KeyFob security in the face of Relay box attack?


So, I was wondering about this the other day - what prevents the relay box attack on a Tesla keyfob?

Well, one thing would be getting into the car and starting it. But how far can you drive without the keyfob (or cell phone)?

Could you get into settings on the car itself to disable the need for the keyfob to drive it?

Once you get in and start the car using a relay box attack, is that enough to basically take the car?

It is for this Mercedes - you will notice that they had to use the relay box again to use the push-to-start but once it was started there was no more need for the relay box. Is that also true for the Tesla cars?

Michael Sinz | 27/11/2017

The real problem is that while the signal is supposed to be short distance and there is a proper challenge/response process, it does not validate that the signal distance and response time match (or are within constraints).

If the proximity is validated not just in that it can get the signal but that the response is within the signal distance parameters then it would be possible to minimize (or completely defeat) the relay boxes.
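The timing check described in the post above, as an added simulation that is not part of the original thread and is not Tesla's code. The function names, the fixed fob turnaround time, the accepted range and the timing tolerance are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

SPEED_OF_LIGHT_M_S = 299_792_458.0
FOB_PROCESSING_S = 1e-6   # assumed: fixed, known fob turnaround time
MAX_DISTANCE_M = 2.0      # assumed: range the car accepts for passive entry
TIMING_SLACK_S = 5e-9     # assumed: measurement tolerance


def fob_respond(key: bytes, challenge: bytes) -> bytes:
    """Fob side: prove knowledge of the shared key."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def simulated_exchange(key, challenge, distance_m, relay_delay_s=0.0):
    """Return (response, round-trip seconds) for a fob distance_m away."""
    # relay_delay_s models latency added by any forwarding hop in between;
    # the response bytes are the same whether or not the signal was forwarded.
    rtt = 2 * distance_m / SPEED_OF_LIGHT_M_S + FOB_PROCESSING_S + relay_delay_s
    return fob_respond(key, challenge), rtt


def car_accepts(key, challenge, response, rtt_s, enforce_timing):
    """Car side: always verify the MAC; optionally bound the round trip."""
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, response):
        return False
    if not enforce_timing:
        return True  # plain challenge/response: distance is never checked
    limit = (2 * MAX_DISTANCE_M / SPEED_OF_LIGHT_M_S
             + FOB_PROCESSING_S + TIMING_SLACK_S)
    return rtt_s <= limit


def demo():
    key, challenge = os.urandom(16), os.urandom(16)
    near = simulated_exchange(key, challenge, distance_m=1.0)
    far = simulated_exchange(key, challenge, distance_m=30.0, relay_delay_s=2e-6)
    return {
        "near_no_timing": car_accepts(key, challenge, *near, enforce_timing=False),
        "far_no_timing": car_accepts(key, challenge, *far, enforce_timing=False),
        "near_timing": car_accepts(key, challenge, *near, enforce_timing=True),
        "far_timing": car_accepts(key, challenge, *far, enforce_timing=True),
    }
```

The 2 m allowance here is only about 13 ns of round-trip time, so the check is only as good as the car's ability to measure at that resolution and the fob's turnaround time being predictable.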

Victorg-90D | 27/11/2017

Here is more discussion on this:

Also note that Tesla added a Passive Entry option recently, which improves the car's security.

bill | 28/11/2017

Don't forget that the Tesla AP tells you where the car is. So anyone stealing a Tesla needs to be able to disable that, not sure if that is even possible, or quickly strip the car and leave the carcass before you know it is gone and have the police on the scene.

A nice feature would be to have the car text you every time it leaves a parked location via text. That would cut down the window between the car being stolen and you taking action. Maybe even a reply to text that triggers an automatic notification to the closest police dispatch.

ulrichard | 29/11/2017

On the other hand, I was shocked last week when I discovered how easy it is to change the password on my Tesla account. All a thief has to do is social engineer somebody at your email provider, click the reset password button on the Tesla website. And voila, the account is taken over, and somebody else has app access to the car.
It would be so easy to improve the security by just encrypting the password reset email, or use FIDO U2FA on the website and app.

jordanrichard | 29/11/2017

bill, there is a way to turn off Mobile Access, but I won't mention it here. With that said, if one has their car in Valet mode, they cannot turn off the Mobile Access. Of course to use Valet mode each and every time one leaves their car means having to enter a PIN # to drive their car in normal mode.

| 29/11/2017

Then again, Tesla is one of the least stolen production cars in the USA (can't say for Europe/Asia). Really isn't something I worry about, especially since I have insurance.

@ulrichard - I don't think it's all that easy as you make out to "social engineer" having someone give out your password to your email account. If it's that easy, people would be breaking into bank accounts, Amazon and many other sites. Then again, I am my own email provider :) Just depends on how much trust you have for that "free" email account. In my book, you get what you pay for - and free may mean poor security for all your activities.

bill | 29/11/2017

@jordanrichard "there is a way to turn off Mobile Access"

So that should require a different password so you would need to know that too.


I do not know why more sites do not require a text to change your password. Also why they do not send an email to the old email address when you change email addresses so you know someone breached the site with your credentials.

Cyber security is an area that I do not understand why there has not been more progress in making it more secure and easier on the end user. How many people out there really have a different password for every site they access? And since you have to change it whenever you forget it that makes things even harder.

Lotus Notes, for those of you old enough to remember that was a very secure system because it required that you had a file with your private and public key to access anything. In addition the file had a password as well so you needed both the file and the password in order to gain access. Why are we not using that?

Why doesn't every cell phone have a unique ID that is checked when you log in? When you change phones a rigorous protocol could be employed to make it impossible to impersonate someone else.

We are finally seeing SSO (Single Sign on) on the internet so you can set up web sites to allow you to log in using your Facebook account.

Another pet peeve of mine is why can't we combine all our Credit Cards, Bank Cards, Loyalty Cards into one card where we do not have to have a briefcase to carry our cards around!

Sorry I will step off my soap box now.

Solarfan | 29/11/2017

+1 @ulrichard | November 29, 2017,

It would be so easy to improve the security by just encrypting the password reset email, or use FIDO U2FA on the website and app.
Great idea!

I appreciate it when folks like you identify a potential problem AND a cost-effective means to avoid that problem.

Thank you.

NKYTA | 29/11/2017

@bill, in this day and age you should be using a password vault like 1Password or LastPass. They are very easy to use. A little harder across devices, but they are getting there.

I need to know just one master password, which is a good thing as many of the others are 19 digits, letters and symbols, so would be impossible.

rxlawdude | 29/11/2017

@NKYTA, and you pray to God that your 1Password or LastPass file stored locally isn't on a drive that dies.

NKYTA | 29/11/2017

@rxlaw, my master password is in my head, and it is long and complicated and changes over time. If my disk died, sure I’d lose the emergency kit to get back in, but that is why we have multiple admins. All is encrypted at rest locally, encrypted in transit to the cloud, and encrypted there, such that even 1Pass folks can’t read it.

If they didn’t do that, they wouldn’t have my business, nor much other business.

The alternatives are much more dire, IMO.

mscott | 29/11/2017

+1 for 1Password. +42 for having good backup.

Losing my 1Password database, while definitely painful, wouldn't be nearly as painful as losing, say, 500GB/30 years of family photos. I can reset all those stupid passwords—I couldn't get most of those photos back. Drives die, computers get stolen—if it's important you should have backup.

And sorry, but I'm not all that interested in having yet another piece of hardware that I have to keep track of for U2F. The chances of somebody social engineering access to my email account to steal my car just don't interest me that much. That would have to be a highly targeted attack against *ME* and I'm just not that interesting. Worry about Experian, Yahoo, Target, etc. and don't reuse your passwords so that when they do get your Experian data and see a loan for your Tesla, they don't also conveniently have a password to login to that Tesla account. Hence, 1Password.

rxlawdude | 29/11/2017

Oh, absolutely don't use the same password on multiple sites. Almost all of my Health Information Technology students this semester admitted they use the same passwords for multiple sites. I think I scared the bejesus out of them so hopefully they will change their mindset, and certainly before they get to play with the back end of EMRs!!!

I'm still leery of any third party holding my entire keyring of passwords. That's just me. I have a method that involves remembering something arcane (e.g., a license plate of a car owned in 1970) plus site-specific information (e.g., the first two vowels of the company that owns the site). Even with this, I have to have special rules where punctuation characters are required, and frankly, I keep a cheat sheet in the cloud. But no way anyone would be able to actually use it unless they know the stuff that's solely in my head. :-)

PBEndo | 29/11/2017

If the third party only holds the encrypted keyring and they don't have the ability to decrypt or even know what the file is, you should be safe.

For example, use KeePass, with the encrypted password list stored in a local folder with cloud storage - Dropbox, Google Drive, etc.

Then your only significant vulnerability is on the machine you are using when you decrypt your password list for use. If that device is compromised, you are potentially exposed, but that affects all password storage methods. Adding two-factor authentication addresses that concern.

PBEndo | 29/11/2017

Installing BTSync on multiple computers is another way to store the encrypted password offsite without it being in third party hands. This requires multiple machines/locations.

dborn | 30/11/2017

Biometric? Seems to work well with the iPhone X. Could also have password override.

NKYTA | 30/11/2017

PBE +2 for MFA ;-)

ulrichard | 26/01/2018

I deactivated app access in the car. The account security is just not appropriate for the value of a car it secures.

ulrichard | 30/04/2019

Did anybody have their key fobs replaced yet with the newer ones with better encryption?
I ordered a set of new ones last December, but the guy from the SC told me they can still not get them.

mggurley | 30/04/2019

Yes. Bellevue, WA, service center provided the new 40-bit fobs last December for $150 each.