This week’s newsletter is a stunner for stealing passwords and much more… At first I was tempted to do a series of New Topic posts but instead subscribe if you want more.
Radio relay attacks are technically complicated to execute, but conceptually easy to understand: attackers simply extend the range of your existing key using what is essentially a high-tech walkie-talkie. One thief stands near you while you’re in the grocery store, intercepting your key’s transmitted signal with a radio transceiver. Another stands near your car, with another transceiver, taking the signal from their friend and passing it on to the car. Since the car and the key can now talk, through the thieves’ range extenders, the car has no reason to suspect the key isn’t inside – and fires right up.
But Tesla’s credit card keys, like many digital keys stored in cell phones, don’t work via radio. Instead, they rely on a different protocol called Near Field Communication (NFC). Those keys had previously been seen as more secure, since their range is so limited and their handshakes with cars are more complex.
Now, researchers seem to have cracked the code. By reverse-engineering the communications between a Tesla Model Y and its credit card key, they were able to properly execute a range-extending relay attack against the crossover. While this specific use case focuses on Tesla, it’s a proof of concept – NFC handshakes can, and eventually will, be reverse-engineered.
This is interesting from a technical point of view and good to know.
But first, the attacker would need to put one “walkie talkie” within an inch* or so of where the owner has the NFC key card. FYI to attackers: the key card doesn’t work when in a stack of credit cards, such as in a wallet in a pocket.
Once you unlock the car you have just ~20 (?) seconds to put the car in drive, otherwise you need to re-authenticate in a new location within the car on the center console. Or if you put the car in park you have to re-authenticate to drive it again. Not so simple to avoid needing to do this since the car puts itself into park automatically when you are stopped and open the door or unbuckle the seat belt, or when a driver is not in the seat, etc.
This isn’t minimizing the fact that a hack is possible, but it doesn’t give the thief full access to drive the car indefinitely like the key fob hack in other cars.
The real thing that minimizes the usability of this hack is that most Tesla owners use their phones as the car key using Bluetooth. Maybe it is possible to hack the Bluetooth authentication but I’ve not heard of that.
*the official NFC range is 4 cm
[edit: I just tried using my key card and it didn’t work from 4 cm away. I had to get about 1 cm from the hot spot on the car door pillar for it to work. Maybe this is based on where Tesla mounted the sensor or how much power they drive it with. Maybe the hacker tool could overpower a sensor and get it to read from further than 4 cm???]
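The relay described above works because the car only checks that the key card’s cryptographic answer is correct, not how long that answer took to arrive. The Python model below is added here as an illustration; it is not code from this post, from the article it quotes, or from Tesla. It uses a constructed challenge-response (an HMAC over a random challenge with a made-up shared secret) to show that a relayed exchange passes the cryptographic check exactly as a direct one does, and it adds the check a practitioner would want alongside it: a round-trip-time bound (distance bounding) that rejects the relayed session because the extra hops add delay. All class names, the shared key and every latency figure are assumptions made up for the model, not measurements.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Constructed shared secret for the model. A real card and car would hold a
# provisioned per-card key; this is not a real Tesla value.
SHARED_KEY = b"constructed-demo-secret-not-a-real-key"


def key_card_response(challenge: bytes) -> bytes:
    """The key card's half of the handshake: a MAC over the car's challenge."""
    return hmac.new(SHARED_KEY, challenge, hashlib.sha256).digest()


@dataclass
class DirectChannel:
    """Card held at the door pillar. latency_us is a modeled round trip."""
    latency_us: float = 30.0

    def exchange(self, challenge: bytes) -> tuple[bytes, float]:
        return key_card_response(challenge), self.latency_us


@dataclass
class RelayChannel:
    """Two transceivers forwarding frames between the car and a distant card.
    The relay cannot forge the MAC, so it passes the challenge to the real
    card and the answer back; each hop adds modeled delay in both directions."""
    hop_delay_us: float = 2500.0
    card_latency_us: float = 30.0

    def exchange(self, challenge: bytes) -> tuple[bytes, float]:
        # car -> relay -> card for the challenge, card -> relay -> car for the answer
        total_us = self.card_latency_us + 2 * self.hop_delay_us
        return key_card_response(challenge), total_us


@dataclass
class NoKeyChannel:
    """Someone with no card at all can only guess the response."""
    latency_us: float = 30.0

    def exchange(self, challenge: bytes) -> tuple[bytes, float]:
        return secrets.token_bytes(32), self.latency_us


@dataclass
class AuthResult:
    crypto_ok: bool
    timing_ok: bool
    rtt_us: float

    @property
    def unlocked(self) -> bool:
        return self.crypto_ok and self.timing_ok


class Car:
    """Verifier. max_rtt_us is the distance-bounding limit: an answer that
    arrives later than a card touching the reader could physically reply is
    treated as relayed even when the MAC is correct (modeled value)."""

    def __init__(self, max_rtt_us: float = 500.0):
        self.max_rtt_us = max_rtt_us

    def authenticate(self, channel) -> AuthResult:
        challenge = secrets.token_bytes(16)  # fresh per attempt, so replay is useless
        response, rtt_us = channel.exchange(challenge)
        expected = hmac.new(SHARED_KEY, challenge, hashlib.sha256).digest()
        crypto_ok = hmac.compare_digest(response, expected)
        return AuthResult(crypto_ok, rtt_us <= self.max_rtt_us, rtt_us)


def run_demo() -> dict:
    """Run the three channels against the same car and return the verdicts."""
    car = Car()
    return {
        "direct": car.authenticate(DirectChannel()),
        "relay": car.authenticate(RelayChannel()),
        "no_key": car.authenticate(NoKeyChannel()),
    }


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(f"{name:7s} crypto_ok={r.crypto_ok} timing_ok={r.timing_ok} "
              f"rtt={r.rtt_us:.0f}us unlocked={r.unlocked}")
```

Running it shows the point of the post in miniature: the relayed session has `crypto_ok=True`, so a more complex handshake alone cannot tell it from the real card, and only the timing bound separates the two. The specific delay and limit values are invented for the model; whether a given reader enforces any round-trip bound is a property of that reader, and nothing here says Tesla’s does.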