In 2020, Tesla even wrote in a filing to the US Federal Communications Commission that it would be implementing ultra-wideband in its keyless entry systems, and that the ability to far more precisely measure the distance of a key fob or smartphone from a car would—or at least could—prevent its vehicles from being stolen via relay attacks. “The distance estimate is based on a Time of Flight measurement, which is immune to relay attacks,” Tesla’s filing read. That document, first turned up by the Verge, led to widespread reports and social media comments suggesting that the upcoming ultra-wideband version of Tesla’s keyless entry system would spell the end of relay attacks against its vehicles.
Yet the GoGoByte researchers found they were able to carry out their relay attack against the latest Tesla Model 3 over Bluetooth, just as they had with earlier models, from a distance as far as 15 feet between their device and the owner’s key or phone. While the cars do appear to use ultra-wideband communications, they don’t apparently use them for a distance check to prevent keyless entry theft.
Tesla has not yet responded to WIRED’s requests for comment.
When the GoGoByte researchers shared their findings with Tesla earlier this month, the company’s product security team immediately responded in an email dispelling any rumor that ultra-wideband, or “UWB,” was even intended to prevent theft. “This behavior is expected, as we are currently working on improving the reliability of UWB,” read Tesla’s email in response to GoGoByte’s description of its relay attack. “UWB ranging will be enforced when reliability improvements are complete.”
That answer shouldn’t necessarily come as a surprise, says Josep Rodriguez, a researcher for security firm IOActive who has previously demonstrated relay attacks against Tesla vehicles. Tesla never explicitly said it had started using the ultra-wideband feature for security, after all—instead, the company has touted ultra-wideband features like detecting that someone’s phone is next to the trunk to open it hands-free—and using it as a security check may still produce too many false positives.
“My understanding is that it can take engineering teams time to find a sweet spot where relay attacks can be prevented but also not affect the user experience,” Rodriguez wrote in an email to WIRED. “I wasn’t expecting that the first implementation of UWB in vehicles would solve the relay attacks.”
Automakers’ slow adoption of ultra-wideband security features isn’t just limited to Tesla, the GoGoByte researchers note. They found that two other carmakers whose keys support ultra-wideband communications are also still vulnerable to relay attacks. In one case, the company hadn’t even written any software to implement ultra-wideband communications in its cars’ locking systems, despite upgrading to hardware that supports it. (The researchers aren’t yet naming those other carmakers since they’re still working through the vulnerability disclosure process with them.)
Despite Teslas’ high price tag and continuing vulnerability to relay attacks, some studies have found that the cars are far less likely to be stolen than other cars due to their default GPS tracking—though some car theft rings have targeted them anyway using relay attacks to sell the vehicles for parts.
GoGoByte notes that Tesla, unlike many other carmakers, does have the ability to push out over-the-air updates to its cars and might still use that feature to implement a relay attack fix via ultra-wideband communications. Until then, though, the GoGoByte researchers say they want Tesla owners to understand they’re far from immune. “I think Tesla will be able to fix this because they have the hardware in place,” says Li. “But I think the public should be notified of this issue before they release the secure version.”
Until then, in other words, keep your Tesla’s PIN-to-drive protection in place. Better that than keeping your keys and smartphone in the freezer—or waking up to find a vacant driveway and your car sold for parts.
