For at least a decade, a car theft trick known as a “relay attack” has been the modern equivalent of hot-wiring: a cheap and relatively easy technique to steal hundreds of models of vehicles. A more recent upgrade to the radio protocol in cars’ keyless entry systems known as ultra-wideband communications, rolled out to some high-end cars including the latest Tesla Model 3, has been heralded as the fix for that ubiquitous form of grand theft auto. But when one group of Chinese researchers actually checked whether it’s still possible to perform relay attacks against the latest Tesla and a collection of other cars that support that next-gen radio protocol, they found that they’re as stealable as ever.
In a video shared with WIRED, researchers at the Beijing-based automotive cybersecurity firm GoGoByte demonstrated that they could carry out a relay attack against the latest Tesla Model 3 despite its upgrade to an ultra-wideband keyless entry system, instantly unlocking it with less than a hundred dollars worth of radio equipment. Since the Tesla 3’s keyless entry system also controls the car’s immobilizer feature designed to prevent its theft, that means a radio hacker could start the car and drive it away in seconds—unless the driver has enabled Tesla’s optional, off-by-default PIN-to-drive feature that requires the owner to enter a four-digit code before starting the car.
Jun Li, GoGoByte’s founder and a longtime car-hacking researcher, says that his team’s successful hack of the latest Model 3’s keyless entry system means Tesla owners need to turn on that PIN safeguard despite any rumor that Tesla’s radio upgrade would protect their vehicle. “It’s a warning for the mass public: Simply having ultra-wideband enabled doesn’t mean your vehicle won’t be stolen,” Li says. “Using relay attacks, it’s still just like the good old days for the thieves.”
Relay attacks work by fooling a car into believing that the owner’s key fob, or in many Tesla owners’ instances, their smartphone with an unlocking app, is close to the car, prompting it to unlock. Instead, the hacker’s device near the car has relayed the signal from the real key, which could be many feet away. By placing one radio device near the actual key and another next to the target vehicle, thieves can span this distance.
The relay method has been utilized by thieves to capture a car key’s signal from inside a house while the owner sleeps and transmit it to a car in the driveway. Or, as GoGoByte researcher Yuqiao Yang explains, the individual standing in line behind you at a café where your car is parked outside could execute the trick. “They may hold a relay device, and your car could just be driven away,” notes Yang. “It can happen that quickly, maybe just in a few seconds.” The attacks have become so prevalent that some car owners keep their keys in Faraday bags that block radio signals, or in the freezer.
For a long time, security researchers have advised automakers to prevent relay attacks by designing keyless entry systems that measure the timing interval between a key fob or phone sending a signal and the car receiving it with greater precision. So when Tesla launched its ultra-wideband radio upgrade to its keyless entry system, Tesla owners had every reason to believe the new protocol represented the long-awaited security fix. Ultra-wideband is capable of more precise range measurement—it’s the radio protocol that allows the distance tracking in Apple’s AirTags, for instance.
In 2020, Tesla even wrote in a filing to the US Federal Communications Commission that it would be implementing ultra-wideband in its keyless entry systems, and that the ability to far more precisely measure the distance of a key fob or smartphone from a car would—or at least could—prevent its vehicles from being stolen via relay attacks. “The distance estimate is based on a Time of Flight measurement, which is immune to relay attacks,” Tesla’s filing read. That document, first turned up by the Verge, led to reports and social media comments suggesting that the upcoming ultra-wideband version of Tesla’s keyless entry system would spell the end of relay attacks against its vehicles.
Research conducted by GoGoByte discovered that their relay attack could be executed on the latest Tesla Model 3 via Bluetooth, just as with previous models, as long as the distance between their device and the owner’s key or smartphone did not exceed 15 feet. Although the vehicles appear to utilize ultra-wideband communications, it seems they do not employ them for a proximity check to avoid keyless entry theft.
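An added illustration, not code from GoGoByte, Tesla or WIRED: a constructed model of why an enforced time-of-flight check rejects a relayed key while an unenforced one lets it through. The HMAC challenge-response, the 2-meter limit, the key's turnaround delay and the relay latency are all assumptions chosen for the example, and the model assumes the timing measurement itself cannot be tampered with.

```python
import hashlib
import hmac
import os

C = 299_792_458.0       # speed of light in m/s
MAX_RANGE_M = 2.0       # assumed unlock radius (hypothetical policy value)
REPLY_DELAY_S = 200e-6  # assumed fixed, known turnaround time inside the key

def key_response(secret, challenge):
    return hmac.new(secret, challenge, hashlib.sha256).digest()

def round_trip_s(path_m, relay_latency_s=0.0):
    # Constructed channel model: propagation both ways, key turnaround, relay latency.
    return 2 * path_m / C + REPLY_DELAY_S + relay_latency_s

def tof_distance_m(rtt_s):
    # Two-way ranging: remove the key's known turnaround, halve, scale by c.
    return C * (rtt_s - REPLY_DELAY_S) / 2

def car_decides(secret, challenge, response, rtt_s, enforce_ranging):
    # The cryptographic check passes for a relayed key: the real key computed it.
    if not hmac.compare_digest(response, key_response(secret, challenge)):
        return "reject: bad response"
    # Only the timing check distinguishes "key is here" from "key is relayed".
    if enforce_ranging and tof_distance_m(rtt_s) > MAX_RANGE_M:
        return "reject: key too far"
    return "unlock"

def scenario(path_m, relay_latency_s, enforce_ranging):
    secret = b"constructed-demo-secret"
    challenge = os.urandom(16)
    response = key_response(secret, challenge)  # a relay forwards this unchanged
    rtt = round_trip_s(path_m, relay_latency_s)
    return car_decides(secret, challenge, response, rtt, enforce_ranging)

if __name__ == "__main__":
    print("owner at 1 m, ranging enforced:    ", scenario(1.0, 0.0, True))
    print("relayed 4.5 m, ranging not enforced:", scenario(4.5, 1e-6, False))
    print("relayed 4.5 m, ranging enforced:    ", scenario(4.5, 1e-6, True))
    print("ideal zero-latency relay, enforced: ", scenario(4.5, 0.0, True))
```

Even the idealized zero-latency relay is rejected when ranging is enforced, because the signal still has to travel the full distance to the real key and back.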
Tesla has not yet issued a response to WIRED’s comment requests.
When the researchers at GoGoByte shared their findings with Tesla earlier this month, Tesla’s product security team promptly replied via email, debunking any speculation that ultra-wideband, or “UWB,” was even designed to prevent theft. The email in response to GoGoByte’s relay attack report read, “This behaviour is anticipated, as enhancing the dependability of UWB is currently underway. UWB ranging will be enforced once these reliability improvements are finalized.”
According to Josep Rodriguez, a researcher for the IOActive security firm who has demonstrated similar relay attacks on Tesla vehicles in the past, this response from Tesla should not be unexpected. Tesla never openly stated that it had commenced using the ultra-wideband feature for security. On the contrary, the company has highlighted ultra-wideband features such as the ability to detect when someone’s phone is near the trunk in order to open it hands-free. Therefore, implementing it as a security check might still yield too many false positives.
“My understanding is that it can take engineering teams time to find a sweet spot where relay attacks can be prevented but also not affect the user experience,” Rodriguez wrote in an email to WIRED. “I wasn’t expecting that the first implementation of UWB in vehicles would solve the relay attacks.”
Automakers’ slow adoption of ultra-wideband security features isn’t just limited to Tesla, the GoGoByte researchers note. They found that two other carmakers whose keys support ultra-wideband communications are also still vulnerable to relay attacks. In one case, the company hadn’t even written any software to implement ultra-wideband communications in its cars’ locking systems, despite upgrading to hardware that supports it. (The researchers aren’t yet naming those other carmakers since they’re still working through the vulnerability disclosure process with them.)
Despite Teslas’ high price tag and continuing vulnerability to relay attacks, some studies have found that the cars are far less likely to be stolen than other cars due to their default GPS tracking—though some car theft rings have targeted them anyway using relay attacks to sell the vehicles for parts.
GoGoByte notes that Tesla, unlike many other carmakers, does have the ability to push out over-the-air updates to its cars and might still use that feature to implement a relay attack fix via ultra-wideband communications. Until then, though, the GoGoByte researchers say they want Tesla owners to understand they’re far from immune. “I think Tesla will be able to fix this because they have the hardware in place,” says Li. “But I think the public should be notified of this issue before they release the secure version.”
Until then, in other words, keep your Tesla’s PIN-to-drive protection in place. Better that than keeping your keys and smartphone in the freezer—or waking up to find a vacant driveway and your car sold for parts.