Tesla gets stolen with keyfob hack on camera in seconds (electrek.co)
46 points by bedros 53 days ago | 68 comments

Apple Watches can be used to unlock MacBooks and are immune to relay attacks like these because the laptop only accepts signals with a small enough roundtrip latency. Due to the speed of light, it's impossible to unlock it from farther than a few feet away, even with a relay. Why don't key fobs do the same thing? It must take more expensive radios/hardware, but I feel like it would be worth it for a car like a Tesla.

I don't think so. Amplification attacks with the right hardware add only a negligible delay. At the same time the protocol is not constant time, requiring some margin.

The main difference to the Tesla hack is that you don't keep your MacBook outside the house at night. And thieves don't need to unlock it to steal it, they just take it and leave.

The BMW i3 is known to be immune to amplification attacks, so it can be done.

Any idea how they do it?

Nobody wants an i3 so no reason to build software to steal one.

It’s worth it for any car when you think about how much more expensive they are than a laptop.

It is comfortable though to lock/unlock a car from a few meters away.

Is it necessary to start it from far away?

Remote start has long been a nice comfort feature for cars, especially in cold regions/weather, so the car can start warming up before you get to it.

Same applies to hot regions/weather and cooling down the car's interior.

Not fun getting into a car that's been in the sun most of the day when the temperature is 40°C.

Reasonable, though the engine on Tesla has no relation to heating.

That, many many years ago I have learned that roundtrip latency should always be measured in this kind of technology, AFAIK since it is mostly measured in the car then battery life and a bit more expensive hardware is not a big deal (apparently not)

I don't understand how anyone in a security role in the car industry can accept a system like this that's been broken and abused for years. Is the convenience of not having to push a button on the key fob as you approach the car really worth the risk of having it stolen fairly easily?

Car security systems always were this unreliable. Earlier systems were vulnerable to replay attacks or had weak encryption. I think they are made to protect against a random person walking by, not a professional and well-equipped attacker.

Ultimately a professional can just turn up with a trailer and load the car onto it if they are really determined. Deterring the more casual end of theft is the right solution.

What’s happened is that the accessibility of the technology to undertake eg replay or relay attacks has increased so that’s now become a more casual theft vector. It’s a cat and mouse game.

> Car security systems always were this unreliable.

Not all of them. Some have really really good security.

And security regulation for car security is coming worldwide in 2021, thanks to the "terrorist threat".

This was a headline in all the Swedish newspapers a few days ago. Apparently a gang of car thieves has been sweeping through parts of the country and stealing dozens of Teslas in a very short time span.

I think I saw that movie...

The bus that couldn't slow down

When you unlock your Mac with an Apple Watch, the OS makes sure the watch is actually close to it by measuring the distance it takes the signal to travel to the device. Why won't car manufacturers do that? Is there any reason?


What prevents the thieves from just standing closer in that case?

The signal still has to travel from the car to the authentic key, the thieves are just amplifying the signal, they can't make it faster.

Everyone commenting on this should be aware that Tesla has different generations of keyfob technology. The Model 3 keyfobs for instance make a different tradeoff with convenience versus security, being slightly less convenient and way more secure. The car in the story was a Model S.

The main problem with the earlier Tesla keyfobs is that they used a known-broken 40-bit encryption scheme that allowed them to simply be cloned by an attacker. I'm not sure what they fixed other than upgrading the crypto to something that wasn't horribly insecure. That's also the reason they introduced the PIN feature.

While I really hate that this attack is even possible, a nice feature with a car manufacturer that regularly and often updates the software/firmware is this:

"In response to those attacks, Tesla started rolling out [...] If an owner activates the “PIN to Drive” function [...] anyone entering the car will have to know your PIN in order to be able to drive away."

And why wouldn't the car (all vulnerable cars) deactivate when it one minute later (or X meters) doesn't detect the key in the car? I.e. do a second poll of the key.

> And why wouldn't the car (all vulnerable cars) deactivate when it one minute later (or X meters) doesn't detect the key in the car? Ie do a second poll of the key

This has been a solved problem for some time in luxury/expensive vehicles. Vehicle tracking systems detect if the car is moved without the tracking card in it and silently inform their control centre of the fact, along with the vehicle’s location. The control centre then calls the owner and verifies if it’s them. Doing it this way has the advantage that if the driver is being threatened (carjacking for example), it doesn’t put them at further risk.

At least in the recent case of Tesla thefts here in Sweden the car thieves also blocked/disabled the GPS tracking before driving away so tracing the cars was impossible.

And why wouldn't the car (all vulnerable cars) deactivate when it one minute later (or X meters) doesn't detect the key in the car?

Probably a safety vs security concern. They don't want your car to suddenly die on you in the middle of the highway if your keyfob battery dies.

Why are cars with keyfobs like this designed to be able to keep driving when the keyfob goes out of range?

Having to rely on some wireless connection to stay connected while driving doesn’t sound like a good idea.

There is a regulation that says that the car can't just stop driving mid-drive. It's just basic safety common sense - imagine car shutting down on a highway because the key battery died or there was a radio interference.

Probably so you can still drive the car even if you manage to lose the key from the car while it is being driven.

And yes, I do have an unfortunate personal experience to support this theory :-)

Would you rather run the risk of a car turning off on a busy highway when the communication gets interrupted for any reason whatsoever?

Genuine question: does the keyfob depend on a battery that can run out? If so, there's your answer.

Very interesting seeing how this attack is performed. I'd imagine that future keyfobs would use a time of flight based system of call and response to prevent this sort of thing.

Something like a gyro/accelerometer could ensure the keyfob is on a person, and not just sitting on a table.

Not a perfect solution.

Keys are sometimes set down in the vehicle before starting. A time based rule (motion within last x) won't help because sitting in a non-running car is something that happens often enough that keys not working would be a problem.

Also, someone could steal your car while you have your keys in your pocket inside your house, or walking around a store.

Or just a cryptographic challenge/response. No range limitations like time-of-flight, protects against replay, cheap with appropriate hardware. And since key fobs are custom hardware anyway (and typically expensive!) the <$1 crypto ICs I've used like the Microchip ATECC608 could be added to implement it with minimal price increase.

> Or just a cryptographic challenge/response

This was a relay attack. Not a re_p_lay attack.

It's just amplifying the signal from the outside car to the inside keys & vice versa.

What I can’t believe is why the carmakers are not liable for the loss since their locks use such piss-poor cryptography.

To me, locks of any kind are just a deterrent, they aren't meant to be impossible to circumvent, they're just meant to deter casual thieves.

Should Yale be responsible for all the stuff stolen from a house after someone picks the lock? I don't think so.

Depends on how they advertise that lock imo.

If a lock manufacturer markets a lock as secure, giving it an 8 out of 10 rating, but that lock can be decoded without any tools in a very short period of time, then I believe that the manufacturer should bear some responsibility.

But then again Master Lock still exists lol... Take the 174SSD for example. Master Lock lists it for $38, so not a bargain basement lock. They say it’s “best for” Residential Gates & Fences, Sheds, Workshops, Garages, Storage Lockers, Tool Chests, Tool Boxes[0], the packaging boasts about its security[1] and yet it can be quickly decoded without tools[2].

Now I’m sure the people on this site are aware of the quality of Master Lock, but is your avg Joe walking into the hardware store? IMO there is a point where, if your performance can’t back up your marketing, you become liable.

But in Tesla’s case I don’t think they market the security of their keyless entry/start. I would say they are aware of the security risks of the tech and that is why they released an OTA update that enables the need of a passcode to start the car. The question for me then becomes: if Tesla were aware of this risk and added a protection against it but didn’t advise customers of the risks of keyless entry/start and the protections against it enough, could they have at least a little liability? OTA cuts both ways. Yes, it allows for easy updating in the field, but it also provides a direct communication point with your customer to be able to advise them of "such new information".

[0] https://www.masterlock.com/personal-use/product/174SSD

[1] https://imgur.com/a/iaffVut

[2] https://youtu.be/CTLY4b3sG9E

EDIT: Cleared up some spelling (fucking auto correct). But I would also like to make it clear that I wouldn't expect a lock manufacturer to always be responsible for the items the lock is "protecting". For example: you put a high security lock on your front door to protect your home, a burglar cases your joint and instead of picking the lock, which will take too much time, they break a window and enter your home through that instead. The lock did its job so I couldn't hold the manufacturer responsible at all.

My gripe is when weak locks, or locks with known defects, are being sold to the general public as "secure". If a car manufacturer said their car was safe in a crash, giving themselves a high safety score, but it was found out that "safe" meant that it was only deemed safe under lab conditions where the impact was at exactly 55mph, but in the real world a defect meant it was hit and miss whether the airbags would actually deploy in the event of a collision, people would be up in arms about it, lawsuits filed, recalls issued, etc.

I don't expect any lock to be 100% secure (nor any car 100% safe in a collision), but when the marketing team for a manufacturer takes it on themselves to talk up the security then I don't think it's wrong to expect that manufacturer to be held to account when their claims don't hold up.

Replying to self as I can no longer edit:

Tesla released an update in 2017 giving users the ability to disable keyless entry. That paired with OTA I wonder if it would be wise of them to push an advisory to all cars with keyless entry still enabled advising the customer of the risk of keyless entry and asking the customer if they would like to disable it? If you have made it explicitly clear that keyless gives a convenience bump at the sacrifice of security but the customer still decides to leave keyless enabled that is a choice the customer willingly made.

Just thinking out loud.

It seems to me it shouldn't be too expensive to offer a key upgrade, if the new models are safer.

I thought a key upgrade might work if they can get the time of flight working correctly to kill off amplification attacks. But it was more an "in the mean time" fix until they release new keys with time of flight or your new service.

I'm glad my car has a keyfob that I can easily turn off. Relay attacks don't work then. In fact I'd much rather have a keyfob where I have to push a button to unlock the car; I don't really see how not having to push a button adds all that much convenience.

When you are wrangling your kids and your keys are in a bag somewhere.

Just one instance of not having to push a button could be a convenience.

Not that I disagree that I much prefer having keyless entry disabled on my car. Just giving a situation where I could see keyless as being more convenient because I’m an argumentative little shit ;-)

One can get RF blocking pouches for the keyfob. It’s a cheap countermeasure; a bit inconvenient, though.

In that case I'd rather just plug in the fob... I have to get it out of the pouch anyway, so I'd rather not bother with it at all.

The newer Tesla keyfobs don’t emit RF unless you either click a button, or are inches away from the RFID reader on the driver door pillar.

Maybe could still be defeated with a very long range RFID reader? I don’t know how long range they get.

I read about ~1m boosting, though not sure what type of technology it was. It might still be a good idea to limit time-of-flight to eliminate relay attacks.

if you know about this issue I guess you just go back to regular keys

Another advantage to an old car. Mechanical keys, and a gearshift :-)

A gearshift is only a deterrent in the US. In EU I think everyone has to get their license in a manual.

> EU I think everyone has to get their license in a manual.

Several countries in the EU have automatic only drivers licenses, but hardly anybody gets them since being forbidden from driving a manual car is a pretty significant limitation.

In Germany at least you can get your license in an automatic car, but then you're not allowed to drive manual cars.

Switzerland recently changed the law so people that passed the exam on an automatic are now allowed to drive manual transmissions as well. Seems slightly crazy to me.

They don't have to. But getting your license in an automatic means you are limited to pretty much hybrids/electrics.

You're better off just popping the battery out, and using the keyfob in passive mode.

What happens the next time they want to start the car?

What car? You mean that pile of ready-to-fence parts over there? And the big-ass battery that’ll fetch $4,000? And those seats that I just listed on eBay? ;)

Once you have unlimited physical access to the hardware, software protections are worthless.

And that's ignoring that it could just be sold for parts.


We've banned this account since you've ignored our request to use HN as intended.

If you don't want to be banned, you're welcome to email hn@ycombinator.com and give us reason to believe that you'll follow the rules in the future.

Wow! If this is DL-generated then I’m very much impressed.

Israeli thieves (well, mostly Palestinians) are already over that: they open a door (or smash a window), open the hood and in seconds change the car's computer with one they bring with them.

Insurance companies try to fight that by forcing the installation of a "safe" around the computer.

Are Tesla seriously that bad at crypto that they can't prevent a replay attack? A time-based MAC (Message Authentication Code) system like those used by bank 2FAs can go quite a long way. You just have to resync the clock when you change the battery.

E.g. See Tuomas Aura's most excellent paper:


The article said it's a relay attack, not a replay attack:


It's not a replay attack, it's a relay attack where the signal is amplified further than the usual range of the keyfob.
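To make concrete the two points argued across this thread (the Apple Watch style round-trip bound that a relay cannot beat, and the replies explaining why challenge/response or a time-based MAC stops replay but not relay), here is an added simulation. It is example code written for this page, not Tesla's or any vendor's protocol; the shared secret, distances, fob processing time and relay box delay are constructed assumptions.

```python
import hashlib
import hmac
import secrets

SPEED_OF_LIGHT_MPS = 299_792_458.0
FOB_PROCESSING_S = 1e-6     # assumed fixed time the fob needs to compute a reply
RELAY_HOP_DELAY_S = 500e-9  # assumed extra delay added by each relay box

class KeyFob:
    def __init__(self, secret: bytes):
        self.secret = secret

    def respond(self, challenge: bytes) -> bytes:
        # Fresh HMAC per challenge: a recorded reply cannot be replayed later.
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()

def direct_channel(fob: KeyFob, distance_m: float):
    """Car -> fob -> car over the air, fob distance_m away. Returns (reply, rtt)."""
    def send(challenge: bytes):
        rtt = 2 * distance_m / SPEED_OF_LIGHT_MPS + FOB_PROCESSING_S
        return fob.respond(challenge), rtt
    return send

def relay_channel(fob: KeyFob, car_to_box_m: float, box_to_box_m: float,
                  box_to_fob_m: float):
    """Two boxes forward the signal unchanged between the car and a far-away fob."""
    def send(challenge: bytes):
        path_m = car_to_box_m + box_to_box_m + box_to_fob_m
        rtt = (2 * path_m / SPEED_OF_LIGHT_MPS + 2 * RELAY_HOP_DELAY_S
               + FOB_PROCESSING_S)
        return fob.respond(challenge), rtt  # the real fob answers: reply is valid
    return send

class Car:
    def __init__(self, secret: bytes, max_range_m: float = 2.0):
        self.secret = secret
        # Distance bound: round trip for max_range_m plus the fob's fixed time.
        self.max_rtt_s = 2 * max_range_m / SPEED_OF_LIGHT_MPS + FOB_PROCESSING_S

    def unlock(self, channel, distance_bounding: bool = True) -> bool:
        challenge = secrets.token_bytes(16)  # fresh nonce for every attempt
        reply, rtt = channel(challenge)
        expected = hmac.new(self.secret, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(reply, expected):
            return False  # wrong, forged or replayed reply
        # A relay can amplify the signal but cannot make light cover the
        # longer path sooner, so its round trip exceeds the bound.
        return not distance_bounding or rtt <= self.max_rtt_s
```

With distance bounding switched off, the relayed handshake is accepted because the genuine fob signed the fresh challenge; with it on, the extra path length and relay delay push the round trip over the bound and the car refuses.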
