Tesla’s latest security enhancements with ultra-wideband (UWB) technology were expected to shield its vehicles from relay attacks—a sophisticated method allowing thieves to steal cars in seconds. However, recent findings from the Beijing-based automotive cybersecurity firm GoGoByte reveal that even the newest Tesla Model 3 remains alarmingly susceptible to this type of theft.
For over a decade, relay attacks have been the modern-day equivalent of hot-wiring. This technique involves intercepting and relaying signals from a car’s key fob, tricking the vehicle into unlocking and starting. Despite advancements in keyless entry systems, relay attacks continue to compromise hundreds of car models, including those equipped with next-gen UWB technology.
GoGoByte’s researchers showcased their findings in a video shared with WIRED, where they effortlessly performed a relay attack on a Tesla Model 3 equipped with UWB. Using less than $100 worth of radio equipment, they unlocked the car and started it, highlighting a critical vulnerability in Tesla’s security measures.
Tesla’s UWB Technology
Ultra-wideband communications were hailed as the solution to relay attacks, with Tesla incorporating this technology into its keyless entry systems. UWB offers precise range measurements, theoretically making it difficult for hackers to relay signals over long distances. However, the GoGoByte team demonstrated that Tesla’s UWB implementation does not effectively prevent relay attacks.
Tesla’s keyless entry system relies on Bluetooth for distance checks rather than leveraging the full potential of UWB. This oversight allows hackers to bypass the security measures, rendering the UWB upgrade ineffective against relay attacks.
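The gap described above, as an added illustration that is not from GoGoByte, Tesla or the original article: a vehicle-side policy that trusts Bluetooth link strength accepts a relayed key, while one that enforces a UWB time-of-flight bound rejects it. The RSSI threshold, the 2 m limit, the key's reply delay and both sample sessions are constructed assumptions.

```python
from dataclasses import dataclass

C = 299_792_458.0  # speed of light in m/s


@dataclass
class Session:
    """One constructed unlock attempt as measured by the vehicle."""
    label: str
    rssi_dbm: float    # Bluetooth signal strength seen at the car
    t_round_ns: float  # UWB poll-to-response round trip timed by the car
    t_reply_ns: float  # key's fixed turnaround delay (assumed authenticated)


def tof_distance_m(s: Session) -> float:
    """Two-way ranging: distance implied by the radio time of flight."""
    return C * (s.t_round_ns - s.t_reply_ns) * 1e-9 / 2


def ble_only_policy(s: Session, min_rssi_dbm: float = -60.0) -> bool:
    """Assumed model of a proximity check that trusts link strength alone."""
    return s.rssi_dbm >= min_rssi_dbm


def uwb_enforced_policy(s: Session, max_distance_m: float = 2.0) -> bool:
    """Unlock only if time of flight bounds the key within max_distance_m."""
    return 0.0 <= tof_distance_m(s) <= max_distance_m


SESSIONS = [  # constructed sample measurements, not captured data
    # Key about 1.5 m from the car: roughly 5 ns of flight each way.
    Session("owner at door", -48.0, 200_010.0, 200_000.0),
    # Key 30 m away behind a relay: the relay radio beside the car gives a
    # strong RSSI, but adds 100 ns of flight each way plus 2 us of forwarding.
    Session("relayed key", -45.0, 202_200.0, 200_000.0),
]


def evaluate(sessions=SESSIONS):
    """Return {label: (ble_only_ok, uwb_enforced_ok, implied_distance_m)}."""
    return {
        s.label: (ble_only_policy(s), uwb_enforced_policy(s),
                  round(tof_distance_m(s), 1))
        for s in sessions
    }


if __name__ == "__main__":
    for label, result in evaluate().items():
        print(label, result)
```

A relay can raise signal strength at the car but cannot remove the delay it adds, so only the time-of-flight bound separates the two sessions; this holds only if the ranging exchange itself is authenticated.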
GoGoByte’s Revelations
Jun Li, founder of GoGoByte and an experienced car-hacking researcher, emphasizes the urgency for Tesla owners to activate the “PIN-to-drive” feature. This optional safeguard requires drivers to enter a four-digit code before starting the car, adding an extra layer of security. “Simply having ultra-wideband enabled doesn’t mean your vehicle won’t be stolen,” Li warns. “Using relay attacks, it’s still just like the good old days for the thieves.”
Relay attacks exploit the proximity detection of key fobs or smartphones. By placing one radio device near the genuine key and another near the target car, thieves can unlock and start the vehicle from significant distances. This method has led to various theft scenarios, including relaying signals from a key inside a house to a car parked outside or even from a café where the owner is nearby.
The vulnerabilities exposed by GoGoByte extend beyond Tesla. The researchers identified similar security flaws in two other car brands with UWB-equipped key fobs. While these brands remain unnamed as GoGoByte navigates the disclosure process, the findings underscore a widespread issue within the automotive industry.
Despite the promising capabilities of UWB, its implementation in keyless entry systems has yet to achieve the desired level of security. Automakers need to develop more robust systems that can accurately measure the distance between a key fob and the vehicle, effectively thwarting relay attacks without compromising user experience.
Tesla’s Response
Tesla acknowledged GoGoByte’s findings, stating that the observed behavior aligns with their current development stage. The company’s product security team indicated that they are working on improving UWB reliability and plan to enforce UWB ranging once these improvements are complete. This response highlights Tesla’s commitment to addressing the issue but also leaves owners vulnerable in the interim.
Security expert Josep Rodriguez of IOActive echoes this sentiment, noting that initial UWB implementations were unlikely to resolve relay attacks immediately. “My understanding is that it can take engineering teams time to find a sweet spot where relay attacks can be prevented but also not affect the user experience,” Rodriguez explains.
This relay attack requires two attackers; in this case, one of the attackers will be using the Proxmark device at the vehicle’s NFC reader, and the other can use any NFC-capable device (such as a tablet, computer, or for the purposes of this example, a smartphone) close to either the victim’s Tesla NFC card or smartphone with the Tesla virtual key. The Proxmark and the second attacker’s smartphone can communicate via Bluetooth using the BlueShark module for the Proxmark RDV4.0, or even via Wi-Fi, connecting the Proxmark to a tiny computer like a Raspberry Pi or similar with Bluetooth while the Raspberry Pi connects to the second attacker’s smartphone via Wi-Fi.
IOActive describes the attack in a white paper (source: Electrek).
Practical Measures for Tesla Owners
Until Tesla can roll out an effective fix, owners are advised to enable the “PIN-to-drive” feature and consider additional precautions such as using Faraday bags to block radio signals. These steps can help mitigate the risk of relay attacks, though they do not eliminate the threat entirely.
As the automotive industry continues to grapple with these security challenges, the importance of ongoing research and development in keyless entry systems cannot be overstated. Tesla, along with other car manufacturers, must prioritize enhancing their security protocols to protect their customers from evolving threats.