Tesla's Keyless Entry Vulnerable To Spoofing Attack, Researchers Find (theverge.com)
An anonymous reader quotes a report from The Verge: Researchers at KU Leuven have figured out a way to spoof Tesla's key fob system, as first reported by Wired. The result would let an attacker steal a Tesla simply by walking past the owner and cloning his key. The attack is particularly significant because Tesla pioneered the keyless entry concept, which has since spread to most luxury cars. This particular attack seems to have only worked on Model S units shipped before June, and in an update last week, Tesla pushed out an update that strengthened the encryption for the remaining vehicles. More importantly, the company added the option to require a PIN password before the car will start, effectively adding two-factor to your car. Tesla owners can add the PIN by disabling Passive Entry in the "Doors & Locks" section of "Settings."
The attack itself is fairly involved. Because of the back-and-forth protocol, attackers would first have to sniff out the car's Radio ID (broadcast from the car at all times), then relay that ID broadcast to a victim's key fob and listen for the response, typically from within three feet of the fob. If they can do that back-and-forth twice, the research team found they can work back to the secret key powering the fob's responses, letting them unlock the car and start the engine.
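As an added illustration (constructed here, not code from the article, the KU Leuven researchers, or Tesla), the toy model below shows the exchange shape the summary describes and the property a keyless fob needs: the car broadcasts its radio ID plus a random nonce, the fob answers with an HMAC under a pre-shared key, and responses recorded by relaying two (or more) beacons to a victim's fob do not unlock the car against a fresh beacon; the PIN second factor then gates starting. All identifiers, key sizes and the HMAC construction are assumptions.

```python
# Constructed toy model of a passive-entry exchange; not Tesla's actual protocol.
import hashlib
import hmac
import os
import secrets


class Car:
    def __init__(self, radio_id, fob_key, pin):
        self.radio_id, self.fob_key, self.pin = radio_id, fob_key, pin
        self.nonce, self.unlocked = None, False

    def beacon(self):
        # The radio ID is public (broadcast at all times); the fresh nonce is what
        # keeps a recorded response from matching any later challenge.
        self.nonce = os.urandom(16)
        return self.radio_id + self.nonce

    def verify(self, response):
        expected = hmac.new(self.fob_key, self.radio_id + self.nonce,
                            hashlib.sha256).digest()
        self.unlocked = response is not None and hmac.compare_digest(expected, response)
        return self.unlocked

    def start(self, pin_entered):
        # Second factor from the summary: unlocking alone is not enough to drive.
        return self.unlocked and secrets.compare_digest(self.pin, pin_entered)


class Fob:
    def __init__(self, radio_id, key):
        self.radio_id, self.key = radio_id, key

    def respond(self, beacon):
        if not beacon.startswith(self.radio_id):
            return None  # only answers the car it is paired with
        # HMAC-SHA256 stands in for a strong keyed function; with a 128-bit key,
        # recovering it from captured transcripts is computationally infeasible.
        return hmac.new(self.key, beacon, hashlib.sha256).digest()


def replay_unlocks(n_captures=2):
    """Relay n beacons to the fob, record the answers, try them on a fresh beacon."""
    key = os.urandom(16)
    car, fob = Car(b"CAR-0001", key, "1234"), Fob(b"CAR-0001", key)
    captured = [fob.respond(car.beacon()) for _ in range(n_captures)]
    car.beacon()  # new nonce: none of the recorded responses can match
    return any(car.verify(r) for r in captured)
```

A live relay that forwards the current beacon and the fob's answer in real time still succeeds in this model; strong crypto stops key recovery and replay, not relaying, which needs distance bounding or a deliberate action such as a button press.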
The Horror! (Score:2, Funny)
Re: (Score:2)
crap there goes the LTV again on the car loan
Cool. I'd love a Tesla Model S P100V for half list price...like that's gonna happen....
Re: (Score:1)
I don't understand why this is so hard. I've only taken a free online cryptography 101 course, and that's all you need to solve this problem. There are pseudo-random number generators that start with a seed value (128 bits, 256 bits or more) and generate numbers that seem so random that you can mathematically prove it would take millions of years to extract the seed from a sequence of generated values, even if you intercept millions of them. By "prove", I mean that if you did manage to find an efficient met
Re: (Score:2)
Perfecting Keyless entry is not a matter of time, it's a matter of wanting to do it right. The technology already exists to do this job securely, the manufacturers just need to use it.
Personally, if I was doing this, I'd have a keyfob that had a time based code rotation. Where the fob would transmit a constantly changing encrypted sequence of codes but only when it is receiving a specific car's beacon, which is itself a time based encrypted string. If you keep the car's transmit range low, the keyfob won'
Re: (Score:2)
You are right that keyless entry without requiring any button press is a bad idea. I don't understand the added value, why is it so hard to just put your hand into your pocket, feel for the fob, and press the button? Why does anyone want their car to automatically unlock as they are passing by? When you're standing next to your car, anyone can just open your door right away! I want my car to unlock when I tell it to unlock, not whenever I happen to be nearby.
But if I'm not mistaken, that's an option in the
Who pioneered keyless entry? (Score:1)
The first time I saw keyless entry it was on my 2005 Toyota Prius (still rolling, 108K miles thank you very much).
Re: (Score:3)
Re: Who pioneered keyless entry? (Score:1)
Remote Key Exploit Service?
Pioneered what? (Score:5, Informative)
"The attack is particularly significant because Tesla pioneered the keyless entry concept, which has since spread to most luxury cars. "
What kind of propaganda bullshit is this?
Let's see what Wikipedia says:
https://en.wikipedia.org/wiki/... [wikipedia.org]
Stop drinking the Flavoraid*.
*Historically accurate if you look it up.
Re: (Score:3)
TESLA KEYLESS DRIVING
Keyless Driving is a feature that allows one to power up and drive the Model S without using the factory key fob. In fact the key fob doesn’t even need to be in possession as all you need is a smart phone (with Tesla Model S app installed) and connectivity to the internet.
Re: (Score:3)
Re: (Score:2)
Saying that you "innovated" by having a $1000+ iPhone* implement the same functionality as an old-style key fob that's less than 1/10th the price even with markup [[and doing it poorly as the article points out]] isn't exactly something that Musk should win a Nobel prize for.
* Before you say something: Think about the Tesla demographic for a bit. Yeah, it's a $1000+ iPhone.
If you think it's 1/10th the price you haven't seen dealer pricing on keys.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2, Funny)
So to drive your car you just need:
1. Your smart phone (with enough battery to last your trip) and
2. Connectivity to the internet.
Nope, can't see any problem there.
Re: (Score:3)
So to drive your car you just need:
1. Your smart phone (with enough battery to last your trip) and
2. Connectivity to the internet.
Nope, can't see any problem there.
Or...wait for it...use the fob. What? Too many choices?
Re: (Score:2)
No, only enough to start the car. Better not stop it and get out anywhere along the route, though. Of course, once the car is started, you can charge your phone from one of the car's USB outlets.
I don't think that this is correct. I think you only need bluetooth.
Re: (Score:2)
The Tesla Model S uses the cell network to unlock the car. When you get out of the driver's seat, the car shuts off. It is entirely possible to get stranded if you exit the vehicle in a cell phone dead zone.... if you don't have a key fob. And yes, I own a model S.
Re: (Score:2)
I was thinking of the Model 3.
Re: (Score:2)
And hope that the app doesn't log you out so you get stranded. That happened to an actual Model 3 owner, they phoned up Tesla support, who told them to find someone to pick them up.
Re: (Score:2)
They have a Bluetooth based system too, but it's still in beta and doesn't work with a lot of phones.
Not the affected keyless system. (Score:2)
Apparently Tesla keyless driving is a bit different from what you're referencing:
And as pointed by others in this thread, not the keyless system that was affected by the current vulnerability.
The vulnerability affects the classical fob-based keyless system, that has been available for ages from countless others manufacturer.
Thus the parent is right (and the summary is wrong), Tesla hasn't been the one pioneering the affected keyless system.
Re: (Score:2)
Stop drinking the Flavoraid*.
*Historically accurate if you look it up.
Apparently, open packages of both Kool-Aid and Flavor Aid were found at the scene of the Jonestown Massacre, though more of the latter than the former.
(I once heard a couple minutes of a tape of one of Jim Jones' rants-on-the-Jonestown-PA-system. It sounded like a sermon straight out of Heinlein's _Stranger in a Strange Land_. Creepy.)
Re: (Score:2)
Renault introduced it. The system was made by Siemens.
Tesla did not invent keyless entry and start.
Pedant mode ON (Score:2)
"letting them unlock the car and start the engine"
Since when do EVs have "engines". I thought they had electric motors.
Re: (Score:3)
engine
noun
1. A machine with moving parts that converts power into motion.
synonyms: motor, machine, mechanism
Re: (Score:2)
Unless that car has a neutral gear starting the "engine" without you being inside is a bad idea.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Alright 10:1 gearbox. Again, does it have a way to disengage or are the wheels always connected?
Re: (Score:2)
Re: (Score:2)
So my original statement is correct. You would not want to start the "engine" remotely.
"Starting" an EV vehicle ; clutch (Score:3)
"Starting" an EV is actually bringing all the systems up, waking up the onboard computers, usually performing some self diagnostics (mostly of the lithium battery), re-engaging some systems (in several cars, reportedly in Teslas too, the lithium battery can be shut off for safety and isolation, and the computer runs off the secondary lead battery) (the power inverter running the motor is similarly shut off in most cars), and unlocking a few things (steering lock).
It's closer to what your laptop performs when brough
Re: (Score:2)
Re: (Score:2)
The "motor" versus "engine" debate.
steam engine and NOT steam motor
rocket engine and rocket motor
NOT electric engine and electric motor
NOT starter engine and starter motor
In other words, "engine" and "motor" have overlapping spheres of influence but the 2 terms are not fully inter-changeable due to their historical usage.
One reason why the term "electric engine" is coming into usage is because people know a car has an engine so logically in their mind, the device generating propulsion in an electric car is
Re: (Score:2)
Can you turn the music on without they key? I am craving a Roy Orbison marathon
That sounds awesome...count me in! Only the lonely...
Re: (Score:2)
"Only the Lonely" is likely to be a bit crowded around here.
Re: (Score:2)
Re:Pedantic mode ON (Score:2)
Being pedantic, I have corrected the subject.
Pedant refers to a person that is pedantic. So your subject was meaning enable the pedantic mode of the person.
If you can do a walk-by clone... (Score:4, Insightful)
...then these people really, really, really screwed up. Like absolutely clueless about security. Unfortunately, that seems to be the standard with most EEs doing security these days.
Re: (Score:2)
Looking at the pin code entry it seems that the order of the buttons isn't randomised, so the pin code will be easy to steal just by looking at the fingerprint smudges on the screen.
Re: (Score:2)
A very old, very well-known attack. Thermal imaging has also been used on ATMs for this, although the timing is more practical there.
If only this worked with all keyless entry systems (Score:5, Insightful)
Oh.
Wait.
It does.
Re: (Score:2)
This one doesn't work for all cars. Most cars would require you to get the FOB and push a button and relay that to the car, then a separate vulnerability to replicate the key action as well. As there is no information transmitted without physical action by the owner, it isn't at all the same. The Tesla FOB automatically unlocks with proximity, and requires no KEY to then drive off at that point.
The Tesla system (used by a couple other luxury cars as well) just requires the hackers to be close to the car for
Re:If only this worked with all keyless entry syst (Score:5, Informative)
No it doesn't. The problem here is not just that you can unlock the car, it's that you can recover the secret key and make a duplicate key. Then you can start and drive the car all you like, access it whenever you want rather than just once.
Not sure what this claim about Tesla pioneering keyless entry in the summary is either. Lots of cars had it long before Tesla came along.
Re: (Score:2)
Wait.
No.
It does not.
All these systems have cryptographic exchanges. Just because one specific implementation of it contained a flaw that allows an attacker to gain access to the secret key doesn't mean that all systems have the same flaw. Unless you're implying that an industry where everyone reinvents everything and designs everything custom to themselves suddenly thought it was a great idea to standardise on one code base for keyfobs.
Tesla pioneered the keyless entry concept, (Score:3)
No, they really didn't.
Keyless Entry / Go was introduced first by Mercedes-Benz in the S-Class car series in 1998. It was being pretty widely used in quite a few luxury brands before 2003 when Tesla was founded.
Re: Tesla pioneered the keyless entry concept, (Score:3)
Re: (Score:1)
Yep, I saw one on a Ford Focus about 9 years ago.
Daft concept, meant you couldn't check the door was actually locked.
Re: (Score:1)
Re: (Score:2)
Renault introduced it first. The system was developed by Siemens.
Tesla did not invent keyless entry and start.
In house crypto (Score:2)
Re:In house crypto (Score:4, Insightful)
Wasn't in-house Tesla. Looks like they used an off-the-shelf solution which is vulnerable in several manufacturer's vehicles. But "Tesla" pushes clicks more than "Mercedes keyless entry..."
RADIO RELAY? (Score:2)
Can somebody tell me why a radio signal detector couldn't unlock the car initially by just range extending it to the parking lot without the owner knowing??
What happens if while driving the car the key is thrown out of the window? (or the range extender stops?)
Re: (Score:2)
>> We regularly have a reminder that it is a bad idea to develop in house crypto. In this situation, it seems that reusing something like Mifare was the way to go.
Mifare is closed source proprietary, very weak and very broken.
That is pretty much worse than in-house crypto, because it's already pre-hacked.
That is very very bad advice.
Re: (Score:2)
Mifare is closed source proprietary, very weak and very broken.
Mifare is a brand which covers a whole range of specific technologies. Only the oldest ones are very weak and very broken. This is like saying "TLS is old and broken", because TLS 1.0 has known vulnerabilities. Yes it does, but that doesn't mean TLS 1.3 isn't quite solid.
However, Mifare is close-range and wouldn't be convenient for this application.
Re: (Score:2)
We regularly have a reminder that it is a bad idea to develop in house crypto.
Always true.
In this situation, it seems that reusing something like Mifare was the way to go.
No, Mifare (or ISO 14443 contactless smart card protocols in general) are too short-ranged. You'd have to pretty much tap the key to some part of the car to activate it. That's much less convenient than the "walk up, get in, drive away" process that Tesla and other high-end automakers want to provide.
It should also be noted that there's another sort of vulnerability that's even harder to prevent: relay attacks. Good crypto will make it impossible to clone the key, but if I can put one transce
Re: (Score:2)
the process negotiates an ephemeral shared secret between them that can be combined with a pre-shared secret to provide strong authentication that is secure against relay attacks.
Mifare does exactly that, and if your system is recent enough to support EV1, you have AES128, which is not broken yet.
The range objection remains, though.
Re: (Score:2)
the process negotiates an ephemeral shared secret between them that can be combined with a pre-shared secret to provide strong authentication that is secure against relay attacks.
Mifare does exactly that
No, Mifare does not support a bounding protocol [wikipedia.org], at all, much less one that negotiates an ephemeral shared secret as a side effect. Mifare is subject to relay attacks. Yes, Mifare -- like most everything else in this space -- does negotiate a session key, but that's not at all the same thing.
Re: (Score:2)
Unless the 1993 Chevrolet Corvette was made by Tesla. The. No. Tesla did not pioneer keyless entry.
Agreed, my '96 Corvette has passive proximity (no button push needed) entry.
Not really a Tesla specific issue (Score:1)
There've been other keyless access issues with other companies before as well. I remember reading some article about a guy keeping his key fob in an altoid tin or whatever after someone with a range extender of some kind that let them open his car door several days in a row. Apparently it could be used next to his car (parked in the street) and replicate the signal from the fob a decent distance away.
Now I look forward to this same writer having an article about his fob breaking due to being filled with
What definition of keyless entry is this? (Score:2)
Nothing of what I can imagine has been invented by or pioneered by Tesla. Keyless entry has been used long before Tesla existed, so?