I don’t see how this would be difficult unless Tesla is using the latest encryption on their SIM cards (doubtful). Grabbing the IMSI off a car would allow for all sorts of shenanigans including remote tracking of a target, undetected entry and exit of a parked vehicle, and strategic theft. It all costs less than a 1000 bucks for most of the gear needed including relay attacking the fob, the IMSI catcher, and buying a white SIM off the darknet to clone the victim’s car to tower connection and use it to perform more sophisticated attacks.
I keep reading about thefts in Europe and wonder if the thieves are using IMSI attacks.
Comments
> Spend your $1000 and do what you think you can do for that...good luck.
https://boingboing.net/2018/11/16/grgsm_livemon.html
Remote tracking seems dubious, requiring hacking into the cell system to monitor which towers can hear the car.
Undetected entry and exit also seems dubious; knowing the IMSI doesn’t make you an authorized phone as far as the car is concerned. Theft is likewise dubious for the same reason.
> Catching the car’s IMSI is doable; the question is what could you do with it?
> Remote tracking seems dubious, requiring hacking into the cell system to monitor which towers can hear the car.
> Undetected entry and exit also seems dubious; knowing the IMSI doesn’t make you an authorized phone as far as the car is concerned. Theft is likewise dubious for the same reason.
Allow me to explain: unpatched fobs still vulnerable to a relay attack could still enable the thief to steal the car, but this doesn’t negate the ability to track the car if someone’s Tesla credentials are not known. However, a cloned SIM broadcasting the same IMSI atop a moving Tesla could cause errors preventing the vehicle from communicating with the nearest tower until it’s safely in a Faraday trailer or garage. I’m trying to wrap my head around how these Teslas are being stolen in Europe and tracking disabled. It’s just a hypothesis and I could easily be wrong about the methods employed.
- pop out the sim
- blow the fuse that powers it,
- place a cell phone jammer in the front seat
It all comes down to the initial authentication.
IMSI doesn't get you anywhere by itself. Linking to that boingboing article shows that you don't actually know anything about how cell systems work.
> An IMSI by itself gets you nowhere. Cloning a SIM is not trivial. There are encryption keys that you have to get off the SIM, and guess what, not only are SIMs not meant to have their PKs copied, they actually actively protect against doing it.
>
> IMSI doesn't get you anywhere by itself. Linking to that boingboing article shows that you don't actually know anything about how cell systems work.
I may not know as much as some. What’s your theory on how remote tracking is being disabled on stolen Teslas so quickly?
- pop out the sim
- blow the fuse that powers it,
- place a cell phone jammer in the front seat
> > What’s your theory on how remote tracking is being disabled on stolen Teslas so quickly?
>
> - pop out the sim
> - blow the fuse that powers it,
> - place a cell phone jammer in the front seat
Possible if they stopped using embedded SIMs at some point? To my knowledge they’re soldered on. See this thread:
https://forums.tesla.com/discussion/17451/dev-console-access-code
https://youtu.be/qm7X6bTxzqo