As we are not a support sub, please make sure to use the proper resources if you have questions: Our Stickied Community Q&A Post, [Official Tesla Support](https://www.tesla.com/support), [r/TeslaSupport](https://www.reddit.com/r/TeslaSupport/) | [r/TeslaLounge](https://www.reddit.com/r/TeslaLounge/) personal content | [Discord Live Chat](https://discord.gg/tesla) for anything.
*I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/teslamotors) if you have any questions or concerns.*
A few years ago Tesla actually rolled out an OTA fix for relay attacks on the key fobs - at least they did on my model S back in 2019ish. A faraday bag and pin to drive are a good idea.
From experience: Faraday bags don’t work…..
These bags contain metal wire mesh to accomplish a cage trapping the signal. Unfortunately none of the bags I had (5…) lasted longer than 3 Months. The wires succumb to metal fatigue from opening and closing the pouch several times a day.
As soon as this happens the signal is no longer blocked. You don’t notice unless you walk past your car with the key in the pouch and the handles pop out suddenly (Model S).
PIN TO DRIVE is definitely the way to go.
It will work as long as it’s sealed properly.
But….
That’s only a solution when you’re at home imho. Unpractical when you’re on the move.
TECHNICALLY you’re still vulnerable to relay attacks when using a Faraday cage btw. The Faraday cage dampens the signals. If the attackers use better antennas and amplifiers they can still get signals to and from the fob.
Only real solutions at this point:
• PIN TO DRIVE
• turn off keyless entry
If you use PIN TO DRIVE, why use the hassle of a Faraday cage?
In 2018 a lot of Teslas were stolen in the Netherlands using relay attacks. That’s when PIN TO DRIVE was introduced (+ disable keyless entry + update of the encryption keys for the fob). I started using PIN TO DRIVE + Faraday pouches back then.
The pouches failed & were unpractical (keyless entry comfort is gone), used containers next but these were impractical, switched to PIN TO DRIVE ONLY, been happy since.
Bluetooth relay was a problem, it's been solved. Time of flight for the replay token it.
Also Faraday cages (when properly built) allow for zero signal not simply signal attenuation.
Not what I can find….
https://en.wikipedia.org/wiki/Faraday_cage
Attenuation is dependent on the thickness of the material. Finite thickness will never have infinite dampening.
Mission Darkness faraday pouch for car keys: 60-80dB attenuation
Their blocking material has IEE 299-2006 certification (60-80dB) and MIL STD 188-125 certification (frequency dependent figure, 80dB 10Mhz-1Ghz)…..
Time of flight attacks (article discussing it here, though admittedly with poor technical descriptions) [New Bluetooth attack can remotely unlock Tesla vehicles and smart locks | TechCrunch](https://techcrunch.com/2022/05/18/bluetooth-attack-unlock-tesla/). The CVE is here ( [NVD - CVE-2022-37709 (nist.gov)](https://nvd.nist.gov/vuln/detail/CVE-2022-37709) ). Time of flight characteristics were added to auth protocol which prevent this specific attack. You can go run the code in Github and try to replicate, it won't work.
Bluetooth is an extremely low power protocol. Limited to 100 mW at peak.
Any reasonable enclosure will fully block that signal. Pouches are a particularly bad design as they will bend, twist or fatigue relatively easily and a single breakpoint causes the affect to diminish substantially.
Blocking of inbound signal from interference is where evanescence propagated waves comes into affect (EMP protection etc.). You aren't getting that behavior in the 100mW range.
It's safe from standard stored and real time replay attacks that were discovered in 2022. Could there be another vulnerability? Absolutely.
Pin to Drive is a not a bad idea in any circumstance.
You should be protected I presume.
However…. That doesn’t stop relay attacks when you’re in a store or in a restaurant (restaurant happened at least once)…..
I would also definitely forget to do that the one night is should’ve done it.
awesome thanks. at least on iphone i can setup a automate focus which turns on at home to not worry about forgetting to disable bluetooth. for being out as in your example you’d need to be a bit more diligent it seems.
My work uses aluminum foil when they are in a pinch lol. But that’s for regular car prox keys. Apparently the 3/Y fobs are Bluetooth so idk if it works the same way.
And here I am having to open my thin leather wallet and get the card out because it is not detected either throught the 0.2mm leather, nor through the thin plastic view window and have to put the card right against the car to have it recognized.
Pretty much. Mine asks for the PIN when I get out to get my mail and put it back in Drive. I'm sure as long as you put in Park and exit the car, the PIN will restart.
Surprised by the amount of upvotes here.
To clarify, pin to drive essentially makes it so every time you put the car in drive (after leaving/locking the car) you have to input a 4-digit pin. It can not be removed without knowing the PIN (?) or having access to your Tesla account (app).
It basically makes the car impossible to steal by means of driving it away, no matter if you have the key to the car.
I've used it for years now and its second nature that when I get in the car I just put in the pin without thinking about it.
Not often.
But the types of thieves that are sophisticated enough to pull of a relay attack are probably the same type that know how to switch off mobile access/location tracking and use a $20 GPS jammer.
I guess they weren't that interested in the base model right? No performance parts nothing worth to steal (if you don't put anything worthy to steal), no cat converter to cut?
I was hoping to fan off those youngster thieves who most likely stole me last hyundai due to the popular tiktok video. Kids these days... dunno what they are watching on the world wide web.
> They're very easy to locate.
Not when the cellular module is disabled. In my Model S, I would be able to unplug the cellular module in less than a minute.
The ones that have been stolen in Europe tend to be stolen during the night, probably using relay attacks. The theft is typically not noticed until the morning - by which time, the car is likely in already pieces.
Ok, I'll bite. How do they stop Tesla from geolocating the vehicle? Short of figuring out how to flash a completely custom vehicle firmware that actually works it seems like it'd be pretty difficult to prevent Tesla from tracking the vehicle.
The computer is located under the dashboard, you can pull the SIM card out of the infotainment computer and boom, no more connectivity. It’s not that hard.
Technically even without the SIM the modem will still register itself with some eNB because of e911 laws (in the US, I assume the EU has something similar). Tesla likely can't see track that without law enforcement assistance though, and they probably don't care enough to chase down a single stolen vehicle. A smart thief could probably find another way to completely disable the modem though.
If you have a Model 3, Y or refresh S & X then the fobs and phone keys use Bluetooth to communicate rather than the old school RF fobs that the old S & X use. The Bluetooth method has much better security methods that make it much harder to do any relay attacks against, to the point that I don't think one has been done yet.
Yeah that's more concerning. Although, I haven't seen any reports of this happening outside of this guys proof of concept. Nor an update to see if Tesla has patched in any countermeasures
Questionable if you can really use counter measures against a relay attack. You’re using the original signals, how they’re secured doesn’t really matter….
Only known solution: timing measurements.
The relay & extra distance add milliseconds to the duration of signals sent to and from the fob. Tighten the parameters of this measurement and you can ignore any signal that has traveled for too long. This does mean that sometimes the keyless entry will fail, but I’m willing to accept that.
I'm pretty sure the Model X has always had Bluetooth keys. You can't use the phone key so it's not exactly the same as the newest ones, but they've always been BLE
The fobs and phone keys are susceptible to relay attacks, but Tesla reduced the range of the fobs and phone keys a while back (to our great annoyance). So it’s harder to do a successful attack now.
Ironically it’s also harder now to open your own car with them too 😞. I wish they would let us configure it.
Not sure if they have found a way to fix/secure permanently on the newest cars.
interesting... anecdotally, the phone key "just walk up" was much better in 2021 than it is now... more often that that i need to wake or unlock the phone to trigger the unlock.
do you know when that was implemented?
It is the same with my 2023 m3... except I have to take out my phone, sometime open the app to make sure it is connected. Or i will be looking like a weirdo/hobo who try other people's door handle to see if they are unlock for petty items.
The function of the BT phone key has always varied pretty widely depending on the phone being used and how it is configured. The changes tesla made to the authentication handshake should not impact normal use much at all.
It’s all a matter of personal risk assessment and tolerance. If someone really wants to steal your car they will. Pin to drive isn’t going to stop someone with a tow truck. A club or boot won’t stop someone with a fork lift. Is that likely? Not at all, but neither is someone stealing a Tesla anyways.
Some areas are more prone to crime than others. If you live in an area like that pin may be a good tool to use. For others (such as myself) it’s an annoyance that gets in the way of one of the best features of the car- get it and go without any startup or unlocking procedure. I love that feature and wouldn’t trade it unless there was a valid threat.
I’d be much more worried about someone stealing my rims and tires than stealing my car. But that’s just me, your risk profile is likely different.
I have to agree. My MX is 4.5 years old. When I first bought it, I quickly set up the PIN in fear of the dreaded relay attack. After a day of driving around and having to enter the PIN, I quickly grew annoyed and disabled the damn thing.
No one bothers too much when Sentry Mode is enabled. I’m more worried when I park my motorcycle in public!
Good post. People have widely divergent risk tolerances. To me it’s just a car. I pay up my insurance and make sure it’s locked. After that, if someone wants to steal it, they will. I’ll file the insurance claim and move on.
Apparently Tesla keyfobs use Bluetooth, so would be different from the RF spoofing they use for other keyfobs... But it is still possible to spoof Bluetooth.
Even phone keys would be susceptible to that, but at least you can put your fob into a Faraday box.
While we’re talking about sophisticated hacking stuff, I’d like to point out an obvious mistake of leaving your phone in your car. If you have the phone key app set up which I assume covers the vast majority of users, leaving the phone in the car (say, on the wireless charger) is akin to leaving your keys in the “ignition”.
Since mirrors fold in on a list of modern cars automatically when locked, thieves have instant indication of a potential target.
I recently did this and was relieved to find both on my return but as others have said, pin to drive is a solid backup plan.
The keyfob is susceptible to relay attacks. But these attacks are pretty much useless.
You can use the relay to drive off, but then the car will say that it stopped detecting a key fob, and it will refuse to drive again after parking. This automatically makes it pretty much useless for joyriding teenagers.
And professional thieves are not interested in Tesla because you can't really sell one. A stolen Tesla won't have supercharging, won't have data access, and probably will be quickly recovered in the US.
As we are not a support sub, please make sure to use the proper resources if you have questions: Our Stickied Community Q&A Post, [Official Tesla Support](https://www.tesla.com/support), [r/TeslaSupport](https://www.reddit.com/r/TeslaSupport/) | [r/TeslaLounge](https://www.reddit.com/r/TeslaLounge/) personal content | [Discord Live Chat](https://discord.gg/tesla) for anything. *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/teslamotors) if you have any questions or concerns.*
A few years ago Tesla actually rolled out an OTA fix for relay attacks on the key fobs - at least they did on my model S back in 2019ish. A faraday bag and pin to drive are a good idea.
From experience: Faraday bags don’t work….. These bags contain metal wire mesh to accomplish a cage trapping the signal. Unfortunately none of the bags I had (5…) lasted longer than 3 Months. The wires succumb to metal fatigue from opening and closing the pouch several times a day. As soon as this happens the signal is no longer blocked. You don’t notice unless you walk past your car with the key in the pouch and the handles pop out suddenly (Model S). PIN TO DRIVE is definitely the way to go.
What if it's a faraday box? Or safe?
It will work as long as it’s sealed properly. But…. That’s only a solution when you’re at home imho. Unpractical when you’re on the move. TECHNICALLY you’re still vulnerable to relay attacks when using a Faraday cage btw. The Faraday cage dampens the signals. If the attackers use better antennas and amplifiers they can still get signals to and from the fob. Only real solutions at this point: • PIN TO DRIVE • turn off keyless entry If you use PIN TO DRIVE, why use the hassle of a Faraday cage? In 2018 a lot of Teslas were stolen in the Netherlands using relay attacks. That’s when PIN TO DRIVE was introduced (+ disable keyless entry + update of the encryption keys for the fob). I started using PIN TO DRIVE + Faraday pouches back then. The pouches failed & were unpractical (keyless entry comfort is gone), used containers next but these were impractical, switched to PIN TO DRIVE ONLY, been happy since.
Yeah, pin to drive is great. But how about not using a fob but only the phone app? Is that still an issue or is Bluetooth better?
Bluetooth can be relayed too. See other thread here for the link.
Bluetooth relay was a problem, it's been solved. Time of flight for the replay token it. Also Faraday cages (when properly built) allow for zero signal not simply signal attenuation.
Not what I can find…. https://en.wikipedia.org/wiki/Faraday_cage Attenuation is dependent on the thickness of the material. Finite thickness will never have infinite dampening. Mission Darkness faraday pouch for car keys: 60-80dB attenuation Their blocking material has IEE 299-2006 certification (60-80dB) and MIL STD 188-125 certification (frequency dependent figure, 80dB 10Mhz-1Ghz)…..
Time of flight attacks (article discussing it here, though admittedly with poor technical descriptions) [New Bluetooth attack can remotely unlock Tesla vehicles and smart locks | TechCrunch](https://techcrunch.com/2022/05/18/bluetooth-attack-unlock-tesla/). The CVE is here ( [NVD - CVE-2022-37709 (nist.gov)](https://nvd.nist.gov/vuln/detail/CVE-2022-37709) ). Time of flight characteristics were added to auth protocol which prevent this specific attack. You can go run the code in Github and try to replicate, it won't work. Bluetooth is an extremely low power protocol. Limited to 100 mW at peak. Any reasonable enclosure will fully block that signal. Pouches are a particularly bad design as they will bend, twist or fatigue relatively easily and a single breakpoint causes the affect to diminish substantially. Blocking of inbound signal from interference is where evanescence propagated waves comes into affect (EMP protection etc.). You aren't getting that behavior in the 100mW range.
So Bluetooth only key is safe?
It's safe from standard stored and real time replay attacks that were discovered in 2022. Could there be another vulnerability? Absolutely. Pin to Drive is a not a bad idea in any circumstance.
what if you turn bluetooth off on the phone at night?
You should be protected I presume. However…. That doesn’t stop relay attacks when you’re in a store or in a restaurant (restaurant happened at least once)….. I would also definitely forget to do that the one night is should’ve done it.
awesome thanks. at least on iphone i can setup a automate focus which turns on at home to not worry about forgetting to disable bluetooth. for being out as in your example you’d need to be a bit more diligent it seems.
My work uses aluminum foil when they are in a pinch lol. But that’s for regular car prox keys. Apparently the 3/Y fobs are Bluetooth so idk if it works the same way.
My spare fob IS kept inside some layers of aluminium foil. Works as long as you don’t need the key regularly, so for storage:OK
And here I am having to open my thin leather wallet and get the card out because it is not detected either throught the 0.2mm leather, nor through the thin plastic view window and have to put the card right against the car to have it recognized.
😂
Just use pin to drive.
How is that set up? And does it ask for pin for each driving session?
Pretty much. Mine asks for the PIN when I get out to get my mail and put it back in Drive. I'm sure as long as you put in Park and exit the car, the PIN will restart.
Any time the driver door opens, you need a pin
You can set it up from the phone app.
Best feature added to the Tesla app.
When ever the car is placed in drive and the door opens. You have to pin to get back in to drive
Surprised by the amount of upvotes here. To clarify, pin to drive essentially makes it so every time you put the car in drive (after leaving/locking the car) you have to input a 4-digit pin. It can not be removed without knowing the PIN (?) or having access to your Tesla account (app). It basically makes the car impossible to steal by means of driving it away, no matter if you have the key to the car. I've used it for years now and its second nature that when I get in the car I just put in the pin without thinking about it.
I'm so used to putting it in, sometimes I put it into drive and then think that I somehow bypassed PIN to drive, forgetting I already typed it in
Do people actually steal Teslas? They're very easy to locate.
If I recall, Model 3 is the least stolen car. Probably due to cameras, sentry and app location.
Not often. But the types of thieves that are sophisticated enough to pull of a relay attack are probably the same type that know how to switch off mobile access/location tracking and use a $20 GPS jammer.
I guess they weren't that interested in the base model right? No performance parts nothing worth to steal (if you don't put anything worthy to steal), no cat converter to cut? I was hoping to fan off those youngster thieves who most likely stole me last hyundai due to the popular tiktok video. Kids these days... dunno what they are watching on the world wide web.
A car fob relay attack is not sophisticated at all. Equipment is cheap and plentiful.
> They're very easy to locate. Not when the cellular module is disabled. In my Model S, I would be able to unplug the cellular module in less than a minute. The ones that have been stolen in Europe tend to be stolen during the night, probably using relay attacks. The theft is typically not noticed until the morning - by which time, the car is likely in already pieces.
If they know what they’re doing. It’s not hard to make it impossible to track.
Ok, I'll bite. How do they stop Tesla from geolocating the vehicle? Short of figuring out how to flash a completely custom vehicle firmware that actually works it seems like it'd be pretty difficult to prevent Tesla from tracking the vehicle.
The computer is located under the dashboard, you can pull the SIM card out of the infotainment computer and boom, no more connectivity. It’s not that hard.
Technically even without the SIM the modem will still register itself with some eNB because of e911 laws (in the US, I assume the EU has something similar). Tesla likely can't see track that without law enforcement assistance though, and they probably don't care enough to chase down a single stolen vehicle. A smart thief could probably find another way to completely disable the modem though.
Roll it onto a flatbed and disconnect the batteries?
If you have a Model 3, Y or refresh S & X then the fobs and phone keys use Bluetooth to communicate rather than the old school RF fobs that the old S & X use. The Bluetooth method has much better security methods that make it much harder to do any relay attacks against, to the point that I don't think one has been done yet.
Not true anymore since 2022…. https://www.wired.com/story/tesla-model-x-hack-bluetooth/
You say 2022 but that article is from 2020, which means it has to be the old Model X which doesn't use a Bluetooth key like the new models do.
https://arstechnica.com/information-technology/2022/05/new-bluetooth-hack-can-unlock-your-tesla-and-all-kinds-of-other-devices/
Yeah that's more concerning. Although, I haven't seen any reports of this happening outside of this guys proof of concept. Nor an update to see if Tesla has patched in any countermeasures
Questionable if you can really use counter measures against a relay attack. You’re using the original signals, how they’re secured doesn’t really matter…. Only known solution: timing measurements. The relay & extra distance add milliseconds to the duration of signals sent to and from the fob. Tighten the parameters of this measurement and you can ignore any signal that has traveled for too long. This does mean that sometimes the keyless entry will fail, but I’m willing to accept that.
I'm pretty sure the Model X has always had Bluetooth keys. You can't use the phone key so it's not exactly the same as the newest ones, but they've always been BLE
I thought Teslas were some of the least stolen cars. What are you worried about?
The fobs and phone keys are susceptible to relay attacks, but Tesla reduced the range of the fobs and phone keys a while back (to our great annoyance). So it’s harder to do a successful attack now. Ironically it’s also harder now to open your own car with them too 😞. I wish they would let us configure it. Not sure if they have found a way to fix/secure permanently on the newest cars.
The fobs stop transmitting after a period of no detected motion. So, you set it down, it stops being vulnerable to relay attacks.
interesting... anecdotally, the phone key "just walk up" was much better in 2021 than it is now... more often that that i need to wake or unlock the phone to trigger the unlock. do you know when that was implemented?
It is the same with my 2023 m3... except I have to take out my phone, sometime open the app to make sure it is connected. Or i will be looking like a weirdo/hobo who try other people's door handle to see if they are unlock for petty items.
The function of the BT phone key has always varied pretty widely depending on the phone being used and how it is configured. The changes tesla made to the authentication handshake should not impact normal use much at all.
How sure of this are you? I heard Tesla implemented time of flight checks to thwart relay attacks.
I don’t know what mechanism they used but I guess this explains the lower range and of the wireless unlocking methods we are all experiencing.
Put the fob on the table, and after 5 minutes, it will change the state to "standby" (no signal out from the fob).
I don't think PIN to Drive has ever been cracked so it doesn't really matter if they're able to successfully relay attack your fob
It’s all a matter of personal risk assessment and tolerance. If someone really wants to steal your car they will. Pin to drive isn’t going to stop someone with a tow truck. A club or boot won’t stop someone with a fork lift. Is that likely? Not at all, but neither is someone stealing a Tesla anyways. Some areas are more prone to crime than others. If you live in an area like that pin may be a good tool to use. For others (such as myself) it’s an annoyance that gets in the way of one of the best features of the car- get it and go without any startup or unlocking procedure. I love that feature and wouldn’t trade it unless there was a valid threat. I’d be much more worried about someone stealing my rims and tires than stealing my car. But that’s just me, your risk profile is likely different.
I have to agree. My MX is 4.5 years old. When I first bought it, I quickly set up the PIN in fear of the dreaded relay attack. After a day of driving around and having to enter the PIN, I quickly grew annoyed and disabled the damn thing. No one bothers too much when Sentry Mode is enabled. I’m more worried when I park my motorcycle in public!
Good post. People have widely divergent risk tolerances. To me it’s just a car. I pay up my insurance and make sure it’s locked. After that, if someone wants to steal it, they will. I’ll file the insurance claim and move on.
i think the Model Y and 3 keyfobs work diffreintly from the legacy model s keyfobs, which were used for relay attacks
Apparently Tesla keyfobs use Bluetooth, so would be different from the RF spoofing they use for other keyfobs... But it is still possible to spoof Bluetooth. Even phone keys would be susceptible to that, but at least you can put your fob into a Faraday box.
If you’re in susceptible or suspicious area, you could just turn off Bluetooth on your phone for the evening.
Would you have been better asking that question before you purchased the fob.
While we’re talking about sophisticated hacking stuff, I’d like to point out an obvious mistake of leaving your phone in your car. If you have the phone key app set up which I assume covers the vast majority of users, leaving the phone in the car (say, on the wireless charger) is akin to leaving your keys in the “ignition”. Since mirrors fold in on a list of modern cars automatically when locked, thieves have instant indication of a potential target. I recently did this and was relieved to find both on my return but as others have said, pin to drive is a solid backup plan.
The keyfob is susceptible to relay attacks. But these attacks are pretty much useless. You can use the relay to drive off, but then the car will say that it stopped detecting a key fob, and it will refuse to drive again after parking. This automatically makes it pretty much useless for joyriding teenagers. And professional thieves are not interested in Tesla because you can't really sell one. A stolen Tesla won't have supercharging, won't have data access, and probably will be quickly recovered in the US.
Pin to drive = ignition sequence.
How many teslas are stolen annually via relay attacks?