Only electric vehicles that support unlock via BLE proximity.
However, it will impact all electric locks that support this very same functionality as its a fundamental limitation of how BLE is implemented on cell phones. Trying to be more prescriptive on the latency or other parameters under the locks control will make the user experience significantly more frustrating and unreliable, crippling the feature.
Some car manufacturers are employing ultra wide band for precise location. The VW ID.4 for example has this. I'm not aware of successful (relay) attacks against these kind of systems.
I guess if you had a partner, someone could be in the parking lot looking for teslas being parked, then a partner could tail that person and relay over cellular to the first standing near the car?
I'm wondering what the point of this attack is. Any thief who wants in my car will just bust the windows. If they do the relay attack they can steal the car but the car has GPS and can be locked down remotely so it seems like a high risk low reward crime?
This dawned on me the other day, if someone hopped in my Tesla and drove away I’m not sure I could do anything in the app to hinder them. Maybe set valet mode? Best I could do there is cap it to 50
The way the app works though with the default setup leaves it unlocked/ready to go until you walk a considerable distance away. I could see thieves eventually figuring that out.
Pretty sure turning on Keyless driving is separate from unlocking/starting the car with Bluetooth. To do it requires the Tesla account password and I believe is relayed via the LTE connection of the car.
Yeah, this attack works in theory but is so complicated to set up and execute that a random thief is always going to go for one of the easier options, like picking your pocket or smashing a window.
On the other hand if you are a high value target and some person/organization/government has the incentive to target you in this way, you better have adequate protection.
>> the incentive to target you in this way, you better have adequate protection.
Having owned some fancy cars, the advice you usally hear from other owners is this - the best protection you can have is a good insurance policy. Putting any kind of lock out/pin/hidden switch system on it, hiding your keys in radio-proof bags etc, is the best recipe to get hurt. Exactly because if you drive such a fancy car, the people coming to steal it are not opportunistic thieves - they are coming to get your car, and they will hurt you to get it. That's why you don't install any extra fancy "trap" systems in the car and you hang your keys right next to the front door, in plain view. If they want to take the car, don't give them a reason to come in and threaten you or your family for the keys or a lock out pin because you thought you were clever with a fancy alarm system. A Lamborghini is replacable. Your life(or the life of your children) is not.
I still remember a video from a break in our country where the thieves where pounding the door with an axe for minutes to enter, then threatened the homeowner to open the safe they knew was in the house. His wife and kids where “safe” in the attic. If they know what they want they will get it one way or another.
1) luxury cars that are stolen "on order" are usually placed on a trailer/container straight away and not driven around.
2) you assume you can still talk to the car after it's taken - sadly, GSM/GPS jammers are very cheap and common amongst car thieves.
3) even if you have L5 autonomy, I would be really surprised if you could override what the car is doing while it's being driven. Sounds like a recipe for disaster. I'm not sure anyone should even have the ability to do something as simple as shut it down remotely - there's far too much risk of abuse.
There's probably a single fuse you can pull out, or a single wire you can cut which would disable enough of the system that you could still drive, but it would stop reporting telemetry.
Let's say that with enough effort you can probably reach it. But if to do that, you have to disassemble half of the car, then it's possibly not convenient to do so :D
I wonder how well this would work. Wouldn't the Faraday cage need to be tuned to the wavelength of the cellular radio?
Someone elsewhere suggested putting the car in a cargo container, but I don't think that works either. I was on a large ferry recently, my phone worked below deck several inclusive distance units away from the coast.
Cell modems are pretty amazing. One time I wanted to simulate losing reception on one, so I removed the antenna. It still worked, so I added a 50 ohm termination. It still worked. I finally got it to disconnect by putting it all inside an anti-static bag.
Are they? I remember disconneting the antennas of some of my devices for repair purposes and getting no reception at all (not even for emergency calls).
Many radios have more margin on the signal once "connected". I vaguely recall that cell modems in particular need to do an initial registration with the network. That registration is probably at a fairly ancient modulation, without the benefit of the cell tower knowing where the modem is to beam form to it. It seems like that could account for 10's of dB of difference.
There is a waterproof "fuse box" in every car, similar in function to breaker box in a house, on front firewall(even for rear-engined cars!). "Pull a fuse" means removing a fuse for offending subsystem(ECU) to simply disable it, such as ABS, as clean as `apt uninstall sl` would go. What the guy above you is saying is you should be able to turn off "security feature" altogether and the car should revert to an insecure car.
But considering that Teslas are infamous for authenticating every start/stop of individual cars between the key and the infotainment computer and a datacenter in California...
I can't tell if your last sentence is sarcastic? But a Tesla doesn't call home to authenticate the kefob. Otherwise you'd never able to start the car outside of cellular reception.
GPS jammers are like $50 from many chinese sellers. That's why GPS/GSM trackers are not accepted by insurance companies as vehicle trackers in my places, you need to have a VHF tracker which is much harder to jam.
Can someone please help me understand how using a relay device defeats proximity detection by time of flight? It’s not like the relay device can talk to the remote device faster than the speed of the original signal.
It isn't doing time of flight, but just getting under a latency threshold that these devices use as a cutoff to try and avoid things like this relay attack.
They say they got the added delay somewhere below 8ms to defeat the system. In 8ms, light/radio travels around 2500km.
Could latency/time-of-flight threshold be reduced to determine proximity? Requires very accurate clocks on both ends, and support in the wireless cards. Apple developed something similar for Apple Watch unlock on MacOS [1].
I don't see why you need an accurate clock on both ends, you simply need a precise clock on one end (which can be the car): do a challenge/response where the car sends the key a question and requires the answer back within the very short period of time. The key in that case doesn't need a clock at all.
This is exactly the kind of methodology the attack in the article uses though. BLE peripheral devices are usually allowed to miss connection events to preserve battery life, and to increase the reliability of the connection in noisy environments. The attack exploits the ambiguity between "the transmission was intercepted and relayed with an additional 8ms" and "the phone/keyfob skipped a connection event". Allowing no missed connection events would probably make the system frustratingly unreliable as you'd constantly be re-connecting and re-authenticating with the phone/keyfob.
I mean, that's not the methodology of the attack... if the methodology I described were used the attack would not be possible. You are saying it is not possible to implement this mechanism on BLE without affecting the user's experience and, if someone had tried for this key, they wasted their time as they didn't understand how BLE worked. While I am honestly skeptical of that--as I would expect I could use a different packet with a new local timestamp for each of these "reconnections"--I don't know much about BLE, and so am willing to take your word for it; but, as we clearly aren't going to want to synchronize the clock between the car and a silly little key fob so accurately as to allow us to deal with the time difference of the speed of light moving across a mere parking lot, the conclusion to me is that we can not use BLE (which I would think is overkill for a key anyway) and instead must use a more trivial radio scheme.
Tesla uses BLE for their keyfobs as well. They probably just didn't consider it worth it to add additional hardware to prevent these attacks, especially when it has to be compatible with your average consumer smartphone back in 2017 (model 3 release date). You could have two separate radio systems, one for the keyfob, and one for the phone (and then correlate the phones GPS with the measured location), but that sounds expensive and complicated.
BLE has some other mechanisms for determining the proximity of a device, such as Time of Flight (ToF) and Angle of arrival (AoA). I'm unsure if Tesla uses these, or if the reachers were able to circumvent them.
The author of article stated it wrong. It's not the time-of-flight that is used as a proximity measure, it is the received signal strength (RSS). By limiting response times to 8 ms just demands better relaying equipment. 1 nanosecond means around 30 centimeters in air and you need very precise clocks (or by measuring ToF by roundtrip times with very precise local timestamping of messages) and much wider bandwidth (500 MHz+) if you want to measure ToF with such precision. Bluetooth doesn't have that functionality.
I would add that UWB chips do have that functionality so it would be nice to see them adopted widely in mobile phones. Currently only high-end devices have those chips in them (recent iphone and google/samsung flagships).
Chromebooks have a similar 'unlock with phone' feature but add that the phone must be unlocked - basically utilizing the biometrics of the phone to unlock the computer regardless of biometric hardware presence. It also uses a pretty tight proximity radius (<0.5 meters I'd guess). But if someone could combine this relay exploit with social engineering to get the target to unlock their phone (like an incoming text/notification), maybe that would get computer access. Perhaps there's a more complex handshake that takes place but if not, seems valuable.
Apple has a nice solution to this. If you have the watch unlock feature on, your watch will notify you of an unlock and provide a button to relock which disables the feature temporarily.
It’s likely not completely bullet proof but if you are up against such sophisticated attacks then it’s reasonable to say just don’t use these features.
> “BLE proximity authentication systems typically measure the distance of a device by the response time, so if the device is too far away from the device to be unlocked, the response time will be too long and the authentication won’t work.”
> “The tool that researchers at NCC Group developed adds just 8 milliseconds of latency in the response time”
Radio waves propagate at the speed of light so a signal can travel about 2400 km in 8ms. I think there are some key aspects of the Bluetooth le proximity auth protocol that the article is missing which makes the whole thing sound like nonsense.
I think the real reason that Bluetooth le proximity authentication is broken is that it is a passive communication protocol. They do hint at this in the article. Imagine how broken TLS would be if there was no two way communication to negotiate proofs.
Not only that, their test was conducted at a paltry distance of 25 meters between authentication device and vehicle - only barely outside the normal range of the device. If they wanted to prove that they had bypassed the range limit with their relay device, they should relay the authentication over a few kilometers rather than a few meters.
Bluetooth LE is not "passive" in the sense that there is definitely two way communication going on. They even mention GATT in the article and that is as two-way as it gets.
Devices don’t use GATT response latency to estimate distance, but elevated levels of GATT latency are commonly used as indications of relay attacks. A lower latency relay attack can work around this defence. The researcher recommends time-of-flight measurement in a secure ranging protocol to mitigate such attacks.
This is not even the first time, if we look at the car industry. Possibly different wireless protocol, but same idea: proximity without (tight-enough) time-of-flight check. How has Tesla not learned the lesson?
They are very proud of the fact that they don't follow other's "lessons learned" - because Elon assumes everyone else is an idiot and their assumptions suck.
Sometimes he's right. Often he is not.
Several dramatic "defects" of Tesla's could have been prevented - but why should Tesla care? "Bring it in for a fix!" they say. "It is not our money! Haha!" they say. And investors and buyers keep coming.
The lesson should have been to 1) pick or come up with an adequate protocol that includes tight time-of-flight checks or 2) not use proximity auth at all, if it is impossible to mitigate against relay attacks, in terms of physics and maths.
I'm saying Tesla's engineers should have known better, by 1) paying attention to news in the industry; and 2) properly understanding BLE before choosing it as the auth protocol.
1. Disable the ability to unlock the car if the phone has been stationary for a while. No more siphoning authentication from a phone in the night stand.
2a. Setup phone presence inside the car as a second authentication factor for starting the car. BMWs can detect if the key is inside or outside the car; I imagine the same positioning can be detected out of a bluetooth+wifi+nfc radio source.
2b. If phone positioning would require extra hardware, an alternative is using phone NFC as authentication (I think the keycard is NFC, so the hardware should be present)
In response to previous reports of this in 2018 tesla added a „pin to drive“ option.
When enabled, an unlocked car needs a second authentication in form of a pin code the user had previously set up
Tesla provides (two-step) Multi-Factor Authentication to be able to drive the car:
- Unlock the car via BLE. Not able to drive away.
- Enter a PIN-to-drive on car screen, to turn on the virtual ignition. Able to drive away.
Unfortunately, the PIN to drive is not enabled by default.
Pin-to-drive can be bypassed through the Tesla mobile app, and this bypass is not relayed to the car via BLE but rather via the link between car and Tesla servers.
Therefore, someone with proximity to a locked phone can unlock the car, and someone with access to an unlocked phone can unlock the car and drive away.
PIN to drive is so annoying to use. I had it enabled when I lived in Oakland to avoid a potential car-jacking but I could not wait to turn it off when I moved out of California.
If I'm going through the effort to do BLE relay.. then I can probably go through the effort to watch you enter a PIN through a camera lense though, right? (I'm not familiar with how Tesla's actually work)
It's fast because it's not loading 100 JavaScript files from 15 different trackers and 20 ad providers. Also, the content is loaded statically, rather than having to wait for some JS to load that then loads and renders the article text.
It takes effort to make a site slow, not the other way around.
82 comments
[ 3.0 ms ] story [ 169 ms ] threadHowever, it will impact all electric locks that support this very same functionality as its a fundamental limitation of how BLE is implemented on cell phones. Trying to be more prescriptive on the latency or other parameters under the locks control will make the user experience significantly more frustrating and unreliable, crippling the feature.
I'm wondering what the point of this attack is. Any thief who wants in my car will just bust the windows. If they do the relay attack they can steal the car but the car has GPS and can be locked down remotely so it seems like a high risk low reward crime?
https://www.tesla.com/ownersmanual/modely/en_us/GUID-94B0E05...
Isn't this what the research team is abusing? If so, make sure that's turned off too!
On the other hand if you are a high value target and some person/organization/government has the incentive to target you in this way, you better have adequate protection.
https://xkcd.com/538/
There are quite a few security camera videos on youtube of people stealing cars parked in driveways by what appears to be a relay attack.
On those video it looked extremely "easy" to me
Car thief != pick pocket thief
Having owned some fancy cars, the advice you usally hear from other owners is this - the best protection you can have is a good insurance policy. Putting any kind of lock out/pin/hidden switch system on it, hiding your keys in radio-proof bags etc, is the best recipe to get hurt. Exactly because if you drive such a fancy car, the people coming to steal it are not opportunistic thieves - they are coming to get your car, and they will hurt you to get it. That's why you don't install any extra fancy "trap" systems in the car and you hang your keys right next to the front door, in plain view. If they want to take the car, don't give them a reason to come in and threaten you or your family for the keys or a lock out pin because you thought you were clever with a fancy alarm system. A Lamborghini is replacable. Your life(or the life of your children) is not.
I still remember a video from a break in our country where the thieves where pounding the door with an axe for minutes to enter, then threatened the homeowner to open the safe they knew was in the house. His wife and kids where “safe” in the attic. If they know what they want they will get it one way or another.
1) luxury cars that are stolen "on order" are usually placed on a trailer/container straight away and not driven around.
2) you assume you can still talk to the car after it's taken - sadly, GSM/GPS jammers are very cheap and common amongst car thieves.
3) even if you have L5 autonomy, I would be really surprised if you could override what the car is doing while it's being driven. Sounds like a recipe for disaster. I'm not sure anyone should even have the ability to do something as simple as shut it down remotely - there's far too much risk of abuse.
https://www.auto-manual.com/tesla/tesla-model-3/
Someone elsewhere suggested putting the car in a cargo container, but I don't think that works either. I was on a large ferry recently, my phone worked below deck several inclusive distance units away from the coast.
Maybe things changed in the last few years
But considering that Teslas are infamous for authenticating every start/stop of individual cars between the key and the infotainment computer and a datacenter in California...
The upvotes on social media alone will be worth it to many nowadays.
They say they got the added delay somewhere below 8ms to defeat the system. In 8ms, light/radio travels around 2500km.
[1] https://networkingnerd.net/2016/09/21/apple-watch-unlock-802...
I imagine you would use UWB for the location, and BLE for authentication/data transfer though.
BLE has some other mechanisms for determining the proximity of a device, such as Time of Flight (ToF) and Angle of arrival (AoA). I'm unsure if Tesla uses these, or if the reachers were able to circumvent them.
Time-of-flight: https://software-dl.ti.com/simplelink/esd/simplelink_cc2640r...
Angle of arrival: https://dev.ti.com/tirex/explore/node?node=AOSUfCXMkNaUAy6wn...
It’s likely not completely bullet proof but if you are up against such sophisticated attacks then it’s reasonable to say just don’t use these features.
> “The tool that researchers at NCC Group developed adds just 8 milliseconds of latency in the response time”
Radio waves propagate at the speed of light so a signal can travel about 2400 km in 8ms. I think there are some key aspects of the Bluetooth le proximity auth protocol that the article is missing which makes the whole thing sound like nonsense.
I think the real reason that Bluetooth le proximity authentication is broken is that it is a passive communication protocol. They do hint at this in the article. Imagine how broken TLS would be if there was no two way communication to negotiate proofs.
Sometimes he's right. Often he is not.
Several dramatic "defects" of Tesla's could have been prevented - but why should Tesla care? "Bring it in for a fix!" they say. "It is not our money! Haha!" they say. And investors and buyers keep coming.
Why do you single out Tesla?
The title is wrong, this is a generic attack against BLE.
The lesson should have been to 1) pick or come up with an adequate protocol that includes tight time-of-flight checks or 2) not use proximity auth at all, if it is impossible to mitigate against relay attacks, in terms of physics and maths.
I'm saying Tesla's engineers should have known better, by 1) paying attention to news in the industry; and 2) properly understanding BLE before choosing it as the auth protocol.
1. Disable the ability to unlock the car if the phone has been stationary for a while. No more siphoning authentication from a phone in the night stand.
2a. Setup phone presence inside the car as a second authentication factor for starting the car. BMWs can detect if the key is inside or outside the car; I imagine the same positioning can be detected out of a bluetooth+wifi+nfc radio source.
2b. If phone positioning would require extra hardware, an alternative is using phone NFC as authentication (I think the keycard is NFC, so the hardware should be present)
https://insideevs.com/news/339271/tesla-adds-new-pin-to-driv...
- Unlock the car via BLE. Not able to drive away.
- Enter a PIN-to-drive on car screen, to turn on the virtual ignition. Able to drive away.
Unfortunately, the PIN to drive is not enabled by default.
Pin-to-drive can be bypassed through the Tesla mobile app, and this bypass is not relayed to the car via BLE but rather via the link between car and Tesla servers.
Therefore, someone with proximity to a locked phone can unlock the car, and someone with access to an unlocked phone can unlock the car and drive away.
They literally just walked up with an antenna close to a house and the car parked in front of it opened.
It's _very_ different from spying on someone to steal their PIN.
https://youtu.be/uxzm_6SYBFo
It takes effort to make a site slow, not the other way around.