In 2020, Tesla even wrote in a filing with the US Federal Communications Commission that it would implement ultra-wideband in its keyless entry systems and that the ability to much more accurately measure the distance between a key fob or smartphone and a car – or at least could—prevent your vehicles from being stolen through relay attacks. “The distance estimation is based on a time-of-flight measurement, which is immune to relay attacks,” reads Tesla’s presentation. That document, which appeared for the first time by the edgebrought to widespread reports and social media comments suggesting that the upcoming ultra-wideband version of Tesla’s keyless entry system would mean the end of relay attacks against its vehicles.
However, GoGoByte researchers found that they could carry out their relay attack against the latest Tesla Model 3 over Bluetooth, just as they had with previous models, from a distance of up to 15 feet between your device and the key. or the owner’s phone number. While the cars appear to use ultra-wideband communications, they apparently do not use them to perform remote controls and prevent keyless entry theft.
Tesla has not yet responded to WIRED’s requests for comment.
When GoGoByte researchers shared their findings with Tesla earlier this month, the company’s product security team immediately responded in an email dispelling any rumors that ultra-wideband, or “UWB,” was even intended to prevent the robbery. “This behavior is expected as we are currently working to improve the reliability of UWB,” reads Tesla’s email in response to GoGoByte’s description of its relay attack. “UWB range will be applied when reliability improvements are completed.”
That response shouldn’t necessarily come as a surprise, says Josep Rodríguez, a researcher at security firm IOActive who has previously demonstrated relay attacks against Tesla vehicles. After all, Tesla never explicitly said it had started using the ultra-wideband feature for security reasons; Instead, the company has touted ultra-wideband features like detecting that someone’s phone is next to the trunk for hands-free opening, and using it as a safety check can still produce too many false positives.
“My understanding is that it may take time for engineering teams to find a sweet spot where relay attacks can be prevented but still not impact the user experience,” Rodriguez wrote in an email to WIRED. “I didn’t expect the first implementation of UWB in vehicles to solve relay attacks.”
The slow adoption of ultra-wideband safety features by automakers is not limited to just Tesla, GoGoByte researchers note. They found that two other automakers whose keys support ultra-wideband communications also remain vulnerable to relay attacks. In one case, the company had not even written any software to implement ultra-wideband communications in its car locking systems, despite updating the hardware that supports it. (The researchers have not yet named those other automakers, as they are still working with them on the vulnerability disclosure process.)
Despite the high price of Teslas and their continued vulnerability to relay attacks, some studies have found that the cars are much less likely to be stolen than other cars due to their default GPS tracking, although some car theft rings have I targeted them anyway using relay attacks. to sell vehicles for spare parts.
GoGoByte notes that Tesla, unlike many other automakers, has the ability to send over-the-air updates to its cars and could still use that feature to implement a relay attack solution over ultra-wideband communications. Until then, however, GoGoByte researchers say they want Tesla owners to understand that they are far from immune. “I think Tesla will be able to solve this problem because it already has the hardware in place,” Li says. “But I think the public should be notified about this issue before they release the secure version.”
Until then, in other words, keep your Tesla’s driving PIN protection in place. Better that than storing your keys and smartphone in the freezer, or waking up to an empty driveway and your car sold for parts.
