Safety researchers have shown how Tesla Model 3 and Model Y can be opened and started effortlessly and within seconds at the owner's doorstep. The attack also works with many smart door locks.
An article by
Being able to open and start the car without a key is extremely convenient. So it's no wonder that Tesla also offers such a function for drivers of the two Model Y and 3: The user only has to install the Tesla app on their smartphone and set up keyless access. After that, the Tesla automatically recognizes when the owner's cell phone is in the immediate vicinity and allows the door to be opened and the car to be started with the push of a button.
This technology works via Bluetooth LE – this has the advantage that most current smartphones support this technology. Unfortunately, there is also the disadvantage that this method is unsafe.
Security researchers had already demonstrated this before: Because the Bluetooth LE signal – it is usually also available when the smartphone is simply in your jacket pocket or is lying on the living room table at home – can be forwarded to a second cell phone with other devices, which the attacker then stops in the immediate vicinity of the car.
Countermeasures helped at first – not anymore
Manufacturers like Tesla tried to prevent this attack, known as a relay attack, by introducing an additional level of encryption. Another security measure was that the communication between the unlocking smartphone and the car had to take place with only a very short delay.
Both ensured that the methods used for relay attacks at the time no longer worked. However, this did not make the process really safe. Security researchers from the NCC Group have now demonstrated that their attack method basically still works the same way.
A typical Tesla user parks their vehicle in front of their house. The smartphone is somewhere inside the house. Far too far away to unlock the Tesla. However, the Bluetooth LE signal still reaches the front yard. The attacker then positions his device there. This forwards the signal to the attacker's smartphone, which he places directly next to the Tesla.
Attack can no longer be prevented
New software ensures that the encryption of the signal is not a problem. In addition, the signal delay was just 8 milliseconds (ms) – Tesla's protective measures allow delays of up to 30 ms.
The result is that the attacker can open the door and start the Tesla even though the owner's cell phone is 25 meters away.
According to the security researchers of the NCC Group, there is currently no way to fix this security gap with an update. In addition, a similar problem also occurs with numerous other smart door locks.
For owners of a Tesla Model Y or Model 3, this means: It is best to deactivate the function completely. Alternatively, you can also specify a PIN code that must be entered to start the vehicle. An attacker could then open the car, but not drive away with it.
In the medium term, however, Tesla will have to use a radio method other than Bluetooth LE, according to the researchers. For example, the ultra-wide band radio offered by the newer iPhone models is safer, since the distance between the device and the vehicle can be reliably measured here. BMW, for example, is already using this technology in some models.
The 15 best-selling e-cars in Switzerland in 2021
1/17
The 15 best-selling e-cars in Switzerland in 2021
Tesla crashes into buildings at 110 kilometers per hour
You might also be interested in:
The events surrounding the Ukraine war, which are difficult to digest, as reflected by cartoonists.
Attention, dear watson user: If the tweets in this article don't appear promptly, click on this link for our helpful IT support, count to five, either loudly or quietly, and only then continue scrolling.