Relay Attack against Teslas

Nice work:

Radio relay attacks are technically complicated to execute, but conceptually easy to understand: attackers simply extend the range of your existing key using what is essentially a high-tech walkie-talkie. One thief stands near you while you’re in the grocery store, intercepting your key’s transmitted signal with a radio transceiver. Another stands near your car, with another transceiver, taking the signal from their friend and passing it on to the car. Since the car and the key can now talk, through the thieves’ range extenders, the car has no reason to suspect the key isn’t inside—and fires right up.

But Tesla’s credit card keys, like many digital keys stored in cell phones, don’t work via radio. Instead, they rely on a different protocol called Near Field Communication or NFC. Those keys had previously been seen as more secure, since their range is so limited and their handshakes with cars are more complex.

Now, researchers seem to have cracked the code. By reverse-engineering the communications between a Tesla Model Y and its credit card key, they were able to properly execute a range-extending relay attack against the crossover. While this specific use case focuses on Tesla, it’s a proof of concept—NFC handshakes can, and eventually will, be reverse-engineered.

Posted on September 15, 2022 at 10:28 AM • 21 Comments

Comments

Alan September 15, 2022 10:42 AM

“But Tesla’s credit card keys, like many digital keys stored in cell phones, don’t work via radio. Instead, they rely on a different protocol called Near Field Communication or NFC.”

NFC is radio. WTF.

jbmartin6 September 15, 2022 11:10 AM

Does the middle segment have to be an extended radio signal? Or could it be any sort of data connection such as a TCP/IP link? That would make it possible to open the car anywhere in the world.

John Tillotson September 15, 2022 11:28 AM

Sadly, security was never really addressed by any of the “short range” RF solutions, as it was (Hanlon’s razor) assumed that the “short range” would be a protection. Even though the capabilities of a Pringles can antenna were already well known when this stuff was invented.

The solution must come down to responsibility. If the manufacturer was held responsible for car thefts caused by bad design of the car security system, or deaths caused by the poor design of “self-driving” software, then the story would be different.

Where’s Ralph Nader when you need him?

John September 15, 2022 12:01 PM

Couldn’t you just keep the key in an RFID protective case? Could probably use the silver bag that you get with an EZ Pass. OTOH they could just go back to a plain old metal key and be done with it.

Nic Dade September 15, 2022 12:15 PM

The key fobs that have a motion sensing component and require movement to transmit reduce the vulnerable time window. Relay attacks then have to be carried out during movement, which makes them a bit harder too, since the antenna now needs to track the fob as it, for example, moves around the store. It’s a neat and simple improvement and I wish more fobs and virtual phone-based keys had it.

Anthony September 15, 2022 2:10 PM

@jbmartin6: one of the (potential) defenses against range-extension attacks is timing how long the key takes to respond. If that could be implemented well enough, then it would prevent the attack: extending the range delays the response because the speed of light is finite. Extending it 500 ft adds 1000ft of travel time and thus (even in a vacuum) 1us of delay.

Real world, possibly they made an implementation error, or just getting timing that precise in relatively cheap devices is hard. (And for useful range limits, it’s around 2 ns/ft).

But adding the Internet in the middle adds at least tens of milliseconds of delay (and lots of jitter). That’s so much larger that it’s a much easier attack to defeat.
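The relay described in the quoted article and in @jbmartin6’s question, together with the round-trip-time defence @Anthony sketches and the motion-gated fob @Nic Dade mentions, as one simulation. This is an added example, not code from the article, from Tesla, or from any commenter; the card protocol (HMAC-SHA256 over a 16-byte nonce), the 200 µs card processing time, the 1 µs and 30 ms relay latencies and the class names are all assumptions standing in for whatever the real card does. Time is modelled explicitly rather than read from a clock, so the numbers are exact.

```python
"""Relay attack vs. a timing-bounded challenge-response key (added simulation).

Assumed stand-in protocol, not Tesla's: the card MACs a nonce with HMAC-SHA256.
Time is modelled, not measured, so every number below is repeatable.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

C_M_PER_S = 299_792_458.0   # speed of light: turns a round-trip time into a distance bound
KEY_PROCESSING_S = 200e-6   # assumed fixed time the card needs to compute its response


class Key:
    """Card/fob: proves possession of `secret` by MACing the reader's nonce."""

    def __init__(self, secret: bytes, wake_window_s: Optional[float] = None):
        self.secret = secret
        self.wake_window_s = wake_window_s    # None = "open by default", always answers
        self.last_motion_s: Optional[float] = None

    def moved(self, now_s: float) -> None:
        self.last_motion_s = now_s            # motion sensor or button press

    def respond(self, challenge: bytes, now_s: float) -> Optional[bytes]:
        if self.wake_window_s is not None and (
            self.last_motion_s is None or now_s - self.last_motion_s > self.wake_window_s
        ):
            return None                       # asleep: nothing for a relay to forward
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()


class DirectChannel:
    """Genuine NFC coupling: RTT is two flight times plus the card's compute time."""

    def __init__(self, key: Key, distance_m: float):
        self.key, self.distance_m = key, distance_m

    def exchange(self, challenge: bytes, now_s: float) -> Tuple[Optional[bytes], float]:
        rtt_s = 2 * self.distance_m / C_M_PER_S + KEY_PROCESSING_S
        return self.key.respond(challenge, now_s), rtt_s


class RelayChannel:
    """Two attacker transceivers forwarding bytes unchanged, adding their link latency.
    Bytes are never altered, so the MAC always verifies; only the timing changes."""

    def __init__(self, inner, added_latency_s: float):
        self.inner, self.added_latency_s = inner, added_latency_s

    def exchange(self, challenge: bytes, now_s: float) -> Tuple[Optional[bytes], float]:
        response, rtt_s = self.inner.exchange(challenge, now_s)
        return response, rtt_s + self.added_latency_s


class Reader:
    """Car side. rtt_budget_s=None means MAC-only checking, which a relay defeats."""

    def __init__(self, secret: bytes, rtt_budget_s: Optional[float]):
        self.secret, self.rtt_budget_s = secret, rtt_budget_s

    def authenticate(self, channel, now_s: float = 0.0) -> dict:
        challenge = os.urandom(16)            # fresh nonce: defeats replay, not relay
        response, rtt_s = channel.exchange(challenge, now_s)
        result = {"ok": False, "rtt_s": rtt_s}
        if response is None:
            return {**result, "reason": "no response"}
        expected = hmac.new(self.secret, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):
            return {**result, "reason": "bad MAC"}
        # Whatever exceeds the card's compute time is flight time; halve it for one way.
        result["distance_bound_m"] = max(0.0, rtt_s - KEY_PROCESSING_S) * C_M_PER_S / 2
        if self.rtt_budget_s is not None and rtt_s > self.rtt_budget_s:
            return {**result, "reason": "too far"}
        return {**result, "ok": True, "reason": "accepted"}


def run_scenarios() -> dict:
    secret = os.urandom(32)
    key = Key(secret)
    nfc = DirectChannel(key, distance_m=0.05)                 # card 5 cm from the reader
    radio_relay = RelayChannel(nfc, added_latency_s=1e-6)     # ~150 m of extra path each way
    net_relay = RelayChannel(nfc, added_latency_s=30e-3)      # relay carried over the Internet

    naive = Reader(secret, rtt_budget_s=None)
    bounded = Reader(secret, rtt_budget_s=KEY_PROCESSING_S + 500e-9)  # ~75 m one-way bound

    sleepy = Key(secret, wake_window_s=30.0)                  # answers only within 30 s of motion
    sleepy_relay = RelayChannel(DirectChannel(sleepy, 0.05), 1e-6)
    sleepy.moved(now_s=100.0)

    return {
        "direct/naive": naive.authenticate(nfc),
        "direct/bounded": bounded.authenticate(nfc),
        "radio_relay/naive": naive.authenticate(radio_relay),      # the attack: accepted
        "radio_relay/bounded": bounded.authenticate(radio_relay),  # caught by timing
        "net_relay/bounded": bounded.authenticate(net_relay),
        "sleepy_idle/naive": naive.authenticate(sleepy_relay, now_s=500.0),  # fob asleep
        "sleepy_moved/naive": naive.authenticate(sleepy_relay, now_s=110.0), # inside window
    }


if __name__ == "__main__":
    for name, res in run_scenarios().items():
        bound = res.get("distance_bound_m")
        print(f"{name:22s} {res['reason']:12s} rtt={res['rtt_s'] * 1e6:10.4f} us"
              + (f"  bound<={bound:.3g} m" if bound is not None else ""))
```

The MAC-only reader accepts the relayed exchange because the relay never touches the bytes; only the round-trip time changes. The bounded reader catches the 1 µs radio relay only because the card’s compute time is modelled as exactly fixed; a real card’s processing jitter can easily exceed 1 µs, which is why a budget tight enough for a short radio relay is hard to build from cheap parts, while the tens of milliseconds of an Internet relay sit far outside any plausible budget. The motion-gated fob does not change the protocol at all; it just shrinks the window in which the relay has anything to forward.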

Bob Paddock September 15, 2022 3:27 PM

One of the applications being pushed by proponents of Ultra Wideband (UWB) is digital keys. Due to its abilities to measure distances down to centimeters.
The lock won’t function if it thinks you are too far away.

Sadly today’s “UWB” is really nothing like its late creator Larry Fullerton really envisioned. Once “UWB” has channels as currently implemented it is really nothing more than high bandwidth WiFi. Rather than a stealthy hard to detect communication channel.

Clive Robinson September 15, 2022 5:43 PM

@ Alan

Re : Near field is not far field.

“NFC is radio.”

Yes and no…

In the near field the E and B fields are aligned and the movement of charge causes “Displacement Currents” that use Capacitive or Magnetic coupling. Most NFC works like an old-fashioned transformer with a very poor magnetic coupling factor, and a field intensity that drops off at 1/(r^3).

Over the near field distance of around two wavelengths the E and H fields establish an orthogonal relationship and the power is from there propagated out by one field creating the other field and vice versa out to infinity, with the intensity dropping at 1/(r^2).

When the fields cross a conductor, slot, or dielectric, they induce charges to move, which create a current in a conductor, which has an impedance thus the current produces power in it (from I^2R and drops off at 1/(r^1)). If the conductor is a properly designed antenna then by the maximum power transfer theorem half the power in the antenna is delivered to the load impedance at its terminals, the other half gets re-radiated in all directions causing localised field distortions.

If you get the distortions in the right place they will act like a series of focused lenses and pull in more power by effectively increasing the antenna capture area in one direction.

So as you can see there are reasons why NFC is frequently considered differently by those that are not happy juggling “Maxwell’s Equations” (which you can work out from first principles if… You’ve a spare rainy afternoon with nothing better to do 😉

Clive Robinson September 16, 2022 12:32 AM

@ Anonymous, ALL,

Re : Near Field Communications Security.

“So what does this mean for my Yubikey 5C NFC?”

Is a too specific question.

You should be asking a more general question based on the fact that NFC is at a minimum two Shannon Communications Channels.

From a general security aspect NFC brings nothing special to the table. It was at one point argued that NFC “could” be designed such that by using phased sensors you could get a field that did not radiate information because the fields canceled out. Likewise that this “could” further limit range etc (look up the supposed physical security benefits of MIMO systems).

In practice this was known to be untrue, and was discussed on this blog between @Wael, @RobertT and others a decade or more ago.

So consider NFC like any Serial Communications bus from RS232 up through USB etc. All of the classes of vulnerabilities they had and have hold for NFC as well. But as well consider NFC like any “broadcast” system and all the classes of vulnerabilities they have had since World War One hold for NFC as well.

Thus any security comes not at the NFC “Physical Layer” but at much higher protocol levels which can be poorly thought out due to a fundamental issue with “engineering”.

Most engineers design with two goals in mind,

1, Robustness.
2, Efficiency.

Robustness has a habit of devolving into “ease of testability” thus “simplicity” which has a habit of meaning things like “transmitting plaintext” and “Always Responding to lower layer protocols” including when security protocols at higher layers like authentication etc have failed.

In part this is due to the design methodology brought about by not just “simplicity” but also “efficiency”. The major problem with chasing efficiency without a mind towards security is it allows,

1, Covert Side Channels.
2, High bandwidth.

Both of which can be an unmitigated security disaster in the making. Hence one of my pet sayings “Efficiency -v- Security”.

Whilst it is possible with knowledge and care to design “a secure system that is also efficient” it is generally not possible to “make an existing efficient system secure”.

As I point out “Security is a Quality System” and needs to be in place before a project starts, not “bolted on” as an afterthought.

Erik September 16, 2022 2:08 AM

About the exact attack range:

The eavesdropping range for NFC (or more specifically, ISO/IEC 14443, which is the RFID standard with which NFC is compatible) can be up to 9 meters, as shown by Engelhardt et al.

But that only allows replay attacks and not relay attacks. For these the attack range is much shorter: it has been shown to be possible at 50 centimeters by Habraken et al. But that is very much in a laboratory setting: the equipment needed is way too cumbersome for practical attacks.

Clive Robinson September 16, 2022 3:47 AM

@ ALL,

The links provided by @Erik above may not be available to you and things have moved on a bit in the decade since.

That said this “Open Paper” is fairly easy to read and will give you a more indepth background,

https://www.researchgate.net/publication/303696103_Far-Field_Testing_Method_of_Spurious_Emission_Produced_by_HF_RFID/fulltext/57db599408ae72d72ea38195/Far-Field-Testing-Method-of-Spurious-Emission-Produced-by-HF-RFID.pdf

The two points you need to remember are,

1, RFIDs are unpowered not passive.
2, RFIDs are powered by an inductively coupled HF excitation signal.

Due to trying to keep things simple, the RFID uses a “coil” that although of small size has sufficient area and inductance at 13.5MHz to recover and store power from the excitation signal. Unfortunately the power is recovered using a “Diode” that is a “Square Law Device”, the upshot of which is it converts the 13.5MHz sine wave into a near square wave that is rich in harmonics right up into the low microwave region of the EM/RF Spectrum. The “coil” becomes more effective as a radiator when the wavelength of the harmonic is related to the physical dimensions of the coil (look up “half wave loop antenna” for example).

Up in the high VHF and into UHF bands even a uW of power will radiate out very much more than the nominal 10cm range at the 13.5MHz fundamental that is inductively coupled. It’s possible to receive the radiated harmonics at a hundred times the distance of the inductively coupled “displacement currents”.

There are two limits on the range,

1, The background noise level
2, The modulation bandwidth

The greater either is the lower the range.

As I noted above the inductive / magnetic coupling drops off at 1/(r^3) but the radiated EM signal drops off at only 1/(r^2), whilst if the signal is conducted it only drops off by 1/(r^1).

Thus an appropriate length conductor “close coupled” to the reader could in theory carry the signal thirty meters (~100ft) in an RF quiet environment.

Gert-Jan September 16, 2022 6:17 AM

You don’t notice the actual radio communication. When used in NFC, you don’t feel, hear, see or smell it.

I assume the key is currently not alerting its owner when it’s communicating.

Of course it would be best if by default, the key is not available for communication, but only during the time the owner explicitly enables it. For example with a button on the key or by taking it out of a communication blocking container.

If that is not practical or too much of an inconvenience (you’d hope that customers would be given a choice), then some kind of alerting could be added. For example, the key could start buzzing or making a sound when communicating.

I’ve never understood the “open by default” mindset / design.

John Tillotson September 16, 2022 7:02 AM

@John

“Couldn’t you just keep the key in an RFID protective case?” Absolutely. That should be the absolute minimum security practice for anyone who has such a device to start their car: We all need to get into the habit of having a place to put our fobs where they are cut off from RF access: Buy a copper-lined box, or bag, or some other RF proof container and when we get home we absolutely MUST put our fobs in there.

This is a case where the carmakers are selling us something that is supposed to make our lives simpler, but because it’s insecure it really makes our lives more complicated and riskier.

@Gert-Jan

Excellent idea: The fob should not allow any traffic unless the owner physically does something with the device that cannot be done remotely, like shake/squeeze it, or push a button.

Bob Paddock September 16, 2022 12:31 PM

@Clive Robinson curious on your comments about this ‘Black Hole’ antenna. This is from a very old website of mine.

U.S. Patent #, 5,296,866 “Active Antenna” AKA NASA GSC-13449.

“A Broadband Active Antenna for ELF Magnetic Fields” by John F. Sutton and G. Craig Spaniol” in Physics Essays March 1993, Vol 6, #1, 1993.

Abstract: “A unique broadband ULF-ELF-magnetic antenna is described. Active circuitry is employed to introduce a negative impedance that combines with the wire resistance, the distributed winding capacitance, and the inductance of a physically small search coil to produce an antenna with a very small impedance. The result is increased search coil current and an enhanced dipole-plane wave field interaction, which greatly increases the effective area of the antenna, independent of frequency – a ‘black hole’ antenna.”

The conclusion of the paper reads:

“We began our work with the known plane-wave electromagnetic field-resonant dipole electromagnetic field interaction which can explain equally well the enhanced effective areas of photon-atom, photo-particle, and radio wave-tuned dipole interactions. We have extended this principle by showing theoretically and demonstrating experimentally that active circuitry can be used to introduce negative impedances into an antenna circuit to reduce this same interaction over a broad band of frequencies. The interaction has been applied to enhance the sensitivity of physically small untuned search coils, used in the study of the ionosphere via the Earth-ionosphere cavity resonances, nominally in the 1 Hz – 100 Hz range. The active antenna frequency response has been measured and confirmed to be free from resonances and uniform, +/- 2dB, over a nearly four decade range of frequencies from 3.5 Hz to 25 kHz.”

They cite C.F. Bohren and D.R. Huffman, “Absorption and Scattering of Light by Small Particles” (Wiley, 1983) saying it shows Poynting vector field diagrams of the field interactions. Ref #22 of the paper.

Sir A. Fleming “On Atoms of Action, Electricity, and Light” in “The London, Edinburgh, and Dublin Philosophical Magazine and Journal of Science” October 1932. Phil. Mag. S.7, Vol. 14, No. 92, Oct 1932

It shows “diagram representing the nature of the electromagnetic field near a receiving aerial in wireless telegraphy”. Sucking like distortion field.

“Light absorption by a dipole” H. Paul and R. Fischer. Sov.Phys.Usp.26(10), Oct. 1983. American Institute of Physics.

Abstract: “In semiclassical radiation theory, the electric dipole moment induced on an atom by a strong incident field, absorbs much more energy, per sec, than is flowing through its geometrical cross section. This means, the atom has the capability to ‘suck up’ [that is what it says here, I’m not making it up] electromagnetic energy from a spatial region that is by far larger than its own volume. An intuitive understanding of the effect is provided by studying, in the framework of classical electrodynamics, the energy flow in the total field made up by superposition of the incident wave and the field that is generated by the dipole also in the absorptive case.”

Someone wrote a note on the cover pages that reads “The German explanation is that it ‘sucks'”.

Related work by Sutton et al. “Improved Analog Synchronous Demodulator: Output ripple is suppressed without an output filter” GSC-13179, NASA Tech Briefs, March 1992. Uses dual op-amp and 4053 CMOS switches.

“Digital Synchronous Demodulator: The digital version offers greater speed, precision, and reliability.” GSC-13273.

“Broadband Active-Antenna: The effective area of a search coil is increased.” GSC-13309. Single op-amp, search coil and a few passive components. This paper appears to be the patent application before the lawyers screwed it all up.

I don’t have a copy of this one, but it seems to have great weight in GSC-13309 “How Can a Particle Absorb More Than the Light Incidence on It?” by Craig F. Bohren, Am. J. Phys. 51, No. 4, P.323, April 1983.

From GSC-13309: “With a tuned antenna there is always a tuned circuit including the antenna, where a capacitive reactance is effectively cancelled by an inductive reactance which leads, in turn, to a large circulating current in the resonant circuit, which results in the production of a field. This field, in turn, interacts with the incoming field.”

A lot of these are related to the Howland Voltage to Current converter to do regeneration.

Related to, but not by, Sutton et al. is “Compact Electric and Magnetic-Field Sensor: A search coil and an electric-field dipole are collocated” NPO-19034. by D.Winterhalter and E.Smith. NASA Tech Brief Vol. 18, No. 10, Item #124 October 1994.

[Dr. Sutton came across this page, which resulted in these comments from him.]

Re: ACTIVE ANTENNA
From: John and Helen
Date: 10/02/05 10:54 pm
Hi Bob,

The synchronous detectors were used in temperature monitors and temperature controllers designed to control temperatures on spacecraft at 60 milliKelvin +/- a few microKelvin. The preamplifier had to have a gain of 10E5 after which the demodulated signal had to be converted by a 16 bit ADC, with +/- 1LSB allowable error…. so of course, you can see that we were working with extremely small signals buried in the noise, and we had to go all out in an effort to beat down the noise. That’s why we had to use a new improved synchronous demodulator. This project was as close to being impossible as you can get! I still have trouble believing that we actually made it work. [He never did respond to my question as to what this ‘signal’ was. ?]

The active (“Black Hole”) antenna was developed in another project, where we didn’t want to transport a two meter long antenna that weighed 200 pounds…..so we miniaturized the hardware while simultaneously expanding the antenna field cross section. We wanted to receive the entire ELF-VLF bands all at once, so we had to have an extremely broadband antenna….like four decades of bandwidth or more. You wouldn’t believe the arguments I had with the reviewer at Physics Essays. He just couldn’t believe that one could do what we did….and if it was indeed true, then why hadn’t someone done it years ago?.., “and what makes you so smart”, .so, of course, “this must be nonsense, etc…..” Progress in physics is so bloody difficult because most physicists think that everything worthwhile has already been discovered….so they expect nothing new. This is negative feedback which, of course, makes the system stable, I suppose. [Which prevents us from having ‘Free Energy’ et.al.]

The one text book that includes diagrams of the antenna-external field interaction is listed as one of the references in the Physics Essays paper. Sorry, I can’t remember the name of the author or the title.

John Sutton, Ph.D.

AH> I think Baurov’s device is much more interesting than this nonsense
AH> (sorry..) about an energy sucking antenna.

BillB Wrote —

Um… I think you’d better read the Bohren and the Paul/Fischer papers
listed in the references. This stuff is totally conventional (it is
classical EM applied to light absorption by small particles, the particles
not necessarily being atoms.) If the small particle has a resonance at
the frequency of the EM radiation incident upon it, then the particle
absorbs far more energy than its size would allow. Essentially, the
strong AC fields produced by the EM energy stored in the particle act like
a dipole antenna. If the particle diameter is around 1/2 wavelength of
the EM radiation in question, then nothing odd will occur. However, if
the particle diameter is far smaller than 1/2 wavelength, then the AC
fields make it behave as if it were a large dipole antenna (it
electrically behaves far larger than its physical diameter.)

Baurov is supposed to have a theory which does make at least some sense,
and a working device….

Also, I think Baurov’s theory is related to Shipov’s torsion theory. I
cannot say that about these energysucking fantasies. (sorry…)

Strong words. Better make sure they are based on knowledge, not upon
emotion.

Portable AM radios efficiently receive signals even though they lack a
long-wire antenna. I had always thought that this was explained by the
fact that the input stage of the radio has fairly high gain, and that the
“loopstick” antenna coil was simply behaving as an inductive pickup coil.
Now I’m not so certain. The same applies to “crystal radios”. Is the
coil and capacitor on the input acting as a filter? Or is it acting as an
active “resonance antenna”?

Since the ferrite coil in an AM radio or crystal radio is tuned to
resonate with the radio station being received, then the capacitor/coil
will generate an AC dipolar magnetic field. When superposed on the
incoming EM plane waves, this dipolar magnetic field distorts the plane
waves, and they bend inwards and deliver far more energy to the coil than
we’d expect. And, if we plot the shape of the Poynting vector field
surrounding the antenna, we find a strange kind of “funnel” effect where
the antenna gathers a fairly large area of energy flux by bending the
energy flux inwards so it is absorbed by the antenna.

lurker September 16, 2022 3:22 PM

@Gert-Jan, John Tillotson
“For example with a button on the key …”

Of course the physical OFF switch keeps popping up here for phones. But a mechanical switch
a) adds cost, and
b) adds unreliability.

These, integrated over the total market should be balanced actuarially against expected losses of cars. You do the math.

Matthias U September 16, 2022 4:03 PM

That’s all well and good, but I haven’t yet met any Tesla owner who actually uses their keycard. The car pairs with your phone using Bluetooth and unlocks when you’re close enough (a meter or two).

Relay attacks for Bluetooth are an order of magnitude easier than w/ NFC.

Frank B. September 17, 2022 9:51 AM

Teslas are insecure? What a surprise.

Why anyone buys these overpriced death traps is beyond me. Far better (and safer) options out there.

X2bike September 17, 2022 3:05 PM

Most Tesla owners do use the phone key, but also carry the card key in their wallets as a backup, if the phone fails.
