For at least a decade, a car theft trick known as a “relay attack” has been the modern equivalent of hot-wiring: a cheap and relatively easy technique to steal hundreds of models of vehicles. A more recent upgrade to the radio protocol in cars' keyless entry systems known as ultra-wideband communications, rolled out to some high-end cars including the latest Tesla Model 3, has been heralded as the fix for that ubiquitous form of grand theft auto. But when one group of Chinese researchers actually checked whether it's still possible to perform relay attacks against the latest Tesla and a collection of other cars that support that next-gen radio protocol, they found that they're as stealable as ever.
In a video shared with WIRED, researchers at the Beijing-based automotive cybersecurity firm GoGoByte demonstrated that they could carry out a relay attack against the latest Tesla Model 3 despite its upgrade to an ultra-wideband keyless entry system, instantly unlocking it with less than a hundred dollars worth of radio equipment. Since the Tesla 3's keyless entry system also controls the car's immobilizer feature designed to prevent its theft, that means a radio hacker could start the car and drive it away in seconds—unless the driver has enabled Tesla's optional, off-by-default PIN-to-drive feature that requires the owner to enter a four-digit code before starting the car.
Jun Li, GoGoByte's founder and a longtime car-hacking researcher, says that his team's successful hack of the latest Model 3's keyless entry system means Tesla owners need to turn on that PIN safeguard despite any rumor that Tesla's radio upgrade would protect their vehicle. “It's a warning for the mass public: Simply having ultra-wideband enabled doesn't mean your vehicle won't be stolen,” Li says. “Using relay attacks, it's still just like the good old days for the thieves.”
Relay attacks work by tricking a car into detecting that an owner's key fob—or, in the case of many Tesla owners, their smartphone with an unlocking app installed—is near the car and that it should therefore unlock. Instead, a hacker's device near the car has, in fact, relayed the signal from the owner's real key, which might be dozens or hundreds of feet away. Thieves can cross that distance by placing one radio device near the real key and another next to the target car, relaying the signal from one device to the other.
Thieves have used the relay technique to, for instance, pick up the signal of a car key inside a house where the owner is sleeping and transmit it to a car in the driveway. Or, as GoGoByte researcher Yuqiao Yang describes, the trick could even be carried out by the person behind you in line at a café where your car is parked outside. “They may be holding a relay device, and then your car may just be driven away,” Yang says. “That's how fast it can happen, maybe just a couple seconds.” The attacks have become common enough that some car owners have taken to keeping their keys in Faraday bags that block radio signals—or in the freezer.
Security researchers have long recommended that carmakers prevent relay attacks by developing keyless entry systems that more precisely measure the timing between a key fob or phone sending a signal and the car receiving it. So when Tesla rolled out its ultra-wideband radio upgrade to its keyless entry system, Tesla owners had every reason to think that the new protocol represented that long-awaited security fix. Ultra-wideband is, after all, capable of far more precise range measurement—it's the radio protocol that makes possible the distance tracking in Apple's AirTags, for instance.
In 2020, Tesla even wrote in a filing to the US Federal Communications Commission that it would be implementing ultra-wideband in its keyless entry systems, and that the ability to far more precisely measure the distance of a key fob or smartphone from a car would—or at least could—prevent its vehicles from being stolen via relay attacks. “The distance estimate is based on a Time of Flight measurement, which is immune to relay attacks,” Tesla's filing read. That document, first turned up by the Verge, led to widespread reports and social media comments suggesting that the upcoming ultra-wideband version of Tesla's keyless entry system would spell the end of relay attacks against its vehicles.
Yet the GoGoByte researchers found they were able to carry out their relay attack against the latest Tesla Model 3 over Bluetooth, just as they had with earlier models, from a distance as far as 15 feet between their device and the owner's key or phone. While the cars do appear to use ultra-wideband communications, they don't apparently use them for a distance check to prevent keyless entry theft.
Tesla has not yet responded to WIRED's requests for comment.
When the GoGoByte researchers shared their findings with Tesla earlier this month, the company's product security team immediately responded in an email dispelling any rumor that ultra-wideband, or “UWB,” was even intended to prevent theft. “This behavior is expected, as we are currently working on improving the reliability of UWB,” read Tesla's email in response to GoGoByte's description of its relay attack. “UWB ranging will be enforced when reliability improvements are complete.”
That answer shouldn't necessarily come as a surprise, says Josep Rodriguez, a researcher for security firm IOActive who has previously demonstrated relay attacks against Tesla vehicles. Tesla never explicitly said it had started using the ultra-wideband feature for security, after all—instead, the company has touted ultra-wideband features like detecting that someone's phone is next to the trunk to open it hands-free—and using it as a security check may still produce too many false positives.
“My understanding is that it can take engineering teams time to find a sweet spot where relay attacks can be prevented but also not affect the user experience,” Rodriguez wrote in an email to WIRED. “I wasn’t expecting that the first implementation of UWB in vehicles would solve the relay attacks.”
Automakers' slow adoption of ultra-wideband security features isn't just limited to Tesla, the GoGoByte researchers note. They found that two other carmakers whose keys support ultra-wideband communications are also still vulnerable to relay attacks. In one case, the company hadn't even written any software to implement ultra-wideband communications in its cars' locking systems, despite upgrading to hardware that supports it. (The researchers aren't yet naming those other carmakers since they're still working through the vulnerability disclosure process with them.)
Despite Teslas' high price tag and continuing vulnerability to relay attacks, some studies have found that the cars are far less likely to be stolen than other cars due to their default GPS tracking—though some car theft rings have targeted them anyway using relay attacks to sell the vehicles for parts.
GoGoByte notes that Tesla, unlike many other carmakers, does have the ability to push out over-the-air updates to its cars and might still use that feature to implement a relay attack fix via ultra-wideband communications. Until then, though, the GoGoByte researchers say they want Tesla owners to understand they're far from immune. “I think Tesla will be able to fix this because they have the hardware in place,” says Li. “But I think the public should be notified of this issue before they release the secure version.”
Until then, in other words, keep your Tesla's PIN-to-drive protection in place. Better that than keeping your keys and smartphone in the freezer—or waking up to find a vacant driveway and your car sold for parts.
