Random Image Display on Page Reload

Teslas Can Still Be Stolen With a Cheap Radio Hack—Despite New Keyless Tech

May 22, 2024 10:00 AM

Teslas Can Still Be Stolen With a Cheap Radio Hack—Despite New Keyless Tech

Ultra-wideband radio has been heralded as the solution for “relay attacks” that are used to steal cars in seconds. But researchers found Teslas equipped with it are as vulnerable as ever.

Tesla Model 3 vehicles in parking spaces

Photograph: Zhang Hengwei/Getty Images

For at least a decade, a car theft trick known as a “relay attack” has been the modern equivalent of hot-wiring: a cheap and relatively easy technique to steal hundreds of models of vehicles. A more recent upgrade to the radio protocol in cars' keyless entry systems known as ultra-wideband communications, rolled out to some high-end cars including the latest Tesla Model 3, has been heralded as the fix for that ubiquitous form of grand theft auto. But when one group of Chinese researchers actually checked whether it's still possible to perform relay attacks against the latest Tesla and a collection of other cars that support that next-gen radio protocol, they found that they're as stealable as ever.

In a video shared with WIRED, researchers at the Beijing-based automotive cybersecurity firm GoGoByte demonstrated that they could carry out a relay attack against the latest Tesla Model 3 despite its upgrade to an ultra-wideband keyless entry system, instantly unlocking it with less than a hundred dollars worth of radio equipment. Since the Tesla 3's keyless entry system also controls the car's immobilizer feature designed to prevent its theft, that means a radio hacker could start the car and drive it away in seconds—unless the driver has enabled Tesla's optional, off-by-default PIN-to-drive feature that requires the owner to enter a four-digit code before starting the car.

Jun Li, GoGoByte's founder and a longtime car-hacking researcher, says that his team's successful hack of the latest Model 3's keyless entry system means Tesla owners need to turn on that PIN safeguard despite any rumor that Tesla's radio upgrade would protect their vehicle. “It's a warning for the mass public: Simply having ultra-wideband enabled doesn't mean your vehicle won't be stolen,” Li says. “Using relay attacks, it's still just like the good old days for the thieves.”

Relay attacks work by tricking a car into detecting that an owner's key fob—or, in the case of many Tesla owners, their smartphone with an unlocking app installed—is near the car and that it should therefore unlock. Instead, a hacker's device near the car has, in fact, relayed the signal from the owner's real key, which might be dozens or hundreds of feet away. Thieves can cross that distance by placing one radio device near the real key and another next to the target car, relaying the signal from one device to the other.

Thieves have used the relay technique to, for instance, pick up the signal of a car key inside a house where the owner is sleeping and transmit it to a car in the driveway. Or, as GoGoByte researcher Yuqiao Yang describes, the trick could even be carried out by the person behind you in line at a café where your car is parked outside. “They may be holding a relay device, and then your car may just be driven away,” Yang says. “That's how fast it can happen, maybe just a couple seconds.” The attacks have become common enough that some car owners have taken to keeping their keys in Faraday bags that block radio signals—or in the freezer.

Security researchers have long recommended that carmakers prevent relay attacks by developing keyless entry systems that more precisely measure the timing between a key fob or phone sending a signal and the car receiving it. So when Tesla rolled out its ultra-wideband radio upgrade to its keyless entry system, Tesla owners had every reason to think that the new protocol represented that long-awaited security fix. Ultra-wideband is, after all, capable of far more precise range measurement—it's the radio protocol that makes possible the distance tracking in Apple's AirTags, for instance.

In 2020, Tesla even wrote in a filing to the US Federal Communications Commission that it would be implementing ultra-wideband in its keyless entry systems, and that the ability to far more precisely measure the distance of a key fob or smartphone from a car would—or at least could—prevent its vehicles from being stolen via relay attacks. “The distance estimate is based on a Time of Flight measurement, which is immune to relay attacks,” Tesla's filing read. That document, first turned up by the Verge, led to widespreadreports and social media comments suggesting that the upcoming ultra-wideband version of Tesla's keyless entry system would spell the end of relay attacks against its vehicles.

Yet the GoGoByte researchers found they were able to carry out their relay attack against the latest Tesla Model 3 over Bluetooth, just as they had with earlier models, from a distance as far as 15 feet between their device and the owner's key or phone. While the cars do appear to use ultra-wideband communications, they don't apparently use them for a distance check to prevent keyless entry theft.

Tesla has not yet responded to WIRED's requests for comment.

When the GoGoByte researchers shared their findings with Tesla earlier this month, the company's product security team immediately responded in an email dispelling any rumor that ultra-wideband, or “UWB,” was even intended to prevent theft. “This behavior is expected, as we are currently working on improving the reliability of UWB,” read Tesla's email in response to GoGoByte's description of its relay attack. “UWB ranging will be enforced when reliability improvements are complete.”

That answer shouldn't necessarily come as a surprise, says Josep Rodriguez, a researcher for security firm IOActive who has previously demonstrated relay attacks against Tesla vehicles. Tesla never explicitly said it had started using the ultra-wideband feature for security, after all—instead, the company has touted ultra-wideband features like detecting that someone's phone is next to the trunk to open it hands-free—and using it as a security check may still produce too many false positives.

“My understanding is that it can take engineering teams time to find a sweet spot where relay attacks can be prevented but also not affect the user experience,” Rodriguez wrote in an email to WIRED. “I wasn’t expecting that the first implementation of UWB in vehicles would solve the relay attacks.”

Automakers' slow adoption of ultra-wideband security features isn't just limited to Tesla, the GoGoByte researchers note. They found that two other carmakers whose keys support ultra-wideband communications are also still vulnerable to relay attacks. In one case, the company hadn't even written any software to implement ultra-wideband communications in its cars' locking systems, despite upgrading to hardware that supports it. (The researchers aren't yet naming those other carmakers since they're still working through the vulnerability disclosure process with them.)

Despite Teslas' high price tag and continuing vulnerability to relay attacks, some studies have found that the cars are far less likely to be stolen than other cars due to their default GPS tracking—though some car theft rings have targeted them anyway using relay attacks to sell the vehicles for parts.

GoGoByte notes that Tesla, unlike many other carmakers, does have the ability to push out over-the-air updates to its cars and might still use that feature to implement a relay attack fix via ultra-wideband communications. Until then, though, the GoGoByte researchers say they want Tesla owners to understand they're far from immune. “I think Tesla will be able to fix this because they have the hardware in place,” says Li. “But I think the public should be notified of this issue before they release the secure version.”

Until then, in other words, keep your Tesla's PIN-to-drive protection in place. Better that than keeping your keys and smartphone in the freezer—or waking up to find a vacant driveway and your car sold for parts.

Andy Greenberg is a senior writer for WIRED covering hacking, cybersecurity, and surveillance. He’s the author of the new book Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency. His last book was *Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most… Read more
Senior Writer

Read More

Microsoft’s New Recall AI Tool May Be a ‘Privacy Nightmare’

Plus: US surveillance reportedly targets pro-Palestinian protesters, the FBI arrests a man for AI-generated CSAM, and stalkerware targets hotel computers.

Dell Cameron

The Ticketmaster Data Breach May Be Just the Beginning

Data breaches at Ticketmaster and financial services company Santander have been linked to attacks against cloud provider Snowflake. Researchers fear more breaches will soon be uncovered.

Matt Burgess

Apple’s iPhone Spyware Problem Is Getting Worse. Here’s What You Should Know

The iPhone maker has detected spyware attacks against people in more than 150 countries. Knowing if your device is infected can be tricky—but there are a few steps you can take to protect yourself.

Kate O'Flaherty

TikTok Hack Targets ‘High-Profile’ Users via DMs

TikTok has confirmed a “potential exploit” that is being used to go after accounts belonging to media organizations and celebrities, including CNN and Paris Hilton, through direct messages.

Dell Cameron

How Researchers Cracked an 11-Year-Old Password to a $3 Million Crypto Wallet

Thanks to a flaw in a decade-old version of the RoboForm password manager and a bit of luck, researchers were able to unearth the password to a crypto wallet containing a fortune.

Kim Zetter

Secrecy Concerns Mount Over Spy Powers Targeting US Data Centers

A coalition of digital rights groups is demanding the US declassify records that would clarify just how expansive a major surveillance program really is.

Dell Cameron

This Hacker Tool Extracts All the Data Collected by Windows’ New Recall AI

Windows Recall takes a screenshot every five seconds. Cybersecurity researchers say the system is simple to abuse—and one ethical hacker has already built a tool to show how easy it really is.

Matt Burgess

‘Largest Botnet Ever’ Tied to Billions in Stolen Covid-19 Relief Funds

The US says a Chinese national operated the “911 S5” botnet, which included computers worldwide and was used to file hundreds of thousands of fraudulent Covid claims and distribute CSAM, among other crimes.

Dell Cameron

Credit belongs to : www.wired.com

Check Also

Meet 2 Innu women trailblazers in astrophysics and land guardianship

Laurie Rousseau-Nepton is the first Indigenous woman in Canada to earn a PhD in astrophysics. …