Locked Tesla stolen in 30 seconds in London with fob relay trick(businessinsider.com)
businessinsider.com
Locked Tesla stolen in 30 seconds in London with fob relay trick
https://www.businessinsider.com/locked-tesla-stolen-30-seconds-london-signal-relay-2019-8
18 comments
This attack against key fobs has been around for years. The recommendation is to keep your keys in a metal container (faraday cafe) when at home. Or at best, not on a hook right by your front door.
With my car the fob has to be within 2 feet to unlock the door.
At first I thought this was due to using low power transmitters, now I see it as an unintended security feature.
The attack uses a directional antenna and a signal booster / relay, so it works against short-range fobs.
They could use timing to limit the distance due to the laws of physics but it’s difficult.
They could use rangefinding to limit the distance without dealing with precise timers.
How does rangefinding work?
Most short distance rangefinders use an interferometer. You send a radar/laser/sound wave at a target and compare it against a reference. You measure the displacement in the phase angle of the beam bounced off the target to determine distance. You can get insane precision using short wavelengths.
The most common long range rangefinders use nanosecond timers to measure the delay between a pulse and a response. At 100 meters, a laser beam will take 666ns to bounce off a target, 200 meters will take 1300ns etc... The precision of this method is a lot less because of confounding factors like the precision of your timing device, refraction, etc... Data will be encoded into the laser pulses similar to a GPS signal to reduce issues with cross talk between rangefinders and jamming. These measurements are confounded by the huge speed of light. A 1 nanosecond mis-timing will result in 0.3 meters loss of precision.
A triangulating range finder (Usually a LIDAR) will further refine the above measurement by positioning sensors a distance apart to make medium distance sensing more accurate. This allows LIDAR scanners to increase their precision down into the millimeter range.
The most common long range rangefinders use nanosecond timers to measure the delay between a pulse and a response. At 100 meters, a laser beam will take 666ns to bounce off a target, 200 meters will take 1300ns etc... The precision of this method is a lot less because of confounding factors like the precision of your timing device, refraction, etc... Data will be encoded into the laser pulses similar to a GPS signal to reduce issues with cross talk between rangefinders and jamming. These measurements are confounded by the huge speed of light. A 1 nanosecond mis-timing will result in 0.3 meters loss of precision.
A triangulating range finder (Usually a LIDAR) will further refine the above measurement by positioning sensors a distance apart to make medium distance sensing more accurate. This allows LIDAR scanners to increase their precision down into the millimeter range.
Trigonometric rangefinding using multiple sensors is simpler.
Be careful. The attack uses a directional RF booster to allow that fob (while in your house!) to communicate with your car while in the driveway.
You can also disable passive entry, and rely on pressing unlock on the fob or using the Tesla app to unlock the vehicle and enable drive mode.
I wrote a python script that allows quick delegation of access to our Tesla vehicles to family and friends, so huge fan of using the app and API over the passive fob.
I wrote a python script that allows quick delegation of access to our Tesla vehicles to family and friends, so huge fan of using the app and API over the passive fob.
Needs some '2FA', like actually putting the key in the ignition. :)
Or a tiny motion sensor in the key, if it's still then don't authenticate.
[Edit:] Suitable sensor, 2012 technology! https://www.eetimes.com/document.asp?doc_id=1317349#
Or a tiny motion sensor in the key, if it's still then don't authenticate.
[Edit:] Suitable sensor, 2012 technology! https://www.eetimes.com/document.asp?doc_id=1317349#
There is 2FA, they just didn't enable it. There's a PIN to drive feature where you have to put a pin number in on the main touchscreen. It also moves to a different location each time so nobody can look at fingerprints.
If anyone had told me 10 years ago that we should encourage cars to have MFA and that I'd agree with the argument, I'd have lost my mind.
> Needs some '2FA', like actually putting the key in the ignition. :) Or a tiny motion sensor in the key, if it's still then don't authenticate.
Or use infrared to unlock the car, that requires you to stand next to the car and therefore shielding the device from any leakage :]
Or use infrared to unlock the car, that requires you to stand next to the car and therefore shielding the device from any leakage :]