In 2020, Tesla even wrote in a filing with the US Federal Communications Commission that it would implement ultra-wideband technology in its keyless entry systems and that the ability to measure the distance of a key fob or smartphone from the car much more accurately -or at least could—prevent vehicle theft through relay attacks. “Distance estimation is based on time-of-flight measurement, which is resistant to relay attacks,” Tesla’s document reads. This document, first found by Shouldercaused widespread reports AND comments on social media suggesting that the upcoming ultra-wideband version of Tesla’s keyless entry system will mean the end of relay attacks on the company’s vehicles.
However, GoGoByte researchers found that they were able to launch a relay attack on the latest Tesla Model 3 over Bluetooth, as was done with earlier models, with distances of up to 5 feet between the device and the owner’s key or phone. While cars appear to exploit ultra-wideband communications, they apparently do not exploit it to check distances to prevent keyless theft.
Tesla has not yet responded to WIRED’s requests for comment.
When GoGoByte researchers shared their findings with Tesla earlier this month, the company’s product security team immediately responded by email, dispelling any rumors that ultra-wideband, or “UWB,” would even prevent theft. “This behavior is expected as we are currently working to improve UWB reliability,” reads Tesla’s email in response to GoGoByte’s description of the relay attack. “The UWB range will be rolled out once reliability improvements are complete.”
This answer shouldn’t necessarily come as a surprise, says Josep Rodriguez, a researcher at security firm IOActive, who has previously demonstrated relay attacks on Tesla vehicles. After all, Tesla never explicitly said it started using the ultra-wideband feature for safety reasons – instead, the company touted ultra-wideband features such as detecting that someone’s phone is next to the trunk to open it hands-free – and using it as the security check may still give too many false positives.
“I understand that it may take some time for engineering teams to find the sweet spot where relay attacks can be prevented but does not impact the user experience,” Rodriguez wrote in an email to WIRED. “I didn’t expect that the first implementation of UWB in vehicles would solve relay attacks.”
GoGoByte researchers note that automakers’ tardy rollout of ultra-wideband security isn’t just confined to Tesla. They found that two other automakers whose dongles support ultra-wideband communications are also still vulnerable to relay attacks. In one case, the company didn’t even write any software to implement ultra-wideband communications in its car locking systems, despite upgrading to hardware that supports it. (Researchers have not yet released the names of the remaining automakers because they are still working with them on the vulnerability disclosure process.)
Despite Tesla’s high price and ongoing vulnerability to relay attacks, some studies have shown that these cars are much less likely to be stolen than other cars due to their default GPS tracking – although some car thief rings have they targeted them anyway using relay attacks for sale of vehicles for parts.
GoGoByte notes that Tesla, unlike many other automakers, has the ability to send updates to its cars over the air and may continue to exploit this feature to implement a relay attack fix via ultra-wideband communications. But until then, GoGoByte researchers say they want Tesla owners to understand that they are not immune. “I think Tesla will be able to fix it because it has the right equipment,” Li says. “But I think the public needs to be made aware of this issue before they release a safe version.”
In other words, until then, keep your Tesla PIN-to-drive protection in place. It’s better than keeping your keys and smartphone in the freezer or waking up to find the driveway empty and your car sold for parts.
