Key Fob hacking


I saw a news blurb about people using a device to record Key Fob signals. They hang out in parking lots and receive signals and then use the signal to unlock and start cars.
Are Tesla Key Fobs any different from the rest of the manufacturers?
Does using the automatic lock on walk away feature prevent the "sniffing"?

chris | January 25, 2017

My buddy here in LA is one of the guys that pioneered that hack. He is consulting with a number of car companies to solve it. He's got an even slicker version that sticks as a magnet under your car. It blocks RF and intercepts your first press of the fob. Those things mainly use rolling sequential codes... but since the RF is blocked, the code isn't used. Instead it's memorized.

Of course the unsuspecting owner says wtf and presses the fob a second time thinking bat low or w/e. This press is also intercepted and jammed and recorded. Deftly, his device then replays the original jammed code to the car. Since the car never received either code, the original press is the correct next in sequence.
So yah, your baby opens up on that second press. You shrug, maybe fart, and get in and smell the leather for maybe the last time....

Cuz meanwhile that device now has your next code. And it's sequentially correct for the next open. That baby of yours, cough ex baby, is gonna open like a hot clam on a summer beach for another man real soon. Yah I said hot clam.

And I dunno if Tesla is susceptible. Or I shouldn't say more if I do. :)

Dec 30 2014
Black p85dl
Suicide windows
Plastic wrap
5k miles
Loved every one of them and this forum! | January 26, 2017

That sounds challenging. I don't know how you can jam a signal and record it at the same time. Magnets don't stick to most parts of Tesla cars, but they could use adhesive and simply record the signal sent by the fob key.

Years ago garage door openers were the target of thieves. That's why rolling codes began to be used.

"A rolling code (or sometimes called a hopping code) is used in keyless entry systems to prevent replay attacks, where an eavesdropper records the transmission and replays it at a later time to cause the receiver to 'unlock'. Such systems are typical in garage door openers and keyless car entry systems."

drklain | January 26, 2017


@Chris, not questioning your buddy's story, but it doesn't make sense to me. What you are suggesting is that
- driver presses fob sending what I'll call code #1.
- recorder receives signal and records it but also somehow prevents the car from receiving the signal so it doesn't unlock (how this RF blockage from one place but not from another is accomplished by a device on a magnet under the car in question defies the laws of RF propagation, but ok).
- driver presses fob sending what I'll call code #2
- recorder receives signal and records code #2 while preventing car from receiving it as before....then it transmits code #1 unlocking the car

At this point, according to this logic, the thief can steal the car next because he has code number 2 captured to retransmit. But by this logic, the fob won't work because it has code #3 set to transmit which is not in sequence with what the car is expecting, so presumably the FOB will no longer work?

I'm not an expert in rolling code encryption used in car fobs or garage door openers but I have spent a lot of my professional life working with type 1 and 2 encryption, so I have some familiarity.

It would seem to me that your scenario presupposes that every time a key is pressed the code changes and that capturing an "unreceived press" allows access. Yet people press their car fob keys all the time when not in range of the car (like when trying to get it to beep to locate it). This does not result in the fob getting "out of step" with the car and being unable to unlock the car.

I'm not saying your friend's story is BS, but I think there are pieces to the puzzle we are missing....

UnshodBob | January 26, 2017

My understanding is that the car and the fob exchange a set of messages back and forth in a few milliseconds to create a "handshake" that enables access. That process must proceed in order from start to finish to be successful. You can't just toss out a code and get into the car. (This is my impression, I'm not privy to all the details.)

tykayn | January 26, 2017

I expect modern key fobs to work like SSH key pairs.
Fob and car both have a public and a private key, which they use each time with a different sequence to talk. Any message is encrypted and only readable by whoever has the good public and private key. So any sniffing of what is transmitted is useless.

Rocky_H | January 26, 2017

@drklain, Yes, I was thinking of that too. You might press the key fob 5 or 10 times while far out of range of the car, but it still works fine when you get back near the car and press it. Something seems off about that explanation of the functionality.
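The sequence chris described above, and the out-of-range presses drklain and Rocky_H ask about, can be run through a small simulation. This is an added example, not code from the thread or from any manufacturer: it models a rolling-code receiver that keeps the last accepted counter and accepts any unused counter within a fixed look-ahead window (the window size is an assumption; real receivers such as KeeLoq-based ones encrypt the counter rather than sending it with a MAC tag, but the acceptance logic is what matters here). The jamming itself is simply taken as given, as in the story; only the counter bookkeeping is simulated.

```python
import hmac
import hashlib

# Added simulation (not from the thread). The "code" is a counter plus an HMAC tag
# under a key shared by fob and car: unforgeable without the key, but a captured
# code can be replayed. Real systems encrypt the counter instead; the window logic
# below is the part that matters here.
PAIRING_KEY = b"constructed-pairing-key"   # assumption: set when the fob is paired
OPEN_WINDOW = 16                           # assumption: typical single-press window


def make_code(counter: int) -> bytes:
    ctr = counter.to_bytes(4, "big")
    tag = hmac.new(PAIRING_KEY, ctr, hashlib.sha256).digest()[:8]
    return ctr + tag


class Fob:
    def __init__(self) -> None:
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1          # every press advances the counter, heard or not
        return make_code(self.counter)


class Car:
    def __init__(self) -> None:
        self.last_accepted = 0

    def receive(self, code: bytes) -> bool:
        ctr, tag = code[:4], code[4:]
        expected = hmac.new(PAIRING_KEY, ctr, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False                       # forged or corrupted
        counter = int.from_bytes(ctr, "big")
        if counter <= self.last_accepted:
            return False                       # already used or older: replay rejected
        if counter > self.last_accepted + OPEN_WINDOW:
            return False                       # too far ahead: fob out of sync
        self.last_accepted = counter           # accepted; this and everything below is now dead
        return True


class JamAndCapture:
    """Stands in for the device: the car is assumed jammed for every press the
    device sees, so it stores the code and decides what the car eventually hears."""

    def __init__(self, car: Car) -> None:
        self.car = car
        self.captured = []

    def intercept(self, code: bytes) -> None:
        self.captured.append(code)             # car hears only noise for this press

    def replay(self, index: int) -> bool:
        return self.car.receive(self.captured[index])


def out_of_range_presses_do_not_desync(presses_away: int) -> bool:
    """Press the fob `presses_away` times where the car cannot hear it, then once in range."""
    fob, car = Fob(), Car()
    for _ in range(presses_away):
        fob.press()
    return car.receive(fob.press())


def jam_and_replay() -> dict:
    fob, car = Fob(), Car()
    dev = JamAndCapture(car)
    dev.intercept(fob.press())                 # press 1: jammed and stored
    dev.intercept(fob.press())                 # press 2: jammed and stored
    result = {}
    result["owner_unlocks_on_second_press"] = dev.replay(0)   # device forwards code 1
    result["thief_unlocks_later"] = dev.replay(1)             # code 2 is still unused and in window
    result["code1_again"] = dev.replay(0)                     # code 1 is now dead
    result["owner_next_press"] = car.receive(fob.press())     # code 3, owner unaffected
    return result
```

The window is what reconciles the two observations: a handful of presses out of range leave the fob a few counts ahead, still inside the window, so the next in-range press works; and the captured second code is ahead of what the car last accepted, so it is accepted whenever it is replayed, right up until the owner's own next press consumes it. Only a press count beyond the window (here 16) is rejected, and real receivers typically add a larger resynchronisation window that requires two consecutive codes before the fob is trusted again.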

S75RedRidingHood | January 26, 2017

Tesla key FOB is a live device, unlike the garage door opener. It constantly sends a heartbeat so the Tesla will know if there is a FOB in the car or not. Have you noticed even when you could get into the car without the FOB, you cannot start the car?
@chris, that story is just a fantasy :)

freeewilly | January 26, 2017

How about Bluetooth key fobs??

croman | January 26, 2017

There is a type of man in the middle attack (not quite but similar) that has been discussed but it is not what is described above. The point is that thieves are pioneering new attempts at stealing but Teslas are very hard and almost useless to steal due to the fact Tesla can pinpoint them.

| January 26, 2017

@UnshodBob is correct - a handshake is required. Most older car fobs, and perhaps newer ones too from major car companies, are a one-way process and are more susceptible to hacks than Tesla's fobs.

@georgehawley and @drklain - I agree 100% - you can't block RF signals and record them at the same time the way it is described.

For non-Tesla cars without a handshake design, perhaps you could install a large grounded metal plate over the antenna area with a reception antenna facing outwards. Aside from seeing a large metal plate attached to the car with wires hanging out of it, my guess is it will be hard to fully shield the reception antenna. That also assumes you know where the antenna is.

The Tesla has 7 fob antennas - with one in the center console. You'd have to wrap the car in metal to stop the signals - which of course would prevent the handshake from working!

kevin | January 26, 2017

OP: Fake News.

Here is the original technical article about fob hacking with an explanation of how rolling codes work.

kevin | January 26, 2017

Sorry.... PLS ignore "Fake News" comment.

What Chris describes is in the technical paper I linked above and was described as early as 2009.

UnshodBob | January 27, 2017

@kevin - thanks for that link. "The best laid plans of mice and men..." I hope the Tesla key-recognition scheme is more secure. It seems the criminal tech level is increasing faster than might be expected.

kevin | January 27, 2017

If you have two-way communication, then the problem is quite simple using an asymmetric public key cryptosystem. The car is informed of the keyfob's public key when they are paired. The car then broadcasts a random challenge encrypted with the keyfob's public key. The fob can decrypt it and give a derivative response encrypted with its private key. The car can read the response and know it's the right fob because it is correctly encrypted.

Fob: "I'm a Tesla fob." (encrypted with Fob's private key)
[Car tries to decrypt message using all public keys in its authorized list. Continues if it finds one]
Car: "Here is a GUID: 0AFB0C6C-A0EC-4552-A9C7-CBFC014FBE92 can you read it?", encrypted with Fob 1's public key
Fob: "Roger on 0AFB0C6C-A0EC-4552-A9C7-CBFC014FBE92, and please unlock the door" encrypted with Fob 1's private key
[Car decrypts message with Fob public key, verifies the random string is what was sent, then unlocks the door]

redacted | January 26, 2018

@kevin so this would prevent replays, but would not prevent relaying the signal, in which case no decryption would be needed. You'd need a radio near the fob and near the car and let them talk. Since the Tesla fob doesn't require any manual work to unlock the car or mark it as occupied by the fob, it could be done. Although the owner is not likely to be magnetic.

Of course, if the fob signal was lost while driving, you'd get the "key not in car" message.
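The challenge-response exchange kevin sketched, and the relay that redacted points out it does not stop, as an added example that is not part of the thread or of any vehicle's real protocol. kevin's version uses public-key operations; this one keeps the same structure (random challenge from the car, answer from the fob bound to that challenge) but authenticates the answer with HMAC-SHA256 over a key shared at pairing, so it runs on the Python standard library alone. The identification step ("I'm a Tesla fob", car searches its list of keys) is omitted; the key and message labels are assumptions.

```python
import hmac
import hashlib
import secrets

# Added example (not from the thread). Same challenge/response shape as kevin's
# sketch, with HMAC-SHA256 over a pairing key in place of public-key operations.
PAIRING_KEY = b"constructed-pairing-secret"   # assumption: installed when the fob is paired


class Fob:
    def __init__(self, key: bytes) -> None:
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        # "Roger on <challenge>, and please unlock the door", authenticated with the key
        return hmac.new(self.key, b"unlock|" + challenge, hashlib.sha256).digest()


class Car:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.pending = None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)   # fresh random nonce per attempt
        return self.pending

    def verify(self, response: bytes) -> bool:
        if self.pending is None:
            return False
        expected = hmac.new(self.key, b"unlock|" + self.pending, hashlib.sha256).digest()
        self.pending = None                      # each challenge is answered at most once
        return hmac.compare_digest(response, expected)


def honest_unlock() -> bool:
    car, fob = Car(PAIRING_KEY), Fob(PAIRING_KEY)
    return car.verify(fob.respond(car.challenge()))


def replay_attack() -> bool:
    """Attacker records a full legitimate exchange, then replays the response later."""
    car, fob = Car(PAIRING_KEY), Fob(PAIRING_KEY)
    recorded_response = fob.respond(car.challenge())
    car.verify(recorded_response)                # the legitimate unlock
    car.challenge()                              # next attempt gets a new random challenge
    return car.verify(recorded_response)         # old answer no longer matches


def relay_attack() -> bool:
    """Two radios: one next to the car, one next to the fob (say, in the owner's pocket).
    Nothing is decrypted or forged; the bytes are just carried farther than the fob's range."""
    car, fob = Car(PAIRING_KEY), Fob(PAIRING_KEY)
    heard_at_car = car.challenge()               # radio A picks up the challenge
    forwarded_to_fob = heard_at_car              # sent over the attackers' link to radio B
    fob_answer = fob.respond(forwarded_to_fob)   # the real fob answers as it always does
    forwarded_to_car = fob_answer                # carried back to radio A
    return car.verify(forwarded_to_car)          # accepted: the fob never saw the car
```

The random challenge is why a recorded response is worthless the next time, and the relay is why that is not enough: the fob answers any well-formed challenge it hears, and the car has no way to tell a forwarded answer from a direct one. Closing that gap needs the response bound to distance (round-trip timing), not a stronger cipher, and a passive fob that answers without a button press, as redacted notes, is the easiest target.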