December 3, 2024

Relay attacks — Teslas can still be stolen with a cheap radio hack despite new keyless tech Tesla owners should enable PIN-to-drive protection to thwart relay attacks.

Andy Greenberg, wired.com – May 23, 2024 2:24 pm UTC Enlarge / Tesla sold 1.2 million Model Y crossovers last year.John Paraskevas/Newsday RM via Getty Images reader comments 14

For at least a decade, a car theft trick known as a relay attack has been the modern equivalent of hot-wiring: a cheap and relatively easy technique to steal hundreds of models of vehicles. A more recent upgrade to the radio protocol in cars’ keyless entry systems known as ultra-wideband communications, rolled out to some high-end cars including the latest Tesla Model 3, has been heralded as the fix for that ubiquitous form of grand theft auto. But when one group of Chinese researchers actually checked whether it’s still possible to perform relay attacks against the latest Tesla and a collection of other cars that support that next-gen radio protocol, they found that they’re as stealable as ever.

In a video shared with WIRED, researchers at the Beijing-based automotive cybersecurity firm GoGoByte demonstrated that they could carry out a relay attack against the latest Tesla Model 3 despite its upgrade to an ultra-wideband keyless entry system, instantly unlocking it with less than a hundred dollars worth of radio equipment. Since the Tesla 3’s keyless entry system also controls the car’s immobilizer feature designed to prevent its theft, that means a radio hacker could start the car and drive it away in secondsunless the driver has enabled Tesla’s optional, off-by-default PIN-to-drive feature that requires the owner to enter a four-digit code before starting the car. Advertisement

Jun Li, GoGoByte’s founder and a longtime car-hacking researcher, says that his team’s successful hack of the latest Model 3’s keyless entry system means Tesla owners need to turn on that PIN safeguard despite any rumor that Tesla’s radio upgrade would protect their vehicle. It’s a warning for the mass public: Simply having ultra-wideband enabled doesn’t mean your vehicle won’t be stolen, Li says. Using relay attacks, it’s still just like the good old days for the thieves.

Relay attacks work by tricking a car into detecting that an owner’s key fobor, in the case of many Tesla owners, their smartphone with an unlocking app installedis near the car and that it should therefore unlock. Instead, a hacker’s device near the car has, in fact, relayed the signal from the owner’s real key, which might be dozens or hundreds of feet away. Thieves can cross that distance by placing one radio device near the real key and another next to the target car, relaying the signal from one device to the other.

Thieves have used the relay technique to, for instance, pick up the signal of a car key inside a house where the owner is sleeping and transmit it to a car in the driveway. Or, as GoGoByte researcher Yuqiao Yang describes, the trick could even be carried out by the person behind you in line at a caf where your car is parked outside. They may be holding a relay device, and then your car may just be driven away, Yang says. That’s how fast it can happen, maybe just a couple seconds. The attacks have become common enough that some car owners have taken to keeping their keys in Faraday bags that block radio signalsor in the freezer. Page: 1 2 Next → reader comments 14 WIRED Wired.com is your essential daily guide to what’s next, delivering the most original and complete take you’ll find anywhere on innovation’s impact on technology, science, business and culture. Advertisement Channel Ars Technica ← Previous story Related Stories Today on Ars