Despite New Keyless Technology, Teslas Can Still Be Stolen With a Cheap Radio Hack

TFD – Tesla owners, beware: despite the latest ultra-wideband keyless entry system, your car might still be at risk. Discover why keeping the PIN-to-drive safeguard active is crucial for protecting your Tesla from relay attacks.

For at least a decade, a car theft trick known as a “relay attack” has been the modern equivalent of hot-wiring: a cheap and relatively easy technique to steal hundreds of models of vehicles. A more recent upgrade to the radio protocol in cars’ keyless entry systems known as ultra-wideband communications, rolled out to some high-end cars including the latest Tesla Model 3, has been heralded as the fix for that ubiquitous form of grand theft auto. But when one group of Chinese researchers actually checked whether it’s still possible to perform relay attacks against the latest Tesla and a collection of other cars that support that next-gen radio protocol, they found that they’re as stealable as ever.

The most recent Tesla Model 3 has been upgraded to an ultra-wideband keyless entry system, but researchers at the Beijing-based automotive cybersecurity firm GoGoByte showed in a video shared with WIRED that they could still perform a relay attack against it, instantly unlocking it with less than $100 worth of radio equipment. If the driver hasn’t turned on Tesla’s optional, off-by-default PIN-to-drive feature, which requires the owner to enter a four-digit code before starting the car, a radio hacker could start the Tesla 3 and drive it away in a matter of seconds because the keyless entry system also controls the car’s immobilizer feature, which is meant to prevent theft.

In spite of any speculation that Tesla’s radio update would protect their car, Jun Li, the founder of GoGoByte and an expert in automobile hacking, claims that his team’s successful breach of the most recent Model 3’s keyless entry system means Tesla owners need to activate that PIN safety. “It’s a public service announcement: Just because your car is equipped with ultra-wideband doesn’t guarantee it won’t be stolen,” Li explains. “For the thieves, using relay attacks, it’s still like the good old days.”

By deceiving a car into believing that an owner’s key fob—or, in the case of many Tesla owners, their smartphone with an unlocking app installed—is close to the vehicle, relay assaults cause the vehicle to believe that it should unlock. Instead, the signal from the owner’s actual key—which may be located hundreds or even thousands of feet away—has been relayed by a hacker’s device close to the vehicle. By positioning one radio device next to the actual key and another adjacent to the intended car, thieves can bridge that distance by transmitting a signal from one device to the other.

The relay technique has been used by thieves, for example, to intercept a car key signal inside a sleeping owner’s home and send it to a car parked in the driveway. Alternatively, the trick might even be performed by the person in line behind you at a café where your car is parked outside, according to GoGoByte researcher Yuqiao Yang. Yang speculates that “they might be holding a relay device, and then your car might just be driven away.” “That’s the fastest it could happen, in a matter of seconds.” The attacks have become common enough that some car owners have taken to keeping their keys in Faraday bags that block radio signals—or in the freezer.

Carmakers should build keyless entry systems that more precisely record the time between a key fob or phone sending a signal and the car receiving it, according to a recommendation made long ago by security researchers. This will help prevent relay assaults. Thus, owners of Tesla vehicles had every reason to believe that the new protocol constituted the much-needed security patch when the company released its ultra-wideband radio update for its keyless entry system. After all, ultra-wideband has the capacity to measure range far more precisely; in fact, the radio protocol used in Apple’s AirTags enables distance tracking.

Tesla even stated in a filing to the US Federal Communications Commission in 2020 that it would be integrating ultra-wideband into its keyless entry systems and that this would, or at least could, prevent its cars from being stolen through relay attacks by being able to measure a key fob or smartphone’s distance from a car much more precisely. According to Tesla’s petition, “The distance estimate is based on a Time of Flight measurement, which is immune to relay attacks.” That document, first turned up by the Verge, led to widespread reports and social media comments suggesting that the upcoming ultra-wideband version of Tesla’s keyless entry system would spell the end of relay attacks against its vehicles.

Yet the GoGoByte researchers found they were able to carry out their relay attack against the latest Tesla Model 3 over Bluetooth, just as they had with earlier models, from a distance as far as 15 feet between their device and the owner’s key or phone. It appears that the autos use ultra-wideband connections, but not for a distance check to stop theft of keyless access.

To date, Tesla has not reacted to inquiries from WIRED for comment.

Tesla’s product security team promptly responded in an email after the GoGoByte researchers presented their results with the firm earlier this month, quashing any speculation that ultra-wideband, or “UWB,” was ever meant to deter theft. As we are presently working on enhancing the stability of UWB, this behavior is expected,” Tesla wrote in an email in response to GoGoByte’s description of its relay assault. “UWB ranging will be implemented after reliability enhancements are finished.”

Josep Rodriguez, a researcher for the security company IOActive who has previously shown relay attacks against Tesla vehicles, thinks the response shouldn’t be too shocking. Tesla has emphasized ultra-wideband features like detecting when a phone is next to the trunk to open it hands-free, but the company has never explicitly stated that it has begun using the feature for security. Moreover, using it as a security check may still result in an excessive number of false positives.

“My understanding is that it can take engineering teams time to find a sweet spot where relay attacks can be prevented but also not affect the user experience,” Rodriguez wrote in an email to WIRED. “I didn’t anticipate that the relay attacks would be resolved by the initial deployment of UWB in cars.”

It’s not just Tesla that’s taking a while to implement ultra-wideband security features, according to the GoGoByte researchers. They discovered that two additional automakers remain susceptible to relay assaults even if their keys allow ultra-wideband connectivity. In one instance, the corporation upgraded to technology that allows ultra-wideband communications, but they hadn’t even built any software to implement it in the locking systems of their automobiles. (The researchers aren’t yet naming those other carmakers since they’re still working through the vulnerability disclosure process with them.)

Though some car theft rings have targeted them anyway using relay attacks to sell the vehicles for parts, some studies have found that Teslas are far less likely to be stolen than other cars because of their default GPS tracking, despite their high price tag and ongoing vulnerability to relay attacks.

GoGoByte points out that Tesla, in contrast to many other automakers, can update their vehicles over the air. The company may yet take advantage of this capability to deploy an ultra-wideband communications-based relay assault patch. The GoGoByte researchers, however, argue that until then, Tesla owners should realize that they are by no means safe. Li says, “I believe Tesla can resolve this since they have the necessary hardware.” But before they release the secure version, I believe that the public should be made aware of this problem.

Put another way, don’t remove your Tesla’s PIN-to-drive safeguard until later. That’s preferable to forgetting your phone and keys in the freezer or waking up to discover your car sold for parts and the driveway empty.