Slashdot Mirror


Tesla's Keyless Entry Vulnerable To Spoofing Attack, Researchers Find (theverge.com)

An anonymous reader quotes a report from The Verge: Researchers at KU Leuven have figured out a way to spoof Tesla's key fob system, as first reported by Wired. The result would let an attacker steal a Tesla simply by walking past the owner and cloning his key. The attack is particularly significant because Tesla pioneered the keyless entry concept, which has since spread to most luxury cars. This particular attack seems to have only worked on Model S units shipped before June, and in an update last week, Tesla pushed out an update that strengthened the encryption for the remaining vehicles. More importantly, the company added the option to require a PIN password before the car will start, effectively adding two-factor to your car. Tesla owners can add the PIN by disabling Passive Entry in the "Doors & Locks" section of "Settings."

The attack itself is fairly involved. Because of the back-and-forth protocol, attackers would first have to sniff out the car's Radio ID (broadcast from the car at all times), then relay that ID broadcast to a victim's key fob and listen for the response, typically from within three feet of the fob. If they can do that back-and-forth twice, the research team found they can work back to the secret key powering the fob's responses, letting them unlock the car and start the engine.

100 comments

  1. The Horror! by divide+overflow · · Score: 1, Funny

    Omigod, time to short TSLA! :)

    1. Re: The Horror! by Anonymous Coward · · Score: 0

      crap there goes the LTV again on the car loan

    2. Re: The Horror! by divide+overflow · · Score: 1

      crap there goes the LTV again on the car loan

      Cool. I'd love a Tesla Model S P100V for half list price...like that's gonna happen....

    3. Re:The Horror! by Anonymous Coward · · Score: 0

      Omigod, time to short TSLA! :)

      I'll wait until Musk calls these security researchers faggots while hitting a blunt on Twitter.

    4. Re:The Horror! by Anonymous Coward · · Score: 0

      I'd buy more Tesla stock if he does

    5. Re:The Horror! by Anonymous Coward · · Score: 0

      Weird how Musk is rewarded and Trump punished for unprofessional behavior.

    6. Re:The Horror! by Anonymous Coward · · Score: 0

      Almost EVERY keyless entry can be "spoofed" if you just proxy all of the radio packets to/from the keyfob. You don't even need to understand the encryption / protocols / etc. You'd just need to know where the owner is and where the car is. (Or the approximate location of the car since you can "beep the horn" to find it.)

      Why did they think a keyless entry system where you don't even need to press any buttons was a good idea?

      Also, once you're at the car and can get in it, it's a piece of cake to start the car. Every car's OBD-II system is like an open book to controlling the entire car. Including the security system, the ignition system, etc. This is similar to how security people say, "once you're at a computer, you have root, there is no way to secure against a physical presence attack".

    7. Re:The Horror! by michelcolman · · Score: 1

      I don't understand why this is so hard. I've only taken a free online cryptography 101 course, and that's all you need to solve this problem. There are pseudo-random number generators that start with a seed value (128 bits, 256 bits or more) and generate numbers that seem so random that you can mathematically prove it would take millions of years to extract the seed from a sequence of generated values, even if you intercept millions of them. By "prove", I mean that if you did manage to find an efficient method, you could break pretty much any cryptographic algorithm out there and make MUCH more money doing that rather than stealing Teslas.

      Simply let both the car and the key prove their identity by sending the next pseudo-random value in the list. The key doesn't respond if the car's code is not correct, and the car doesn't respond if the key's code is not correct.

      If the researchers can extract the seed from two intercepted messages, whoever wrote that authentication mechanism should be banned from ever writing a line of code again. He or she is simply too stupid.

      As for immediate man in the middle (intercepting the broadcast from the car, playing it back near the key, listening for the key's response, playing that back near the car), they should simply be able to check the response time. With processors running at GHz speeds, surely we can measure the number of nanoseconds it took for the fob to respond? If the owner is 30 meters away, that's a whopping 0.2 microseconds for the signal to go back and forth, not even including the delay from the relay device. That's an eternity! I know the fobs are low power, probably running at much lower speeds with high latency, but they can always start with a classic high latency response and then temporarily activate a high power low latency circuit to determine distance. The fob wouldn't need to be in this low latency mode all the time.

    8. Re:The Horror! by michelcolman · · Score: 2

      You are right that keyless entry without requiring any button press is a bad idea. I don't understand the added value, why is it so hard to just put your hand into your pocket, feel for the fob, and press the button? Why does anyone want their car to automatically unlock as they are passing by? When you're standing next to your car, anyone can just open your door right away! I want my car to unlock when I tell it to unlock, not whenever I happen to be nearby.

      But if I'm not mistaken, that's an option in the Tesla settings menu anyway. So anyone with common sense can just set it to require a fob button press.

    9. Re:The Horror! by Anonymous Coward · · Score: 0

      And then it instead fails in unusually cold/warm weather when the transistors switch at slightly different speeds or when your pocket is damp or whatever.

      Tesla is kind of an expensive car. Why can't they offer an old-fashioned key option, for those of us who want it? Similar to how they have a sunroof option and so on.

      Perfecting 'keyless' will take some time, they certainly aren't there today. And the perfect keyless system will always be outcompeted by a cheaper system that doesn't have good countermeasures against thief-in-the-middle attacks. So all the ignorant will buy hopeless systems, and there "won't be a market" for the good system. So not gonna happen.

      The good old key is so much better. While it can be copied, it is hard to do so while it is in my pocket.

    10. Re:The Horror! by bobbied · · Score: 1

      Perfecting Keyless entry is not a matter of time, it's a matter of wanting to do it right. The technology already exists to do this job securely, the manufacturers just need to use it.

      Personally, if I was doing this, I'd have a keyfob that had a time-based code rotation. Where the fob would transmit a constantly changing encrypted sequence of codes but only when it is receiving a specific car's beacon, which is itself a time-based encrypted string. If you keep the car's transmit range low, the keyfob won't be transmitting unless it is within visual range of the car. Keyfob transmissions would also be time division multiplexed with the car's in a random-looking pattern and frequency hopping driven by encryption. This would make the hacker's most common methods of getting around such systems much more difficult.

      Spoofing the keyfob by just parroting what it transmits wouldn't work anymore. It would be very difficult to capture enough car/keyfob conversations to break the encryption keys. The only possible way to hack this would be a bi-directional RF amplifier setup, which would be much more difficult to do if the hackers didn't know the random frequency hopping and time division sequencing.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    11. Re:The Horror! by Anonymous Coward · · Score: 0

      Not a wise move. There are far too many irrational Tesla investors. It is very hard to predict when they will see the emperor's new clothes for what they are and in the meantime, they can just go on inflating the stock.

  2. So, the gist of this is.... by Anonymous Coward · · Score: 0

    ...nothing to see here?

  3. Who pioneered keyless entry? by Anonymous Coward · · Score: 1

    The first time I saw keyless entry it was on my 2005 Toyota Prius (still rolling, 108K miles thank you very much).

    1. Re:Who pioneered keyless entry? by Anonymous Coward · · Score: 0

      I installed keyless entry on my 70 VW Beetle many many many years ago. I often get odd looks when I lock the car and the horn honks. And after all these years it still amuses me to honk the horn remotely whenever a kid walks up to the car and says slug bug.

      P.S. it also has power windows as I hate reaching over and rolling down the passenger side when it's 100 out.

    2. Re:Who pioneered keyless entry? by scdeimos · · Score: 2

      Renault had RKES on their Fuego in the 1980's.

    3. Re: Who pioneered keyless entry? by Anonymous Coward · · Score: 1

      Remote Key Exploit Service?

    4. Re: Who pioneered keyless entry? by Anonymous Coward · · Score: 0

      Renault.

  4. Pioneered what? by Anonymous Coward · · Score: 5, Informative

    "The attack is particularly significant because Tesla pioneered the keyless entry concept, which has since spread to most luxury cars. "

    What kind of propaganda bullshit is this?

    Let's see what Wikipedia says:

    The remote keyless systems using a handheld transmitter first began appearing on the French-made Renault Fuego in 1982,[2] and as an option on several American Motors vehicles in 1983, including the Renault Alliance. The feature gained its first widespread availability in the U.S. on several General Motors vehicles in 1989.[citation needed]

    https://en.wikipedia.org/wiki/...

    Stop drinking the Flavoraid*.

    *Historically accurate if you look it up.

    1. Re:Pioneered what? by divide+overflow · · Score: 2

      Apparently Tesla keyless driving is a bit different from what you're referencing:

      TESLA KEYLESS DRIVING

      Keyless Driving is a feature that allows one to power up and drive the Model S without using the factory key fob. In fact the key fob doesn’t even need to be in possession as all you need is a smart phone (with Tesla Model S app installed) and connectivity to the internet.

    2. Re:Pioneered what? by Anonymous Coward · · Score: 0

      Saying that you "innovated" by having a $1000+ iPhone* implement the same functionality as an old-style key fob that's less than 1/10th the price even with markup [[and doing it poorly as the article points out]] isn't exactly something that Musk should win a Nobel prize for.

      * Before you say something: Think about the Tesla demographic for a bit. Yeah, it's a $1000+ iPhone.

    3. Re:Pioneered what? by divide+overflow · · Score: 2

      Whatever. Give your horse a carrot, grumpy.

    4. Re:Pioneered what? by Ungrounded+Lightning · · Score: 1

      Stop drinking the Flavoraid*.

      *Historically accurate if you look it up.

      Apparently, open packages of both Kool-Aid and Flavor Aid were found at the scene of the Jonestown Massacre, though more of the latter than the former.

      (I once heard a couple minutes of a tape of one of Jim Jones' rants-on-the-Jonestown-PA-system. It sounded like a sermon straight out of Heinlein's _Stranger in a Strange Land_. Creepy.)

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    5. Re: Pioneered what? by Anonymous Coward · · Score: 0

      Just standard Pentecostal fare.

    6. Re:Pioneered what? by liquid_schwartz · · Score: 1

      Saying that you "innovated" by having a $1000+ iPhone* implement the same functionality as an old-style key fob that's less than 1/10th the price even with markup [[and doing it poorly as the article points out]] isn't exactly something that Musk should win a Nobel prize for.

      * Before you say something: Think about the Tesla demographic for a bit. Yeah, it's a $1000+ iPhone.

      If you think it's 1/10th the price you haven't seen dealer pricing on keys.

    7. Re:Pioneered what? by Anonymous Coward · · Score: 0

      There's also the third interpretation: radio key fobs that work by proximity. We've had remote unlocking for so long that the phrase "keyless entry" now tends to mean that you don't need to press the button, just have the key fob on your person when you approach the car.

      I don't know if Tesla were very early adopters of this (I wouldn't be at all surprised if Mercedes were; they usually are) but it's still an optional extra on most vehicles, if it's offered at all.

    8. Re:Pioneered what? by LynnwoodRooster · · Score: 1

      TFS mentions "fob" and "key" four times each, and has zero mentions about a phone. If it's about a phone-based system, then it's incredibly poorly written (even for BeauHD). Or it's about the actual fob - not what you surmise, the phone.

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    9. Re:Pioneered what? by LynnwoodRooster · · Score: 1

      Thankfully you can buy replacement fobs from someone else than the dealer. Like you can with pretty much all parts for all non-Tesla vehicles.

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    10. Re:Pioneered what? by divide+overflow · · Score: 1

      Article was poorly written. The key fob entry method wasn't a Tesla innovation, the alternative, smartphone-based entry system is. According to TFA the problem was only with the fob, specifically the weak encryption used in the Pektron chip used in Tesla's key fob.

    11. Re:Pioneered what? by Anonymous Coward · · Score: 0

      Article was poorly written. The key fob entry method wasn't a Tesla innovation, the alternative, smartphone-based entry system is. According to TFA the problem was only with the fob, specifically the weak encryption used in the Pektron chip used in Tesla's key fob.

      Well if it really takes only a couple of passes, that isn't just weak, that is essentially nonexistent. I suspect part of the issue is people want their car key fobs not to need a new battery too often, which likely reduces the number crunching possible along with the RF communication. It'd be interesting to see what is possible in that kind of ultra low power space.

      Heck, they'd probably be better with straight dictionary responses than whatever this is. Store 100k or so responses to 100k 128-bit messages, and don't let the fob respond more than once a second. That is lousy crypto-wise, but likely good enough to protect most cars.

    12. Re:Pioneered what? by Trogre · · Score: 1, Funny

      So to drive your car you just need:

      1. Your smart phone (with enough battery to last your trip) and
      2. Connectivity to the internet.

      Nope, can't see any problem there.

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    13. Re:Pioneered what? by divide+overflow · · Score: 2

      So to drive your car you just need:

      1. Your smart phone (with enough battery to last your trip) and
      2. Connectivity to the internet.

      Nope, can't see any problem there.

      Or...wait for it...use the fob. What? Too many choices?

    14. Re:Pioneered what? by whoever57 · · Score: 1

      1. Your smart phone (with enough battery to last your trip)

      No, only enough to start the car. Better not stop it and get out anywhere along the route, though. Of course, once the car is started, you can charge your phone from one of the car's USB outlets.

      2. Connectivity to the internet.

      I don't think that this is correct. I think you only need bluetooth.

      --
      The real "Libtards" are the Libertarians!
    15. Re:Pioneered what? by Anonymous Coward · · Score: 0

      Apparently Tesla keyless driving is not that different from internet controllable refrigerators and stoves available since the 1990's.

      Using a smartphone with data plan is actually a step backwards if anything.
      What if you drive out of your carrier coverage zone, or have bad reception, or your phone gets damaged (a fob is a lot more robust and doesn't require data connectivity)...

    16. Re:Pioneered what? by AmiMoJo · · Score: 1

      They have a Bluetooth based system too, but it's still in beta and doesn't work with a lot of phones.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    17. Re:Pioneered what? by Anonymous Coward · · Score: 0

      Why require a network connection? A phone can use Bluetooth or near-field communication. Or wired USB. That works out in the bush where nobody has any kind of cell coverage. And in a Faraday cage (metal garage). Stuff involving 'a phone' does in no way require 'a server somewhere, in the cloud.' Keep it simple, avoid that third party. And have a car that doesn't become handicapped instantly if the manufacturer goes belly-up. Sure, there'll be a shortage of parts. But parts can be made to order, for those with skills or willingness to pay. But losing functionality because a server somewhere is no longer operated - sheesh.

    18. Re:Pioneered what? by stooo · · Score: 1

      Renault introduced it. The system was made by Siemens.
      Tesla did not invent keyless entry and start.

      --
      aaaaaaa
    19. Re:Pioneered what? by Anonymous Coward · · Score: 0

      That won't stop them from claiming they did, though.

    20. Re:Pioneered what? by ai4px · · Score: 1

      The Tesla Model S uses the cell network to unlock the car. When you get out of the driver's seat, the car shuts off. It is entirely possible to get stranded if you exit the vehicle in a cell phone dead zone.... if you don't have a key fob. And yes, I own a model S.

    21. Re:Pioneered what? by whoever57 · · Score: 1

      I was thinking of the Model 3.

      --
      The real "Libtards" are the Libertarians!
    22. Re:Pioneered what? by drsquare · · Score: 1

      And hope that the app doesn't log you out so you get stranded. That happened to an actual Model 3 owner, they phoned up Tesla support, who told them to find someone to pick them up.

  5. Pedant mode ON by NewtonsLaw · · Score: 1

    "letting them unlock the car and start the engine"

    Since when do EVs have "engines"? I thought they had electric motors.

    1. Re:Pedant mode ON by divide+overflow · · Score: 2

      engine
      noun
      1. A machine with moving parts that converts power into motion.
      synonyms: motor, machine, mechanism

    2. Re: Pedant mode ON by Anonymous Coward · · Score: 0

      Can you turn the music on without the key? I am craving a Roy Orbison marathon

    3. Re:Pedant mode ON by ArchieBunker · · Score: 1

      Unless that car has a neutral gear starting the "engine" without you being inside is a bad idea.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    4. Re: Pedant mode ON by divide+overflow · · Score: 1

      Can you turn the music on without the key? I am craving a Roy Orbison marathon

      That sounds awesome...count me in! Only the lonely...

    5. Re:Pedant mode ON by divide+overflow · · Score: 1

      You are kidding, right?

    6. Re:Pedant mode ON by Anonymous Coward · · Score: 0

      It's not that stupid a proposition. What use does an EV have for a clutch? Do they even have them?

    7. Re: Pedant mode ON by belthize · · Score: 1

      "Only the Lonely" is likely to be a bit crowded around here.

    8. Re:Pedant mode ON by divide+overflow · · Score: 1

      Rather than debate what is "stupid" I'll just say that anyone can answer that question in perhaps three seconds using Google and the two keywords "Tesla" and "transmission." The first linked result will provide the answer.

    9. Re: Pedant mode ON by divide+overflow · · Score: 1

      Clever, Snarky Snark.

    10. Re:Pedant mode ON by ArchieBunker · · Score: 1

      Alright 10:1 gearbox. Again, does it have a way to disengage or are the wheels always connected?

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    11. Re:Pedant mode ON by divide+overflow · · Score: 1

      If you read that link I provided it says "no clutch or torque converter," meaning no disengagement, just a 10:1 reduction gear. This simplifies regenerative braking.

    12. Re:Pedant mode ON by dAzED1 · · Score: 1

      If you're going to go the route of saying an engine is something that converts power to motion, then it would be dumb to do that without the person in the car. An EV doesn't "idle" - there simply isn't power applied to the /motors/ yet. I.e., it's not creating any "motion," even if you want to pretend it has a neutral in the way ICE cars do.

    13. Re:Pedant mode ON by ArchieBunker · · Score: 1

      So my original statement is correct. You would not want to start the "engine" remotely.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    14. Re:Pedant mode ON by skullandbones99 · · Score: 1

      The "motor" versus "engine" debate.

      steam engine and NOT steam motor
      rocket engine and rocket motor
      NOT electric engine and electric motor
      NOT starter engine and starter motor

      In other words, "engine" and "motor" have overlapping spheres of influence but the 2 terms are not fully inter-changeable due to their historical usage.

      One reason why the term "electric engine" is coming into usage is because people know a car has an engine so logically in their mind, the device generating propulsion in an electric car is an "electric engine". This is how language evolves.

      But if you went to a spares department and asked for an "electric engine", I suspect you would get funny looks because the parts list will say "electric motor".

  6. If you can do a walk-by clone... by gweihir · · Score: 3, Insightful

    ...then these people really, really, really screwed up. Like absolutely clueless about security. Unfortunately, that seems to be the standard with most EEs doing security these days.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:If you can do a walk-by clone... by AmiMoJo · · Score: 1

      Looking at the pin code entry it seems that the order of the buttons isn't randomised, so the pin code will be easy to steal just by looking at the fingerprint smudges on the screen.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:If you can do a walk-by clone... by gweihir · · Score: 1

      A very old, very well-known attack. Thermal imaging has also been used on ATMs for this, although the timing is more practical there.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  7. If only this worked with all keyless entry systems by WillAffleckUW · · Score: 4, Insightful

    Oh.

    Wait.

    It does.

    --
    -- Tigger warning: This post may contain tiggers! --
  8. Re: If only this worked with all keyless entry sys by Anonymous Coward · · Score: 0

    To be fair, with most systems you can be much farther away from the fob than 3 feet.

  9. SIMPLE SOLUTION by Anonymous Coward · · Score: 0

    Unplug the battery when you leave it. Plug it back in when you are on MOOOOOVE!

  10. Tesla pioneered the keyless entry concept, by JustNiz · · Score: 2

    No, they really didn't.
    Keyless Entry / Go was introduced first by Mercedes-Benz in the S-Class car series in 1998. It was being pretty widely used in quite a few luxury brands before 2003 when Tesla was founded.

    1. Re:Tesla pioneered the keyless entry concept, by Anonymous Coward · · Score: 0

      And GM had it in the 1980's.

    2. Re: Tesla pioneered the keyless entry concept, by jrumney · · Score: 2

      That was push button keyfobs. I'm pretty sure the GP, and TFA are talking about the keyfobs that transmit without any button needing to be pressed, so you don't even need to remove them from your pocket or bag. I remember them being advertised as a feature on quite ordinary cars in the mid 2000s, so 1998 Mercedes S class sounds plausible for a first appearance. Certainly they were around before Tesla had sold any cars.

    3. Re:Tesla pioneered the keyless entry concept, by Anonymous Coward · · Score: 0

      Mercedes may have first used it, but Nissan popularized it.

    4. Re: Tesla pioneered the keyless entry concept, by BenJaminus · · Score: 1

      Yep, I saw one on a Ford Focus about 9 years ago.
      Daft concept, meant you couldn't check the door was actually locked.

    5. Re:Tesla pioneered the keyless entry concept, by stooo · · Score: 1

      Renault introduced it first. The system was developed by Siemens.
      Tesla did not invent keyless entry and start.

      --
      aaaaaaa
    6. Re: Tesla pioneered the keyless entry concept, by Anonymous Coward · · Score: 0

      Yep, I saw one on a Ford Focus about 9 years ago.
      Daft concept, meant you couldn't check the door was actually locked.

      My 2006 Lexus has it, the door doesn't unlock until you actually put your hand around the handle (there is a proximity sensor that can detect it, even if you have gloves on.) To lock the door you just push a small button on the handle (later models didn't even have the button, just an indent you touched with a proximity sensor beneath.) There are still buttons on the remote to lock/unlock from a distance.

    7. Re: Tesla pioneered the keyless entry concept, by larkins.joe · · Score: 1

      I have a 2002 SL55 with Keyless entry and go. It's a credit card-sized plastic thing about 3mm thick that you can stick in your wallet. I don't need to press a button on the 'fob'. As I touch the door handle to open it, a sensor unlocks the car for me, and when I'm seated I just press a button on the gearknob and the engine fires up. I believe that the SL from 2004 onwards got rid of the credit card thing altogether and it was completely in the key. The SL is the marque's flagship 2-seater, and generally gets technology at the same time as or just after the S Class, so I would imagine the 1998 S Class has an identical system to my SL. By the way, if you have £15k to spend and don't mind high maintenance costs, I reckon the SL55 is the best value for money. Open top when you want it, proper steel roof in the winter. 500BHP on tap, and delimited does 201mph (as tested on a non-modified SL55 by Autocar I seem to recall). Love the look on the face of Porsche/Maserati/Anything owners (under about £150k) when you put your foot down. Insanely fast for its age. Apart from app functionality (which wasn't a 'thing' in 2002) what does the Tesla system do that mine doesn't? Oh, and this credit-card-sized thing is smaller and lighter than my phone...

  11. In house crypto by manu0601 · · Score: 1

    We regularly have a reminder that it is a bad idea to develop in house crypto. In this situation, it seems that reusing something like Mifare was the way to go.

    1. Re:In house crypto by im_thatoneguy · · Score: 3, Insightful

      Wasn't in-house Tesla. Looks like they used an off-the-shelf solution which is vulnerable in several manufacturers' vehicles. But "Tesla" pushes clicks more than "Mercedes keyless entry..."

    2. Re:In house crypto by Anonymous Coward · · Score: 0

      Pretty sure there was a story on /. about either RR or BMW having similar issues a long long long time ago.

    3. Re:In house crypto by Anonymous Coward · · Score: 0

      The last time this was on slashdot people pointed that out, but some *cough Rei* claimed Tesla was different and impervious to these problems.

      Now the "specialness" of Tesla is being ignored or refuted to normalize.

      Sad really.

    4. Re:In house crypto by stooo · · Score: 1

      >> We regularly have a reminder that it is a bad idea to develop in house crypto. In this situation, it seems that reusing something like Mifare was the way to go.

      Mifare is closed source proprietary, very weak and very broken.
      That is pretty much worse than in-house crypto, because it's already pre-hacked.

      That is very very bad advice.

      --
      aaaaaaa
    5. Re:In house crypto by swillden · · Score: 1

      We regularly have a reminder that it is a bad idea to develop in house crypto.

      Always true.

      In this situation, it seems that reusing something like Mifare was the way to go.

      No, Mifare (or ISO 14443 contactless smart card protocols in general) are too short-ranged. You'd have to pretty much tap the key to some part of the car to activate it. That's much less convenient than the "walk up, get in, drive away" process that Tesla and other high-end automakers want to provide.

      It should also be noted that there's another sort of vulnerability that's even harder to prevent: relay attacks. Good crypto will make it impossible to clone the key, but if I can put one transceiver near the car and another near the fob and relay messages between them, I can also get in and drive. There is a solution on the horizon for this problem, though: secure range-bounding protocols. The forthcoming Ultra Wideband Wifi spec includes one that allows the precise range between radios to be determined, and in the process negotiates an ephemeral shared secret between them that can be combined with a pre-shared secret to provide strong authentication that is secure against relay attacks. UWB Wifi can do this with extremely low power consumption as well, making it a good candidate for use in a key fob.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    6. Re:In house crypto by swillden · · Score: 1

      Mifare is closed source proprietary, very weak and very broken.

      Mifare is a brand which covers a whole range of specific technologies. Only the oldest ones are very weak and very broken. This is like saying "TLS is old and broken", because TLS 1.0 has known vulnerabilities. Yes it does, but that doesn't mean TLS 1.3 isn't quite solid.

      However, Mifare is close-range and wouldn't be convenient for this application.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    7. Re:In house crypto by Anonymous Coward · · Score: 0

      Well, Mercedes doesn't have a massive army of fanboys. But then, Mercedes also doesn't have this issue as far as currently known.

    8. Re:In house crypto by manu0601 · · Score: 1

      the process negotiates an ephemeral shared secret between them that can be combined with a pre-shared secret to provide strong authentication that is secure against relay attacks.

      Mifare does exactly that, and if your system is recent enough to support EV1, you have AES128, which is not broken yet.

      The range objection remains, though.

    9. Re:In house crypto by swillden · · Score: 1

      the process negotiates an ephemeral shared secret between them that can be combined with a pre-shared secret to provide strong authentication that is secure against relay attacks.

      Mifare does exactly that

      No, Mifare does not support a bounding protocol, at all, much less one that negotiates an ephemeral shared secret as a side effect. Mifare is subject to relay attacks. Yes, Mifare -- like most everything else in this space -- does negotiate a session key, but that's not at all the same thing.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  12. Tesla did not pioneer keyless entry. by Anonymous Coward · · Score: 0

    Unless the 1993 Chevrolet Corvette was made by Tesla. The. No. Tesla did not pioneer keyless entry.

    1. Re:Tesla did not pioneer keyless entry. by zlexiss · · Score: 1

      Unless the 1993 Chevrolet Corvette was made by Tesla. The. No. Tesla did not pioneer keyless entry.

      Agreed, my '96 Corvette has passive proximity (no button push needed) entry.

  13. Re:If only this worked with all keyless entry syst by Dare+nMc · · Score: 1

    This one doesn't work for all cars. Most cars would require you to get the FOB and push a button and relay that to the car, then a separate vulnerability to replicate the key action as well. As there is no information transmitted without physical action by the owner, it isn't at all the same. The Tesla FOB automatically unlocks with proximity, and requires no KEY to then drive off at that point.

    The Tesla system (used by a couple other luxury cars as well) just requires the hackers to be close to the car for a few seconds, then close to the key for a few seconds. As the car constantly sends out a challenge to the key, they record that, then play that challenge to the FOB; after 2 valid responses they can duplicate the FOB, as they have generated a 2Tb lookup to catch the key code. After that point they have everything needed to operate the car normally without any contact with the original fob again.

    They do have a fix: if the owner purchases a better FOB, then software can protect this with a larger encryption key. Relay attacks without touching the original FOB would still work. Tesla now allows owners to have a password to start the car. Personally I would rather have a key than having to carry a FOB and enter a password each time to be as secure.
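As an added illustration (not from any commenter, and not Tesla's or the researchers' code), this Python simulation models the fob protocol the posts above describe: a challenge-response exchange that a recorded reply cannot satisfy, and why, as swillden notes earlier in the thread, intact crypto alone does not stop a relay while a round-trip-time bound does. The HMAC construction, the 200 µs budget and the path delays are constructed assumptions, not the real fob's cipher or figures.

```python
import hashlib
import hmac
import os

TAG_LEN = 16             # bytes of the HMAC kept as the fob's reply
RTT_BUDGET_NS = 200_000  # constructed round-trip budget; a real one derives from radio time-of-flight

class Fob:
    """Holds the shared secret and answers challenges; the key itself is never sent."""
    def __init__(self, key):
        self.key = key

    def respond(self, challenge):
        return hmac.new(self.key, challenge, hashlib.sha256).digest()[:TAG_LEN]

class Car:
    """Issues fresh random challenges and accepts only a correct *and timely* reply."""
    def __init__(self, key, rtt_budget_ns=RTT_BUDGET_NS):
        self.key = key
        self.rtt_budget_ns = rtt_budget_ns  # None = crypto only, no range bounding

    def challenge(self):
        return os.urandom(16)

    def verify(self, challenge, response, rtt_ns):
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()[:TAG_LEN]
        crypto_ok = hmac.compare_digest(expected, response)
        range_ok = self.rtt_budget_ns is None or rtt_ns <= self.rtt_budget_ns
        return crypto_ok and range_ok

def exchange(car, fob, path_delay_ns):
    """One unlock attempt over a simulated radio path with the given one-way delay."""
    c = car.challenge()
    return car.verify(c, fob.respond(c), rtt_ns=2 * path_delay_ns)

def run_scenarios():
    key = os.urandom(16)                       # constructed shared secret
    fob, car, car_no_bound = Fob(key), Car(key), Car(key, rtt_budget_ns=None)
    old_c = car.challenge()                    # a sniffed challenge/response pair...
    old_r = fob.respond(old_c)
    return {
        # ...is worthless against a fresh challenge: replay fails on the MAC check
        "replay": car.verify(car.challenge(), old_r, rtt_ns=1_000),
        # fob in the owner's pocket, ~1 us one-way: correct MAC, within budget
        "legit": exchange(car, fob, path_delay_ns=1_000),
        # the same honest fob answering through a long-latency forwarded path:
        # the MAC is still correct, so a crypto-only car accepts it...
        "relay_crypto_only": exchange(car_no_bound, fob, path_delay_ns=5_000_000),
        # ...while a range-bounding car rejects it on round-trip time alone
        "relay_range_bound": exchange(car, fob, path_delay_ns=5_000_000),
    }
```

Key recovery from two sniffed exchanges, the flaw the article reports, is a property of the cipher's key size and is not modelled here; the simulation only shows what a sound challenge-response plus range bound does and does not protect against.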

  14. Re:If only this worked with all keyless entry syst by Anonymous Coward · · Score: 0

    Are you afraid of writing "fob"?

  15. Pioneered keyless entry? by Anonymous Coward · · Score: 0

    "The attack is particularly significant because Tesla pioneered the keyless entry concept..."

    I have a 2011 Nissan Altima that has a no-contact in-your-pocket key fob. Did Nissan license the technology from Tesla (since they "pioneered it")?

    1. Re:Pioneered keyless entry? by Anonymous Coward · · Score: 0

      Renault already offered a keyless entry system in the early 1980s. It was claimed to have been developed by Siemens, but apparently Siemens copied something Tesla developed thirty years later using a time machine of some sorts.

  16. FOBs? by Kokobaby39 · · Score: 0

    Remember that FOBs are not a key. If the concern is getting into the car, you don't want to FOB. Understand that FOBs are an added layer on the car and key that is NOT going to get you anywhere near the car. I had all my keys as FOBs, but went years without getting into the car. Found out though that FOBs are like car hack - mine had to go, but hacking to get the car open isn't the most efficient thing to do. You can call a FOB safe, but that takes billions of man hours to get though. Blank clones? I found that the movie theaters are at "I just cloned you at the door." VERY horrifying. You might as well take in the movie in front of the candy machine.

  17. Best Motherboards For Hackintosh In 2018 by JamFalakShair · · Score: 1
  18. Re:If only this worked with all keyless entry syst by AmiMoJo · · Score: 5, Informative

    No it doesn't. The problem here is not just that you can unlock the car, it's that you can recover the secret key and make a duplicate key. Then you can start and drive the car all you like, access it whenever you want rather than just once.

    Not sure what this claim about Tesla pioneering keyless entry in the summary is either. Lots of cars had it long before Tesla came along.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  19. Re:If only this worked with all keyless entry syst by thegarbz · · Score: 1

    Wait.

    No.

    It does not.

    All these systems have cryptographic exchanges. Just because one specific implementation of it contained a flaw that allows an attacker to gain access to the secret key doesn't mean that all systems have the same flaw. Unless you're implying that an industry where everyone reinvents everything and designs everything custom to themselves suddenly thought it was a great idea to standardise on one code base for keyfobs.

  20. Not really a Tesla specific issue by Daralantan · · Score: 1

    There've been other keyless access issues with other companies before as well. I remember reading some article about a guy keeping his key fob in an altoid tin or whatever after someone with a range extender of some kind opened his car door several days in a row. Apparently it could be used next to his car (parked in the street) and replicate the signal from the fob a decent distance away.

    Now I look forward to this same writer having an article about his fob breaking due to being filled with altoid dust.

  21. What definition of keyless entry is this? by Megol · · Score: 1

    Nothing of what I can imagine has been invented by or pioneered by Tesla. Keyless entry has been used long before Tesla existed, so?

  22. Someone other than the dealer. by Anonymous Coward · · Score: 0

    Someone other than the dealer.

  23. Not the affected keyless system. by DrYak · · Score: 1

    Apparently Tesla keyless driving is a bit different from what you're referencing:

    And as pointed by others in this thread, not the keyless system that was affected by the current vulnerability.

    The vulnerability affects the classical fob-based keyless system, that has been available for ages from countless other manufacturers.

    Thus the parent is right (and the summary is wrong), Tesla hasn't been the one pioneering the affected keyless system.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  24. "Starting" an EV vehicle ; clutch by DrYak · · Score: 2

    "Starting" an EV is actually bringing all the systems up, waking up the onboard computers, usually performing some self diagnostics (mostly of the lithium battery), re-engaging some systems (in several cars, reportedly in Teslas too, the lithium battery can be shut off for safety and isolation, and the computer runs off the secondary lead battery) (the power inverter running the motor is similarly shut off in most cars), and unlocking a few things (steering lock).
    It's closer to what your laptop performs when brought out of suspend mode than what an ICE does when starting.

    i.e.: "Starting" is making the car ready to drive.

    But unlike an ICE vehicle, the motor doesn't start to purr constantly. The electrical motor will only start turning if you press the accelerator pedal.

    Though it's extremely fast on most cars (a couple of seconds of self-diagnostic), some manufacturers like Tesla might already do it as you approach the car, so you can simply enter and hit the accelerator.

    Also regarding the question about clutch, there's no physical clutch in an EV: the motor is connected to the differential with a fixed ratio.

    On most cars, there's still a "gear selector"-like lever with Reverse/Neutral/Forward position similar to automatic cars.
    But this actually isn't controlling any physical device, it's electronically defining the behavior of the vehicle.
    (e.g.: which direction the motors spins when the accelerator pedal is pushed).

    Also, because electric motors only use a fixed gear ratio and go in reverse by spinning the motor the other way around, it means that nothing will physically limit the speed of the car in *reverse*: the motor could spin as fast forward as backward.
    (Unlike an ICE, where the motor constantly spins in a single direction, and only has 1 single gear going in reverse. You can't shift to a "2nd gear reverse" to go any faster, unlike when going forward with 5 or 6 gears).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  25. Re:Pedantic mode ON by skullandbones99 · · Score: 1

    Being pedantic, I have corrected the subject.

    Pedant refers to a person that is pedantic. So your subject meant "enable the pedantic mode of the person".

  26. VW,Audi,Porsche,BMW.. all have same vulnerability by Anonymous Coward · · Score: 0

    All you need is an SDR transceiver and some decent programming skills. All you need to do is record the bitstream from the car to the fob and the fob to the car.
    VW pioneered the technology, not Tesla. The problem is the data is not encrypted. They don't implement public and private keys. A more sophisticated approach would be to seed public key. Only the CAR and FOB would have the current public key. I am not going to tell you how to break in. I can tell you it's easy.
    Keyless entry is easy too. Similar to opening a door, but you would need a key for the ignition for a standard keyless entry.

    A fob.. well if you record a fob / car data stream, you can easily unlock the car and drive it.

  27. RADIO RELAY? by bussdriver · · Score: 1

    Can somebody tell me why a radio signal detector couldn't unlock the car initially by just range extending it to the parking lot without the owner knowing??

    What happens if while driving the car the key is thrown out of the window? (or the range extender stops?)

  28. Is this really how keyless entry systems work? by Anonymous Coward · · Score: 0

    Why wouldn't they use a challenge-response system so that it can't be replayed?