The thought of someone breaking into your Tesla may fill you with dread, but did you know that even with all of its bells and whistles, a determined crook can compromise your car’s security? You may be surprised to know that for about $20, thieves can make a relay attack device that enables them to unlock and drive off with your Tesla in no time at all, assuming they have the technical skills to pull it off.
The YouTube channel Donut Media demonstrated this vulnerability with the help of Sultan Qasim Khan, a cybersecurity researcher from the Manchester-based security firm NCC Group. In the video, we see the team put together a seemingly simple and very inexpensive two-part gadget that makes it possible for one person near a Tesla to unlock the vehicle and drive it away. How is this possible? It involves Bluetooth and tricking the car into believing its driver is nearby.
Tricking a Tesla into unlocking its doors
Some newer cars like the Model Y and Model 3 feature a passive keyless entry system, which utilizes a special key fob or smartphone and Bluetooth to determine when the driver (or, more specifically, the key) is nearby. The proximity triggers the vehicle to unlock its doors and also makes it possible to start and operate the vehicle. This is a very convenient system, but apparently one that can be exploited by thieves who are determined enough to steal the car.
Khan published a technical advisory in May 2022 detailing this vulnerability. The testing environment for the relay attack device was similar to a real-world scenario: the iPhone running the Tesla app was located on the top floor of a residence about 82 feet from the Model 3. One part of the attack device was located about 23 feet from the iPhone, picking up its signal and relaying it to the second device, which was around 10 feet away from the Tesla. Despite the distance between the phone and the car, Khan explained in the advisory that the team was able to unlock the EV and turn it on.
In a statement to Bloomberg, Khan said that he had disclosed his findings to Tesla, which reportedly doesn’t think the issue is “a significant risk,” though it did allegedly acknowledge that “relay attacks are a known limitation of the passive entry system.” He told Bloomberg that to fix the vulnerability, Tesla would have to make changes to both the keyless entry system and the vehicle hardware. Although the experiments were performed on the Tesla Model 3, Khan says he expected similar results on Model Y cars. He also noted that these attacks were not limited to Tesla cars, either — any vehicle that uses a similar system is reportedly susceptible to attacks by these relay devices.