keyless fob security?

keyless fob security?

Like most modern cars now they have keyless fobs. Will the model S have this? Theres articles about keyless fob hacking to gain access to the car. Either way a car can be broken into or even fooled into letting someone in that thinks its the owner.

I know other EV cars have apps on there phone to tell you how much charge your battery has, but could there be an app for the model S that has this function, but also tell you that your car is active? Possibly have a security feature thats password locked that sends a kill switch message to your car?

And an abstract idea that, well maybe you're at a party and get pushed into the pool by some overzealous friends. Your fob gets ruined but, your phone is saved (just for the sake of the phone not getting in the drink too) so you could use your app to open the door and start the car remotely.

Just a few ideas that could be implemented mayhaps.

JayK | 19 January, 2011

FYI, I accidently stepped into a swimming pool with my keyless FOB for my Hyundai still in my pocket. It was submerged for a good 10 seconds before I realized that it was still in my pocket. I thought I was screwed, but fortunately the fob still worked.

Dan5 | 19 January, 2011

I would like a security app on the phone that lets you kill power to the car. Nothing like a car jacker taking your car and you killing the power a half mile away. I'm sure there would liability issues, like killing a stolen car and causing an accident or somehow the thief suing you because you messed up his getaway or something like that, or unlawful restraint.

Here's my premise- you lock the car and have your cell phone kill power to the drive system (if it can be done and only power the door opening AND alarm), that way the fob only opens the door and you have to type in a code on your phone to reenable the drive system power.

The following would be the way to better protect your car
1. Exit car and close door (auto lock based on FOB)
2. Type in code in phone (disables drive system electricity)
3. Walk up to car- door handle comes out (FOB)
4. Type in code on cell phone (enables drive system electricity)
5. Start car (FOB)

I envision an app where you type in the VIN and based on the VIN sends the signal to your car

VolkerP | 19 January, 2011

Why do you think using your smart phone is safer than the FOB?

Someone can hack into your shiny smart phone. If he finds an app that opens the door and starts your car, some $100,000 for writing this hack is going to quickly pay for!

Best way for better security is less components.

What I want from TESLA is a key FOB to open the door, then unlock my car by entering PIN into touch screen. When left, the car should automatically lock doors and the drive system. And it is not so hard to build a battery powered device that withstands being submersed in water (ever heard of IP57?). Of course, we should expect a key FOB with state-of-the-art protection against signal hijacking from TESLA.

I am pretty sure TESLA has a remote kill feature in the roadster. IMHO, such feature should be only operated by car manufacturer.

Smart phone app is useful for monitoring state of charge, find my vehicle (GPS based), check and adjust temperature and so on. No kill switch. No security related app stuff, please.


richardizme | 19 January, 2011

Well the general gist of a kill switch on the phone app is it wouldnt be easily accessible, even if the phone is hacked into or stolen. That would still require a PIN too.

And It was just a general idea anyway to see what other people would think.

Supergreekster | 19 January, 2011

I think this functionality is something some people will want. The Nissan leaf will be able to remotely (through smartphone/web browser) turn on ac/heat to achieve desired car temp ahead of time... Tesla should match this at least, and anti-theft technology is a must... So drivetrain kill is standard these days... But would be nice to be able to do away with key altogether... Fob to open doors if you want, but failsafe system... Biometric?!

Discoducky | 19 January, 2011

Would be nice if my phone could act as the fob. Download the FOB app! New phones will come with NFC (Near Field Communications) which essentially allow your phone to be your wallet. Why couldn't this be used to allow a secure connection with your car?

I don't like the idea of killing the car remotely, but I do like the idea of knowing where my car is at all times, even if the main battery appears to be depleted. Via my phone I should be able to locate my car instantly, even if it's moving.

Would be awesome to only have one "thing" to keep track of.

BYT | 19 January, 2011

Like the Find My iPhone, you want a Find My Model, love that idea. I have a daughter moving into her teens and soon of driving age, I know she will leave my car alone but just in case.

Mark Petersen | 19 January, 2011

well it shout feature a mode to set the car to kids mode limiting the top speed and acceleration
and maybe a parking-boy mode (max 10mph)

Douglas3 | 19 January, 2011

In Canada, the Roadster will not start without the FOB. You must unlock the car with the FOB before turning the key. You also have to start the car within about 30 seconds of hitting the unlock button on the FOB.

If you don't, a message will pop up on the touchscreen telling you to hit the unlock button. Once you hit the button it will then start up.

This is different from the US version; apparently it is a new Canadian requirement to have an "immobilizer" feature. We've had such rampant car theft up here it seems like a damned good idea.

ChristianG | 20 January, 2011

I don't want to press any buttons on my key to enter or start the car. I like the way toyota did that on the prius. I have my key in the pocket, my hand is close to the door handle it unlocks. I get in press 'Start' and away we go.

there are enough technical solutions to avoid scanning problems and so on, that will not requiere any phone apps or passwords typed in before starting.

Mike_ModelS_P457 | 20 January, 2011

This is a very interesting thread.

I have a Lexus HS250 and I love the fob. That said, I also have a Ford Escape Hybrid (no fob, old fashioned key!) which has a keypad on the door for entry - which I also love.

Given the software driven way this car will be run I imagine there will be customizations available. I may want to live by the fob (leave it in my pocket), but my wife may want to live by the pin.

I do like the idea of managing the car (ac/heat/charge status) from an IP enabled device. The remote kill does, however, give me concerns for safety... though I'm sure they will think of how that works.

Douglas3 | 20 January, 2011

The Canadian regulations do not actually require a button on the FOB; keyless is okay. I believe the Roadster's implementation was just the simplest way for them to retrofit the Canadian requirement, because it didn't require modifying the FOB.

The bottom line is that in Canada an electronic interlock is required to start the car; with the new regulations a physical key alone isn't enough. So keyless is definitely the way to go.

David70 | 23 January, 2011

I may be wrong on this, but I recall that the system in the car is/or can be in communication with Tesla and its data base. If so, if coming out to where your car is you discover it missing, you call Tesla, they contact the police in the location where the GPS indicates the car is located, and in communication with the police power down the car in a safe manner when its location is discovered.

Volker.Berlin | 23 January, 2011

Sound like SciFi. :-)

Timo | 23 January, 2011

But is true. Not necessarily for Tesla, but similar systems do exist. GPS locators and remote power off. Some systems allow you to call your car with mobile phone and tell it to power off.

Douglas3 | 23 January, 2011

Tesla can retrieve GPS coordinates if you have enabled GSM log download. I have heard of one occasion where that was used to recover a stolen Roadster.

It's quite common now for car thieves to leave a vehicle parked in an obscure location for a week, to make sure it doesn't have GPS tracking. If it does the car will disappear, if not they can have their way with it.

kwen197 | 4 November, 2014

On UK forum there is a thread called "Keyless entry hack". I e-mailed Tesla service & their reply was "The Model S is one of the safest cars on the road when it comes to theft. The "hack" they speak of is related to hacking the Mobile App which we have recently upgraded the requirments for the username & password to make the app more secure. If you are concerned with this you can always turn off mobile access for your vehicle through the touchscreen by going to controls>settings>safety and security>mobile access-off. This can be only be changed from inside the car and will make it so the mobile app cannot acceess the vehicle."

mrspaghetti | 4 November, 2014


In other words, use a good password and common sense. Nothing to see here.

neill | 4 November, 2014


I was the original poster in the UK forum on a hack for the Tesla and it follows a detailed article in a big UK weekend paper that a disproportionate number of Range Rovers where being stolen in London in the last quarter because thieves are using a £10 device off ebay to effect a man-in-the-middle attack - what they do is have one person stand next to your car with one electronic device picking up the Tesla to key fob signal from the car, and that is wirelessly relayed to their accomplice who follows you up the road. The accomplice has a 2nd electronic device that relays and ocally broadcasts the Cars 'friendly' signal which your fob then confirms - that confirmation signal is relayed back to the first thiefs device which then opens the car and makes it drivable - you'll not know until you get back to find the car missing, although if you have the app you can find out where it has gone, however you will probably lose the contents...

This is how Range Rover and others with keyless entry are being stolen, and there is considerable concern from insurance companies to the point that they are now declining to insure range rovers unless they are parked in secure off-road storage, and even then with loaded premiums and excess charges for theft...

Are Teslas next? After much debate, we think that the 2nd hand market for Tesla cars is too unique and controlled to make it worthwhile or viable, whereas Range Rovers et al can be taken for their parts/export etc.

Best to all our American Cousins!

Neill L-S, Oxford, UK

Pungoteague_Dave | 5 November, 2014

No one can steal a Tesla and keep it for street use. It is too well linked and easily tracked. The only value in a MS theft is to chop it up for parts.

I don't worry about auto theft at all. If you want it, take it. Just please make sure it can't be recovered. Simply an insurance-funded upgrade opportunity.

wrcooper1776 | 18 April, 2015

An article in today's New York Times on hackers who use a simple, inexpensive device to gain entrance to automobiles that use a wireless fob key. See Does anyone know if the Model S is vulnerable to this kind of attack?

wrcooper1776 | 18 April, 2015
wrcooper1776 | 18 April, 2015 | 18 April, 2015

Lots of FUD and Clickbait.

They didn't break the security system. They guessed a simple password through the phone app. If you use a simple password for your car or your bank account, assume it will be used by someone you don't want. If you're still worried or can't think of a good password, then turn off remote access to eliminate any possibility of access. As this 'hack' was published a year ago, I suspect Tesla has made it far harder to guess a password anymore.

Second case is a theoretical case which requires access to the key FOB. If they can hack it (which might be possible) they can hack any cars that use a FOB (about 95% of the cars sold today). It's clear the Tesla is at least as secure as any other FOB accessed car.

Far easier to just carjack the owner's FOB and drive away. No technology hack necessary.

Haggy | 18 April, 2015

Yes, that's disturbing. The whole idea of the app working with the same password as the user's account for the website, and with no other authentication, is very poor.

I have apps for financial information as well as ones that can open my home door locks, and they all have an additional level of security by using a PIN. The advantage of that is that you can have a password that's complex and too hard to remember or guess, have the phone remember it, and then use a PIN that's easy to remember. Assuming you have the added security of physical control of your phone, another level of security for the phone itself such as a fingerprint scan or pattern, and then need something beyond that to use the app, it's better than having a simple password that's easy enough to remember that can also be used on the web or elsewhere.

Also, the phone/tablet isn't tied to the vehicle. With the system for my home, when the app is first installed, it needs a keycode. That keycode is created by me once for each app that gets installed, and is done at the time the app is installed. Somebody who downloads the app can guess codes from today until eternity and it won't do any good. With my door locks in the house, I need to physically press buttons on the wireless bridge and on the locks to tie them together. It's not something a person could change using the keypad on my locks.

On top of all that, I use a password manager so when I do need to use the online system, I can have a complex password and no need to remember it. (That won't work if I need to know it for the app.) The PW manager can have its own password of 20 or more characters that are hard or impossible to guess. If the password for my Tesla account were independent of the web credentials, things would be much better.

Beyond that, it should limit how many tries per minute a user can try for the website. I also use an email address that isn't used for any other purpose, and nobody outside of Tesla would know about it. They could also limit logging onto the website to known computers and ask security questions if it's not a known computer.

As for the fob itself, there's always the option of not carrying one and using the app alone.

NKYTA | 18 April, 2015

+1 Haggy for password vaults like 1Password. Create a different 20 char/digit string for individual logins for each different site - user has to remember one single, hard to guess password. I hadn't used these prior to about four years ago, but the are invaluable.

Stiction | 18 April, 2015

FWIF, We've all be taught the wrong way to come up with passwords.

The best way is to make up special sentences and then take the first letter (or last letter) of each word for your password.

Such gems as follows are easy to remember as sentences, and generate sequences
that are pretty darn random.

Every Good Boy Deserves Fudge (EGBDF)
Oh Be A Fine Girl, Kiss Me (OBAFGKM)
I Like Apples Cooked In Turpentine (ILACIT)

Obviously now you can't use these particular phrases ;)

PS: If you understand the references to all of these it means you probably like music, astronomy and mathematics.

NKYTA | 18 April, 2015

@Stiction, the best way is to come up with random passwords, that aren't acronyms, or your dogs name plus some letters, but incomprehensible blather, and have a password vault, that you own via one master password ( the only one you have to remember), and each "site" or VPN, or whatever, requires your hard to guess main password.

Some of the challenge comes when a site you want to login to, doesn't allow a long enough password, or doesn't allow special characters, or numbers. Be very wary of those sites.

If you want more than that for servers, you use highly encrypted keys, such that no one can get at it -- but a password vault solves many issues/problems. For servers, username/password is a thing of the past in the computer industry.

Stiction | 19 April, 2015

@NKYTA, I have seen co-workers that use vaults....I'm still a bit skeptical what happens if they crash /have a fire/get raided by the feds, etc.

I don't think the average Joe is going to bother with them.

2 factor auth can help a lot. (you get a text message when you log into a 'new' machine that has a key you type in in addition to the password) supports this but not many people even use that! I think it's pretty simple since you only do the 2-factor when it's been a while or if the machine is new. I love it.

I recommend to my non-techy friends that now that phones can do so much , NEVER EVER use
a computer that you don't own. No internet cafes. . If you must do so, only access very low priority accounts that have nothing in them you care about. (e.g. we have a trash and make sure that account does not share a password with any other account.

Ok, well enough of this...

fobguard | 19 May, 2015

You can solve this problem by putting your fob into a keyless entry faraday cage from Fob Guard. It's made of materials tested to Military Specification by independent laboratories and is light, small, flexible, and durable. Stick your keys in it at night and sleep easy!

ir | 20 May, 2015

If you're going to have to unwrap your fob to use it. Just disable auto-present and remote access, install 3rd party tracking.

Then you need to click the fob to make a stealable signal to unlock the doors and there is less Internet attack surface.

Or just have good insurance and enjoy the car.

Brian H | 20 May, 2015

Few or no Tesla thefts because chop shops have no market (yet).