
Using Homemade Stingray to Clone Tesla IMSI

I don’t see how this would be difficult unless Tesla is using the latest encryption on their SIM cards (doubtful). Grabbing the IMSI off a car would allow for all sorts of shenanigans, including remote tracking of a target, undetected entry and exit of a parked vehicle, and strategic theft. It all costs less than 1000 bucks for most of the gear needed, including relay attacking the fob, the IMSI catcher, and buying a white SIM off the darknet to clone the victim’s car-to-tower connection and use it to perform more sophisticated attacks.

I keep reading about thefts in Europe and wonder if the thieves are using IMSI attacks.

Comments

  • Spend your $1000 and do what you think you can do for that...good luck.
  • > @derotam said:
    > Spend your $1000 and do what you think you can do for that...good luck.

    https://boingboing.net/2018/11/16/grgsm_livemon.html
  • And just how are you going to clone a FOB that is nowhere near the car?
  • Catching the car’s IMSI is doable; the question is what could you do with it?
    Remote tracking seems dubious, requiring hacking into the cell system to monitor which towers can hear the car.
    Undetected entry and exit also seems dubious; knowing the IMSI doesn’t make you an authorized phone as far as the car is concerned. Theft is likewise dubious for the same reason.
  • > @Frank99 said:
    > Catching the car’s IMSI is doable; the question is what could you do with it?
    > Remote tracking seems dubious, requiring hacking into the cell system to monitor which towers can hear the car.
    > Undetected entry and exit also seems dubious; knowing the IMSI doesn’t make you an authorized phone as far as the car is concerned. Theft is likewise dubious for the same reason.

    Allow me to explain: unpatched fobs still vulnerable to a relay attack could still enable the thief to steal the car, but this doesn’t negate the ability to track the car if someone’s Tesla credentials are not known. However, a cloned SIM broadcasting the same IMSI atop a moving Tesla could cause errors preventing the vehicle from communicating with the nearest tower until it’s safely in a Faraday trailer or garage. I’m trying to wrap my head around how these Teslas are being stolen in Europe and tracking disabled. It’s just a hypothesis and I could easily be wrong about the methods employed.
  • Fob attacks I understand; using a cloned IMSI to confuse the towers is an interesting approach after the car is stolen, but doesn’t really seem necessary. Once you’ve authenticated using a cloned or relayed fob, you can drive away in the car. I don’t know where the SIM is in a Model S, but if you wanted to interrupt the car’s communications, you could:
    - pop out the sim
    - blow the fuse that powers it,
    - place a cell phone jammer in the front seat

    It all comes down to the initial authentication.
  • An IMSI by itself gets you nowhere. Cloning a SIM is not trivial. There are encryption keys that you have to get off the SIM, and guess what, not only are SIMs not meant to have their PKs copied, they actually actively protect against doing it.

    IMSI doesn't get you anywhere by itself. Linking to that boingboing article shows that you don't actually know anything about how cell systems work.
  • > @derotam said:
    > An IMSI by itself gets you nowhere. Cloning a SIM is not trivial. There are encryption keys that you have to get off the SIM, and guess what, not only are SIMs not meant to have their PKs copied, they actually actively protect against doing it.
    >
    > IMSI doesn't get you anywhere by itself. Linking to that boingboing article shows that you don't actually know anything about how cell systems work.

    I may not know as much as some. What’s your theory on how remote tracking is being disabled on stolen Teslas so quickly?
  • >>> What’s your theory on how remote tracking is being disabled on stolen Teslas so quickly?
    - pop out the sim
    - blow the fuse that powers it,
    - place a cell phone jammer in the front seat
  • > @Frank99 said:
    > >>> What’s your theory on how remote tracking is being disabled on stolen Teslas so quickly?
    > - pop out the sim
    > - blow the fuse that powers it,
    > - place a cell phone jammer in the front seat

    Possible if they stopped using embedded SIMs at some point? To my knowledge they’re soldered on. See this thread:

    https://forums.tesla.com/discussion/17451/dev-console-access-code
  • Wow, I should’ve looked into this more. Apparently the euro Teslas aren’t using access cards with embedded SIMs at all. You’re probably right on the money - they’re just removing the SIM and using a jammer.

    https://youtu.be/qm7X6bTxzqo
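derotam’s point above, that a captured IMSI without the card’s secret key Ki gets an attacker nowhere, can be seen in a toy model of SIM challenge-response authentication. This is an added example, not code from any poster in the thread: HMAC-SHA256 stands in for the operator’s real A3/A8 algorithms, and every IMSI and key is constructed.

```python
import hashlib
import hmac
import secrets

# Toy model of SIM challenge-response authentication (GSM-style RAND/SRES).
# HMAC-SHA256 stands in for the operator's real A3/A8 (e.g. COMP128, MILENAGE)
# so the example runs offline; every IMSI and key below is constructed.

class HomeNetwork:
    """The operator's HLR/AuC: holds each subscriber's secret Ki, indexed by IMSI."""
    def __init__(self):
        self._ki_by_imsi = {}

    def provision(self, imsi, ki):
        self._ki_by_imsi[imsi] = ki

    def challenge(self):
        return secrets.token_bytes(16)  # RAND: fresh random nonce per attach

    def authenticate(self, imsi, rand, sres):
        ki = self._ki_by_imsi.get(imsi)
        if ki is None:
            return False
        expected = hmac.new(ki, rand, hashlib.sha256).digest()[:4]  # A3 stand-in
        return hmac.compare_digest(expected, sres)

class Sim:
    """The card: Ki never leaves it; only the 4-byte SRES derived from RAND does."""
    def __init__(self, imsi, ki):
        self.imsi = imsi
        self._ki = ki

    def respond(self, rand):
        return hmac.new(self._ki, rand, hashlib.sha256).digest()[:4]

def attach(network, sim):
    """One attach: network sends RAND, SIM answers SRES, network verifies it."""
    rand = network.challenge()
    return network.authenticate(sim.imsi, rand, sim.respond(rand))

def demo():
    """Genuine SIM attaches; a 'clone' that only knows the IMSI does not."""
    net = HomeNetwork()
    imsi, ki = "001010123456789", secrets.token_bytes(16)  # constructed values
    net.provision(imsi, ki)
    genuine = Sim(imsi, ki)
    clone = Sim(imsi, secrets.token_bytes(16))  # same IMSI, wrong Ki
    return attach(net, genuine), attach(net, clone)
```

The IMSI only tells the network which Ki to look up; without the matching Ki the clone cannot answer the per-attach RAND, which is why an IMSI catcher alone yields an identifier, not a usable credential.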