Bluetooth relay attacks allow Tesla Model 3 / Y to be unlocked and driven away (nccgroup.com)
233 points by youngtaff on May 17, 2022 | hide | past | favorite | 247 comments


A bit off topic, but are there any electric cars that are lighter on software? e.g. some or all of a physical key, no touch screens, no over-the-air updates, etc?

Something for people who sympathise with [0]

> Tech enthusiasts: My entire house is smart.

> Tech workers: The only piece of technology in my house is a printer and I keep a gun next to it so I can shoot it if it makes a noise I don't recognize

[0] https://twitter.com/ppathole/status/1116670170980859905?lang...


It reads like a telephone (gone through India?) mod of that version I am more familiar with:

> Tech Enthusiasts: Everything in my house is wired to the Internet of Things! I control it all from my smartphone! My smart-house is bluetooth enabled and I can give it voice commands via alexa! I love the future!

> Programmers/Engineers: The most recent piece of technology I own is a printer from 2004 and I keep a loaded gun ready to shoot it if it ever makes an unexpected noise. [0]

[Security technicians: (takes a deep swig of whiskey) I wish I had been born in the Neolithic.]

[0] https://biggaybunny.tumblr.com/post/166787080920/tech-enthus...


That engineer perspective accurately describes me, including the gun. Haha

Someday the finger will be pointed at us once enough attack vectors are introduced and exploited at once. And in general I distance myself from tech I can live without.


A big hammer, in case guns are hard to come by or you don't trust chemistry and complex mechanics.


people, you can just unplug it!


that's assuming the rat's nest of cables even permits access.


Some say there's a plug in the back of printers you can yank out too. I wouldn't know since I just refuse to own one at this point.


Isolated scissors then?


Good luck. Car manufacturers are dying to become service providers and shift buying revenue into recurring revenue. On top of that, a car that's mostly like a smartphone in terms of how you activate and think about its features is incredibly attractive for the carmakers. They dream to be able to set car prices based on unlock-able features, basically what Apple has achieved with M1 on Macs (with the difference that in this case it makes a lot of sense from a user perspective too). You can't provide services or set prices this way if the car isn't "smart". If you wanna know more, check what Qualcomm's doing in automotive with the Snapdragon digital chassis concept.


> set car prices based on unlock-able features, basically what Apple has achieved with M1 on Macs

Huh? It's not like you pay more for hardware that's always been present. You get exactly the same CPU from entry level M1 to fully specc'd M1. It's not like you could turn an M1 into an M1 Pro or an M1 Max by flicking a switch or blowing a fuse, because the hardware is just not there.

Compare that with BMW, who builds and sells cars with heated seats that you software-unlock, but the hardware is already there, which is ridiculous. At that point all cars could have it enabled and it would barely make a dent in the price, as the uniform assembly line that produces economies of scale is already in place. This is what Mazda is doing: basically you have two, maybe three trim levels, sometimes only one, fully specc'd, and that's it.


Sort of related. BMW has been doing something similar for some time. I bought a certified 2012 3 series back in 2013. New, the car had an optional package for something called Comfort and Convenience Package or something similar to that. It was mostly lighting - footwell lighting, door handle lights, some other stuff. That package was not purchased on the car I bought but all the actual lights were there and someone created a way to turn those things on using a bluetooth/OBDII connector and a laptop. I think the program was called BMW What App?? Not certain of that. Anyway, I added all the lighting stuff...

I hope people don't buy these subscriptions and auto manufacturers give up on them.

edit: words...


> auto manufacturers give up on them

Unlikely. 20+ years ago I was working for a manufacturer of high end office machines and they were doing the same thing. It's been popular for a long time, just now trickling down to consumer hardware.


The app is called Bimmercode ($50)


Intel are working on CPUs where you enable features after paying a license fee:

https://lwn.net/Articles/884876/ https://news.ycombinator.com/item?id=30394918


Raspberry Pis have had a similar thing with VC-1 and MPEG-2 decoding requiring a small fee for about a decade now. In this case, to cover the patent licensing cost so as to not add it into the base hardware, but paying a fee to unlock features resident in the hardware is not new in computing. (I realize there are likely other/older ones, but that was the first in my mind)


Yes, and even with the MPEG-2 patent expired, they are still offering that (https://codecs.raspberrypi.com/mpeg-2-license-key/), so not sure how that cost breaks down today.


Raspberry probably isn't profiting from it though, they're legally obliged to do it, and they are also trying to make their hardware cheap as possible, so making it optional in a device like RPi makes sense.

I don't think the big players have the same intentions though.


IBM has been doing that with their CPUs for a while. The current flavour of doing it is bannered under capacity on demand - https://www.ibm.com/docs/en/power8?topic=features-capacity-d...


In the field of physically-large CPUs I don't find this surprising. DEC 10's came in a wide range of models, and a KA10 variant for example could be field upgraded to a better variant, e.g. certain byte-access instructions added to extract bytes from 36-bit words, hardware floating point, and so on could be added. A technician would come and stick in some boards and wire-wrap them to the rest of the machine, and the machine's owner would pay for that. I only know of this with IBM and DEC but I would not be surprised if all the expensive machines were field-upgrade-able.


Companies are really trying to take money from everything now...


Yes, the whole pay-extra-to-unlock-a-feature-that-is-already-there thing is a big irk, and whilst I can see both sides of the coin, it still has an edge to it that irks.

I shudder at self-driving cars, and the prospect that companies would pay to nudge driver routes past their shops is perhaps another future concern, one which would be a bit evil. Just as well some companies say they will do no evil, though none spring to mind these days.

Still, in tech the earliest type of paying to unlock a feature goes back to the 60s iirc, and some storage drive that you would pay to upgrade, which entailed an engineer coming out and flipping a DIP switch to enable the extra capacity. Think it was some ICL kit, though it was such a long time ago and I never personally experienced that beyond passed-down anecdotes.


It makes perfect sense for BMW, if indeed it's more expensive to make 800 cars with heated seats plus 200 without, over 1000 with heated seats (standardized).


The fact that it doesn't make sense to the buyers should factor into whether it makes sense for the manufacturer. I would feel uncomfortable knowing I'm unnecessarily driving around a subsystem that's ultimately going to end up in the landfill unused. Unless I bite the bullet and agree to a recurring fee. Sure, many won't know or care, but then you're actively selecting for a less discerning clientele.


> I would feel uncomfortable knowing I'm unnecessarily driving around a subsystem that's ultimately going to end up in the landfill unused

Person from Minnesota drives their car down to Florida and sells it. Buyer has no need for the car's heated seats & steering wheel, so it goes unused. Are you saying this is a problem?


Thanks to JIT and JIS, just-in-sequence, the 200 non-heated ones actually are cheaper. They cannot be sold as Seats as a Service, nor can they be re-sold with heated seats after their leasing period ended. So all the SaaS model has to do is generate enough profit to offset the higher cost of heated seats installed but not paid for. After that the re-sale value, for BMW, is higher and this whole stunt is a net positive for BMW.


> make 800 cars with heated seats plus 200 without, over 1000 with heated seats (standardized)

At that point you can spread the cost over 1000 instead of keep selling 800 at a higher price to cover for the 200. I also guess Pareto goes the other way (200 heated + 800 non-heated), which only makes it worse.


> They dream to be able to set car prices based on unlock-able features, basically what Apple has achieved with M1 on Macs.

This is not an Apple thing... For ages CPUs and I think GPUs, too, are basically the same thing between many different models.

Then more expensive versions just get more cores unlocked, higher frequency allowed, etc.


> Then more expensive versions just get more cores unlocked, higher frequency allowed, etc.

That's called binning: the unit goes through some testing and components that don't pass get shunted away (hardware or firmware) because they're known to behave incorrectly. Better that than throwing it into the trash.

Blow the fuse/hack the firmware and you can unlock these because the hardware is there, but it's likely that it doesn't operate entirely correctly (especially under duress), even though it may appear to work at first blush.


Sometimes they will sell a perfectly functioning chip as a cut down version because they need to cater for that market segment. This market segmentation is nothing new and can be done in many ways, like permanently shaping the product before sale (HW) or using flexible licensing (SW). The problem with the "permanent" route is that when you sell such a cut down chip it usually stays cut down forever. So the only way to use the cut down features is to buy a chip that is fully unlocked. This is not only a waste of resources but also a waste of money to upgrade the entire chip.

A solid mechanism to enable/disable these features on demand would make the situation a lot better. You could pay just for the upgrade instead of the whole chip, either permanently or only when you need it and pay per use.

But the reality is that in practice this mechanism will probably not work to the advantage of the end user. It will focus entirely on the company's bottom line and open up new avenues for abuse. If your hardware is linked to a license and to the manufacturer forever, you'll never own it. Unless the legal framework enforces the rights of the consumer under threat of drastic fines for the manufacturer, we're just forgoing real ownership.


Intel are working on CPUs where you enable features after paying a license fee:

https://lwn.net/Articles/884876/ https://news.ycombinator.com/item?id=30394918


I think maybe this is how it started out, but it would be really flaky to match with consumer demand. If everyone is buying the cheaper (binned) option you may not have the volume (or demand from the pricey option to just bin more).


Price differences between SKUs are a tool manufacturers can adjust to try and shape demand to match their yield curves.


In fairness, it also used to be the case that simply some of the cores were broken on a "dual core" processor. Because it was actually manufactured to be a quad core processor, but testing revealed that only 2 or 3 actually worked, so then it got sold as a dual core. :D

But the thing now with "pay to unlock more cores" is... interesting.

They'd probably love to turn that into a subscription, too.


Eh? That’s still the case. The cheaper M1 Pros and so on will generally have one or more defective disabled cores. So will many-cored Intel chips.


The "Golden Screwdriver" was supposedly a term from the heyday of the IBM Mainframe. (And one of the first links I found - a tesla discussion on HN 9 years ago: https://news.ycombinator.com/item?id=5472663 )


Wait… which manufacturers do you have in mind? Because I don’t think this applies to Intel or AMD or NVidia?



This is an enormous stretch. Binning mostly allows manufacturers to avoid having to throw away ICs with certain defects, selling them instead as a different SKU (fewer cores, lower clock, worse power consumption etc).

I think Intel abused this at least once, back in the days when they had ridiculously good yields across the board, but let's not generalize in absence of evidence.


Binning is a lot of it, but what happens when they have more of the good bin than they want, for the market proportions they're targeting? They'd be fools not to either just sell the good as the bad, when nobody can tell (like when achievable frequency is the difference), or more likely just make it bad then sell it.


I think so as well. Everyone wants to get on the subscription bandwagon and charge you from birth to death of the product. They also prefer lock in rather than standardization. Unfortunately although as engineers we think of this stuff, managers always tell us to STFU. However, eventually consumers will complain and the government will start regulating and making right to repair and other laws with enough rumbling from the public.


> charge you from birth to death, full stop


Can you give any example of an unlockable feature on an M1 Mac?

Perhaps the confusion comes from the different mix of performance and efficiency cores on different Macs, but those are physically different. So for instance my M1 MBA has four performance and four efficiency cores, a compromise intended to give very long battery life.


Not only that, but perhaps they'll also be able to go in the direction of selling bare models so cheaply at a huge loss and make multipliers in profits from subjecting users to adtech, if they so chose.


We've seen how that goes with printers. Not good for end users (regardless of the printer being cheaper up front), and trashing the reputation of the company that pulls that crap.

Look at HP. They used to be the go-to "reputable, always reliable" brand for printers. Heck, if you can still find the old Laserjet 4xxx series printers they're still good.

But HP in the last decade or so are on most people's shit list.


HP went to shit because they recognized how short-sighted and price-sensitive consumers are and changed how they sell things to account for it.

When people are shopping for an appliance, price is often the largest deciding factor. HP prices their inkjet printers low to lock in that sale. But in order to still earn a profit, they try to make money from the ink, so they lock down the firmware to block 3rd party ink.

People hate how expensive ink is, so they created Instant Ink, a subscription model. If you do a decent amount of printing, especially color printing, you'll actually save money. But it's widely misunderstood. You're not subscribing to ink, you're subscribing to printed pages. And so there are people writing nasty articles about HP because they'll pay $3 for their first month of Instant Ink, HP will send them an ink cartridge, they'll cancel their subscription, then have a Surprised Pikachu face when their printer then refuses to print with the Instant Ink cartridge, because for some reason they thought they owned the ink cartridge that they paid $3 for.

And of course, someone will take a picture of their printer refusing to print with the Instant Ink cartridge that they're no longer subscribed to and post it to /r/AssholeDesign.


And yet, none of this nonsense exists in the EU. You can take your empty cartridges to a lot of local shops and get them refilled.

And yet, HP still sell printers in the EU.


EU probably requires the allowance of 3rd party cartridges and refills by law.

In America, corporations run the government and the propaganda machine. They've convinced half the country that any restrictions on corporations are attacks on the Free Market™ (and your freedom!) and are a slippery slope to SOCIALISM!!.


Yeah. A whole bunch of other printer manufacturers would have picked up a lot of business, from the next time those people needed to buy a printer. eg "Anything other than HP".

Unfortunately, several of the other printer manufacturers seem to have copied HP's approach. With similar results.

The Epson EcoTank range (eg specifically refillable ink tanks) seems like a good idea, not that I've used them yet. :)


Dymo recently trashed their entire business reputation (hopefully) pulling the same crap.

They even went to the point of modifying their Amazon listing for their old label printer, so it has all the good reviews for the old product, but selling the new crap DRM-locked garbage product.

So all the newer reviews are people complaining, but the star average is still high for the moment.

https://www.youtube.com/watch?v=xzSDJRC0F6c


Point taken on the HP printers (and wow, re: "Instant Ink" mentioned by sibling; had to search it myself to believe it), but heck. Everyone seems hell-bent on trashing their reputations in my eyes (or at least earning my eye-roll), anyhow.

Moreover, I seem to recall reading here on HN a fair bit about smart refrigerators and Samsung smart TVs with ads, and I can't see those revenue models going away anytime soon.


Bollinger looked like they were targeting exactly this, but just checked and sadly looks like they have shifted to commercial platforms only (https://bollingermotors.com/looking-for-b1-b2/).


Volkswagen e-up!

No touch screen, only key ignition, no OTA. Spartan electric city car.


The Skoda version (Citigo-e iV) is even more austere. Manual mirrors and rear windows with a lever like the little triangular windows of old. My guess is that the corners were cut to fit the lane assist system and keep the low price.


I hate lane assist; it fails miserably where I live (country lanes). I believe it's a requirement now, which is tedious. It's the first assistance feature I've actively disliked.


Very popular in Yorkshire.


Wow, I'd kill to get one of these in the states!

VW only offers the ID.4 here, which is a ridiculously huge car.


But discontinued


It was temporarily halted in 2020 but now is back in production.

According to here anyway,

https://europe.autonews.com/automakers/vw-plans-restart-sale...


Not a car, but if you make an e-bike from a regular bike and a motor bought on aliexpress, you got yourself a simple electric vehicle that is

1/ extremely light on software and

2/ not controlled by a centralized corporation which will expose your whereabouts to the whole world in case of problems.


and 3) a massive fire risk.

Even actual brand name e-bikes regularly catch on fire, to a point where fire departments warn against them [1]. I would not even dare to build myself an e-bike from Aliexpress components - you have no idea at all how solid the battery protection systems are, how well-made the cells are or if they are outright forgeries, or how well the cells are matched to the battery protection system.

[1] https://www.consumerreports.org/electric-bikes/how-to-preven...


> I would not even dare to build myself an e-bike from Aliexpress components

Then don't. Nobody's forcing you. I built several, have ridden 12000+ km, am still alive and could not be happier or feel more free.


This mainly depends on buying a reputable battery.

The main risk is burning down your house; if the bike is kept in a separate shed or bike storage, then it is minimised.

Don't forget that some people store petrol in their house, and it's legal.


Lithium iron phosphate batteries are a much lower fire risk. Lithium polymer batteries are basically a single BMS bug away from a fire at all times


and 4) illegal in most countries


Not in Germany, so I'm confused what you're playing at.


Does it go faster than 25kph ?

Does the motor work if you're not actively pedaling ?

Does it make more than 250w ?

If you answered yes to any of these you need a valid driver's license, insurance, a plate and a mandatory helmet.


In London 90% of all Deliveroo/Uber Eats is delivered with an illegal e-bike; nobody cares.


It doesn't make it legal. Anyways, adults make their own decisions and pay the consequences, I'm not here to tell people what to do. Just keep in mind that e-bikes are very regulated in a lot of European countries.

If someone's Walmart bike with a 1200w aliexpress "push button" motor ends up injuring/killing someone (due to undersized brakes, snapping chain, &c.) I'm sure a great deal of people will care about them.


You're acting like these Walmart bikes with 1200w motors are commonplace, and sold in mass quantities. Most people aren't going to spend their time fitting this stuff on a regular-ass bike. These "kits" don't even bolt onto most bikes, and require some ingenuity to make them fit. What I'm saying is there's not enough of them out there for people to ever care about the issues you bring up.


I think you, and damn near every other person on the internet hand-wringing about this kind of stuff, vastly, vastly overestimate the conversion rate between "shitty bike with more power than it probably should have breaks something" and "mows down some elderly lady".

And you're also overestimating the number of people who will care when that conversion happens. Because odds are when someone does have a mechanical failure and mow down an elderly lady it will be preceded by a bunch of stupid decisions not having anything to do with that mechanical failure, and contrary to what you may believe based on HN/Reddit/Twitter commentary, the general populace is well aware that you can't legislate away stupid.

And as others have said, there's a mechanical aptitude bar to entry for using those kits that make them less common than you're implying they are.


Well, arguably the fault lies with Deliveroo because they profit from illegal activity, but pretend it's not their employees. They know what is happening and tacitly encourage it.

If I understand bike law correctly, for offroad biking you can use anything, but of course if you rig together something stupidly dangerous and cause an accident, a court will take a dim view of it.


I'm converting a 1970 Jaguar to Tesla power.

All modern cars have far too much tech in them. I don't know how people are happy having SIM cards installed in their cars tracking their every movement. Tesla is even worse: it has a camera inside the car collecting data..


> I'm converting a 1970 Jaguar to Tesla power.

Out of curiosity, do you plan to document this process online? Either while you're doing it or afterwards?


Yup, I'd be curious too! Jaguar is an interesting choice of conversion too.

Which model?



I wouldn't say it's 'light on software' in an absolute sense, but the Kia Niro EV/PHEV has an 'average' amount of gadget and doodad bs compared to a full 'Tesla' amount. About the same as any other new car. I was recently looking for an EV that wasn't a Tesla and was actually available to purchase in the first half of 2022 and it was literally the only one I could find.


I've rented a VW E-Up once that was pretty low tech despite being fully electric. Physical key that has to be inserted next to the steering wheel to start the car (but can lock/unlock the doors like a normal fob), classic car radio without touch screen, minimalist dashboard buttons. To start the car, you even have to turn the key farther just like you would on a classical ignition. I think it's designed for people who are used to combustion engines.

According to the dashboard, its range should be about 500km. It is quite small however.


The Dacia Spring is like that, but it's also a bit weak and has a small engine, but it's also dirt cheap.


The electric conversion kits are starting to look appealing and will probably be the only way to go for a electric drivers car without the bloatware.


I really want to see more electric conversion kits for existing cars, I must admit. It seems like such a waste to throw away what is in many cases a perfectly good chassis/geartrain/body/etc just because you want to change the ICE engine and fuel tank for an electric motor and a battery pack.


Under the cover, modern vehicles have been migrating to CAN bus etc anyway, so everything from door switches to marker lights is just an I/O device. There's less wiring, almost no fusebox, and the computers know more about what's wrong.

The only difference in UX is going to be what's on a touch menu and what's on a hard control.


It's not that "modern" vehicles migrate to CAN. CAN was introduced in 1990 with the Mercedes S class. Since then everybody adopted CAN. At least with OBD-II, which is mandatory in many countries around the world, every car has CAN these days.

Since about 2000 modern cars have integrated further technologies, beginning with LIN to replace simple IO wires in the doors and alike.

At the higher end side we had Byteflight, Flexray, TTP/C and now Automotive Ethernet based on BroadReach.


I don't know much about the space so let me know if I'm wrong, but from my point of view there's still a world of difference between all devices working on a packet network (that's simply efficient) and having ten cameras surveilling everyone around me continuously and executable code being pushed to my vehicle over an always-on connection that I have no control over. And then on top of all that are tactile controls so you don't need to avert your eyes or pause podcasts to adjust the windscreen wipers.


> an always-on connection that I have no control over

Has anybody tried disabling the LTE antenna (or whatever it uses) on a Tesla for privacy/security reasons? I'm sure hoping the car still drives fine without it, but can it be done without utterly voiding the warranty etc.?


I'm sure you can come to a safe stop, and there have to be provisions for when not in mobile range because that does happen on occasion, but long term I wonder what it does for warranty or various features that might have (known or even unknown to tesla) dependencies on being online. I also seem to remember reading about a time lock, i.e. needing to be online every x time, but not sure.


While I've had a vehicle with CANbus and no documented fusebox (BMW R1200S), that was probably because it used self-resetting fuses. CAN doesn't remove the need for fuses to protect the wiring, and they don't seem to be going away.


I'm really hoping that the semiconductor shortage forces auto manufacturers to go this route.


The shortage is almost over, it's back to business as usual.


No. Plenty of parts that were previously available without lead time are now quoted for 2024.


And many are not.


Of course (it's a shortage, not a complete unavailability), but that there are many more components with long lead times than before makes it decidedly not business as usual.


Any sources on this? I'd like to sleep better at night.


I basically want one of these, full scale that I can drive - [0]

[0] - https://www.associatedelectrics.com/teamassociated/cars_and_...


Highly unlikely to find a new one, as EuroNCAP and company have started to dock stars for missing active safety features (AEB, lane assist, sleepiness detection, etc.) and low stars are a sales killer. Soon they may even be required by law.


Renault Zoe is relatively low-tech, and it has failed EuroNCAP.


Most EVs outside of Tesla are kind of like that. Physical key, no over-the-air update, etc.

Granted, they have a touchscreen, but it's just to control the navigation if you use it.


VW e-golf... you can find them for ~10k used and they are just a regular basic (but high quality) car that happens to have an electric drivetrain. The downside is they have slightly less range than newer EVs. I leased one and was really impressed overall, and wish I had bought out the lease.


wrt

> "lighter on software" AND "no OTA"

the so-called "RED directive" in the EU mandates OTA for any consumer IoT device as of 2024. After that it'll be illegal to sell a connected coffee-maker without also shipping upgrades for any security vulns. While this is specific to IoT, the connected vehicle regulation (anything non-consumer or even safety critical) would require even stricter legislation & defenses in place.


The first few generations of the MG ZS EV were basically just a "dumb" car, but electric. It was replaced with a new model in 2022, which has some more smarts.

The car I have has all analog gauges etc. It does have a touch screen, but only for controlling the infotainment system. No OTA.


Doubtful ... you may as well get a classic or just plain old car and convert it to an EV.


BMW i3. No OTA updates. No touchscreen. Very limited telemetry (GPS location transmission can be turned off). Electronic key with a physical key backup.


Renault Twizy. However, it is not a full-size or full-speed car.


I really like my Bolt. Has a touchscreen (and carplay/auto) but it is a pretty no-frills kind of vehicle, esp. with a lower trim level


I used to have an electric Smart Car and it didn’t have any of those things. It was a lot of fun but not a vehicle for everyone admittedly.


I'm no expert, but I think your best bet might be electrifying something old enough to not already have any of these problems.


Dacia Spring is relatively low-tech


It’s all I want. I want my car now, with an electric motor, that’s all.


These kinds of "sensation" vulnerabilities have been making great headlines for the past 15 years. However, there is nothing new about this.

- Relay attacks are nothing new, and not unique to Tesla.

- Every contactless unlock technique is vulnerable to relay attacks.

- No amount of encryption prevents relay attacks.

- Short range/near field wireless standards (such as NFC) are also vulnerable, though it requires close proximity of the attacker to the NFC token (phone/card/keyfob).

Even HN often falls victim to these kinds of sensational headlines. No, we can't solve this. No, car manufacturers won't go back to physical keys. Yes, 99.9% of consumers really like keyless entry and don't care too much about the potential of theft. For most, that is what insurance is for.


> Every contactless unlock technique is vulnerable to relay attacks.

> - No amount of encryption prevents relay attacks.

This isn't true, and I have the patent(s) to show it.

I developed (along with some truly talented security professionals and cryptographers) the active RFID security system for KIWI, a residential access control system here in Germany. One of the requirements, aside from not keeping a central log of access, was that the system should not work if you were further than 10 meters from the door you were trying to open. Things like measuring signal strength, etc. were not an option, as you might imagine repeaters render that moot.

Ultimately, it comes down to fairly tight timings, the speed of light and the rules of physics, but we could restrict things such that the cryptographic handshake would fail if you were more than about 30 meters away, corresponding to a timing window of about 0.0000001 seconds.

We offered to license the technology to car companies, but they weren't interested.
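The two comments above make complementary points: a relay forwards the handshake bytes unchanged, so no cipher or MAC can notice it, while a verifier that bounds the round-trip time at roughly the speed of light can. The following simulation is an added example, not code from this thread, from the NCC Group write-up, or from the KIWI product; the key, the fob compute time, the relay latency, the distances and the function names (`fob_respond`, `run_handshake`, the two decision policies) are all constructed for illustration. The thread's figure of about 0.0000001 s (100 ns) for 30 m is the one-way light time; the check here is on the round trip, so the bound is about 200 ns plus the fob's own compute time.

```python
import hashlib
import hmac
import os

# Speed of light in metres per nanosecond (vacuum; radio in air is within 0.03 % of this).
C_M_PER_NS = 0.299792458

# Constructed demo key shared by car and fob; a real system provisions this per device.
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"


def fob_respond(challenge, key=SHARED_KEY):
    """Fob side: answer a fresh challenge with an HMAC over it.

    The fob cannot tell how far the challenge travelled or whether a relay is in
    the path; cryptographically its answer is identical either way.
    """
    return hmac.new(key, challenge, hashlib.sha256).digest()


def run_handshake(distance_m, relay_latency_ns=0.0, fob_compute_ns=50.0,
                  max_distance_m=30.0, key=SHARED_KEY):
    """Car side: challenge the fob and return (mac_ok, rtt_ok, rtt_ns).

    distance_m        physical car-to-fob distance (constructed scenario input)
    relay_latency_ns  processing delay added by relay hardware in the path,
                      0 for a direct radio link (constructed value)
    fob_compute_ns    fob's own compute time, assumed calibrated into the bound
    max_distance_m    distance beyond which the car must refuse to unlock
    """
    challenge = os.urandom(16)
    # A relay forwards challenge and response byte-for-byte, so the MAC always
    # verifies; only the elapsed time carries information about distance.
    response = fob_respond(challenge, key)
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    mac_ok = hmac.compare_digest(response, expected)

    # Simulated round trip: light time out and back, fob compute, relay delay.
    rtt_ns = 2 * distance_m / C_M_PER_NS + fob_compute_ns + relay_latency_ns
    # Longest round trip a genuine fob inside max_distance_m can produce.
    rtt_bound_ns = 2 * max_distance_m / C_M_PER_NS + fob_compute_ns
    rtt_ok = rtt_ns <= rtt_bound_ns
    return mac_ok, rtt_ok, rtt_ns


def mac_only_decision(distance_m, relay_latency_ns=0.0):
    """Policy that checks only the cryptography: this is what a relay defeats."""
    mac_ok, _rtt_ok, _ = run_handshake(distance_m, relay_latency_ns)
    return "unlock" if mac_ok else "reject"


def distance_bounded_decision(distance_m, relay_latency_ns=0.0, max_distance_m=30.0):
    """Policy that requires both a valid MAC and a round trip within the bound."""
    mac_ok, rtt_ok, _ = run_handshake(distance_m, relay_latency_ns,
                                      max_distance_m=max_distance_m)
    return "unlock" if (mac_ok and rtt_ok) else "reject"


def distance_resolution_m(timer_resolution_ns):
    """Smallest distance difference a verifier's timer can resolve (round trip)."""
    return timer_resolution_ns * C_M_PER_NS / 2


if __name__ == "__main__":
    # Constructed scenarios: fob in the owner's pocket beside the car, and the
    # fob 300 m away with a relay pair adding 2 us of hardware latency.
    for label, dist, relay in [("fob beside car", 2.0, 0.0),
                               ("fob relayed from 300 m", 300.0, 2000.0)]:
        _, _, rtt = run_handshake(dist, relay)
        print(f"{label:24s} rtt={rtt:8.1f} ns  mac-only={mac_only_decision(dist, relay):6s} "
              f"distance-bounded={distance_bounded_decision(dist, relay)}")
    # A 1 us timer cannot tell 30 m from 180 m; a 1 ns timer resolves about 15 cm.
    for res in (1000.0, 1.0):
        print(f"timer resolution {res:6.1f} ns -> {distance_resolution_m(res):7.2f} m")
```

The `distance_resolution_m` helper is the reason the approach needs the precise hardware mentioned further down the thread: a timer with microsecond resolution cannot distinguish a fob at 30 m from one 150 m further away, whereas nanosecond timing resolves tens of centimetres, and the cheaper the timing the wider the window the verifier has to accept.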


> I have the patent(s) to show it.

> I developed

> Ultimately, it comes down to fairly tight timings, the speed of light and the rules of physics, but we could restrict things such that the cryptographic handshake would fail if you were more than about 30 meters away, corresponding to a timing window of about 0.0000001 seconds.

Prior art! ;)

https://web.mit.edu/jemorris/humor/500-miles


(Yes, I realize your comment was tongue-in-cheek)

There are actually a lot of patented ways to prevent relay attacks, mine is only one of them. And most of them are patented by NXP :)

Ultimately, this is a failure of prioritization on behalf of the car companies, or a sacrifice of security for usability, or both.


I was trying to learn more about the problem as two of my colleagues were victims of relay attacks, allegedly. Stolen cars were Mazda and Kia. I found claims that only Jaguars and Land Rovers have been resistant to that kind of attack thanks to precise time measurement - similar solution to your description.

I don't have any links and found only [1] this one quickly.

[1] https://teamtalk.jaguarlandrover.com/news/jaguar-land-rover-...


IIRC this is how the Apple Watch's feature that unlocks your Mac works. It's not vulnerable to repeaters and only works within ~3 feet of the watch and the Mac.


I’ve found the range for unlocking your phone with the watch is even tighter. When I’m on the subway it’s less than six inches, presumably because of local radio noise.


Yep. The reference I saw actually says ~3 meters, but even in seemingly ideal conditions, I don't see it reliably work except within probably just one.


> We offered to license the technology to car companies, but they weren't interested.

Well, I'm sorry for your tech, but you're kind of making OP's point:

> Yes, 99.9% of consumers really like keyless entry and don't care too much about the potential of theft. For most, that is what insurance is for.


It refutes the part where they said: "No, we can't solve this"


I think the point is we can have both, but it requires more expensive hardware to be able to do the handshake fast enough that it doesn't cause accidental failures and ultimately irritation for the user.


Try selling it to insurance companies? Manufacturers who refuse to use it could have their drivers paying higher insurance rates.


I agreed with the GP but you certainly made them sound like a bag of hot air. What a pleasant reminder that security can be bona fide engineering. It's too bad we live in a world that doesn't always want problems solved.


Where can I learn more about this technology and explore licensing opportunities?


I am no longer involved in the company. Here is one of the related patents: DE102012104955A1; send me a message/email and I could potentially make a connection.


How hard is it to integrate the key into phones? If it uses a separate UWB radio it must add some cost and power drain.


I heard the argument before that relay attacks can’t be solved because it is too hard to measure distance/time of flight. Except that the NASA Apollo missions were able to do so, on a 2 GHz signal with 1.5 meter accuracy all the way to the moon. It used complex equipment back then, but not by today’s standards. It’s not impossible, it is just too expensive.

https://www.righto.com/2022/04/the-digital-ranging-system-th...


Apparently the Apple Watch does it when using the "unlock your Mac" feature.

https://networkingnerd.net/2016/09/21/apple-watch-unlock-802...


It also notifies the user with a haptic and audio notification when the Watch has been used to unlock a Mac.

In an open plan office it works around 2 meters away at maximum.

There seems to be some kind of heuristic when it allows it too, the first login for the day requires a password or TouchID to be used, but the ones after that work via the Watch.


> No amount of encryption prevents relay attacks

Identity verification and public/private keys are a solved problem, how is it at all impossible to prevent relay attacks?

Key: I want to unlock the door.

Car: Here's a random number encrypted with my key, which only the real fob should have the pair key to.

Fob: Here's the number encrypted with another key, which only the car should have the pair key for.

Car: This matches, opening the door.

Blindly repeating these bits won't work and it should be impossible to eavesdrop without an NSA cluster of supercomputers. What am I missing?


The attack in the article is a relay attack, not a replay attack. One letter difference.

Every keyless/wireless car key already uses a challenge-response scheme, just like you described, to prevent replay attacks. However, that will not work against relay attacks. Cryptography does not prevent relaying.

Fun fact: Even most physical car keys produced >1990 have a small RFID based transponder in the key head (the plastic part that you hold). This transponder responds to a challenge transmitted by the ignition barrel. Without a correct response, the ECU will refuse to start the engine. This is mainly done to prevent 'Hollywood' style theft where you connect 2 wires from the ignition barrel together to start a car.
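The challenge-response exchange sketched a few comments up, and the relay-versus-replay distinction made in this reply, as an added simulation (not code from any commenter or from the NCC Group write-up). It assumes a shared-key HMAC instead of the public/private key pair the earlier comment describes; the outcome is the same for any signature scheme, because the relay never touches the bytes.

```python
import hashlib
import hmac
import os


class Car:
    """Car side of a challenge-response unlock (shared-key HMAC, assumed for the demo)."""

    def __init__(self, shared_key: bytes):
        self.key = shared_key
        self.pending = None  # challenge currently awaiting an answer

    def challenge(self) -> bytes:
        self.pending = os.urandom(16)  # fresh random nonce for every unlock attempt
        return self.pending

    def verify(self, response: bytes) -> bool:
        if self.pending is None:
            return False
        expected = hmac.new(self.key, self.pending, hashlib.sha256).digest()
        self.pending = None  # a challenge can be answered only once
        return hmac.compare_digest(expected, response)


class Fob:
    """Key fob or phone: answers whatever challenge reaches it, wherever it is."""

    def __init__(self, shared_key: bytes):
        self.key = shared_key

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


def forward(message: bytes) -> bytes:
    """A relay box: passes bytes on unchanged. It holds no key and reads nothing."""
    return message


def legitimate_unlock(car: Car, fob: Fob) -> bool:
    return car.verify(fob.respond(car.challenge()))


def replay_attempt(car: Car, fob: Fob) -> bool:
    """Attacker recorded one earlier exchange and plays the old answer back later."""
    recorded_response = fob.respond(car.challenge())  # the session the attacker observed
    car.verify(recorded_response)                      # that session completes normally
    car.challenge()                                    # new attempt: the car issues a NEW nonce
    return car.verify(recorded_response)               # the old answer no longer matches


def relay_attempt(car: Car, fob: Fob) -> bool:
    """Two relay boxes bridge the distance between the car and the real fob."""
    nonce = car.challenge()
    response = fob.respond(forward(nonce))   # real fob answers, possibly far away
    return car.verify(forward(response))     # accepted: the crypto saw a genuine fob


def run_scenarios() -> dict:
    """Return the unlock result for each scenario so the difference is visible."""
    key = os.urandom(32)  # constructed pairing secret shared by car and fob
    car, fob = Car(key), Fob(key)
    return {
        "legitimate": legitimate_unlock(car, fob),
        "replay": replay_attempt(car, fob),   # False: nonce is fresh, crypto works
        "relay": relay_attempt(car, fob),     # True: crypto cannot see the extra hops
    }


if __name__ == "__main__":
    print(run_scenarios())
```

The only signal the car could use to tell the relayed run from the legitimate one is how long the answer took to arrive, which is a measurement rather than a cryptographic property.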


This has caused me a lot of grief on my 1999 Jeep Grand Cherokee Limited. The reader is known to go bad and refuse to let the thing start. Took a long time to find the solution somewhere online to take the steering column cover off and reconnect/jiggle the thing. Probably just some bad solder joints. Personally considering sending in my ecu to be reprogrammed and taking the reader out permanently.


This is not what they did.

They used a relay attack which means that they tunneled the actual keyfob signal over the internet (or a direct connection).

Tesla and others try to mitigate that by making sure that the latency of the signal is not too high.

<Everything you described> Car: your encrypted authentication looks right but you took 200ms to send it. You are probably not within BLE range.

The researchers contribution was to show that despite that a relay attack is still possible.


So they could add a power switch to the fob or make it need a button press. Maybe people don't think it's worth it. Could also keep your fob in a radio frequency blocking bag.


It's usually working without a dedicated fob and uses the user's phone to open and start the car.

I believe they have an option where you need a pin to start the engine at least; however, I'm not an owner.


Wait. Does this mean thieves are downloading a car?

What a world!


Blindly repeating the bits actually works just fine. The relay doesn't need to know anything about the content of the conversation - it just needs to boost the signal enough that the car and key can talk to each other when they're far away. Neither key nor car are the wiser, as long as the latency is low enough.


I was unfamiliar with this buttonless setup. Seems silly.

The attack is defeated by keeping your fob in something that blocks radio frequencies I guess. Same idea as those metal wallets but this time for an actual threat.


"Buttonless" is also critical. If you make people press a button on their key to open the car, it's secure.


I appreciate and agree with your main point, but I want to push back on the "impossible to solve" assertion because solving hard problems is fun.

Using latency seems intrinsically expensive because there's no lower limit to how fast a network switch or relay can operate, meaning speed of light is the only real limit. And then the latency bounds get extremely tight, which probably means expensive components. Probably too expensive for a dedicated key fob, but maybe possible with a phone.

But position is actually the thing we care about. If the key knows its position, say with GPS, then we could do it. The key could securely sign its location (plus timestamp or nonce to avoid replay attacks) and then the car could explicitly verify the signature and that the key is within range. AFAICT this is totally secure and reasonable, if a bit expensive, to implement. In fact it seems like it would almost just work today for phone-based keys.

Putting GPS into a dedicated key fob is probably not even too expensive - car key fobs regularly cost hundreds of dollars to replace, even if their BOM is trivial, and a cheap GPS watch is approaching $100. The biggest barrier I see here is battery life on the key - neither phones nor watches like to be constantly tracking GPS because of the power draw.

I wonder what else could work. Quantum communication protocols can detect or resist relays. These are WAAY out of reach though - mostly theoretical, but IIRC the Chinese actually built a satellite to do relay-resistant quantum key distribution.

I'm not arguing that these options are things car companies are going to do any time soon. But it's fun to think about. And I don't think it's impossibly far off.


I bought a cheap gps clock for 70 usd 3 years ago. The price should be even lower today :)


My car is parked underground in a building made of steel and concrete, effectively a faraday cage. GPS does not work at all in the garage…


> don't care too much about the potential of theft

Stealing an internet-connected smart car is incredibly dumb.


> No amount of encryption prevents relay attacks.

Encryption + timestamp + message that expires after MAX_DISTANCE/c seems like it would be pretty foolproof. There are of course some challenges in having enough precision in the clocks, though.


So the encryption is not solving it then. But I may need to add to my original post:

- Relay attacks can theoretically be solved with high precision clocks, but will affect price and reliability in a negative way

This obviously depends a bit on the situation, but most relay attacks happen within reasonable proximity. Most attacks happen to a car parked in front of a house, since the attacker knows that the keyfob is likely to be within the house. The distance here is often less than 20m. To get reasonably reliable relay detection on these kinds of distances, you'll need very precise clocks, which will make the keyfobs expensive and still increases the risk of false positives on relay detection.

What's the point (to the customer) if the expensive ULTRA SECURE (tm) keyless entry system is 10x the price, and still less reliable than the keyless entry system on their 20 year old Toyota?


For lots of modern cars, the user's phone is a key, and the car itself is connected, so you could also theoretically share and compare GPS location during the unlock attempt.


I'm no expert, but I'm pretty sure GPS isn't going to have the accuracy needed to prevent a relay attack.


I think the accuracy should be fine, cell phones typically have a GPS accuracy of 5-10 m. The problem is that you won't be able to rely on it. You probably won't have any GPS signal at all in an underground parking garage, and even in an above ground parking deck you will likely have poor or no signal due to being surrounded by steel and concrete.


It takes a pretty sustained period of polling to get to 5-10m accuracy though right?


Even without measuring the distance you could require periodic re-authentication after entry to keep the car driving. If the attacker did a one-time relay to open the car and start it and then drives away they'd lose contact and thus fail the next challenge-response authentication cycle.


None of the keyless start systems do this, on purpose. Because this may lead to very dangerous situations.

Imagine your engine shutting off on the highway, and your steering wheel locks, just because the car briefly loses response from the keyfob...

Also, just about every keyless entry system has a physical backup key, to start and drive the car in case the battery in the keyfob is empty. A periodical re-authentication would make this impossible.

Stuck in the middle of the desert with a perfectly good car, but an empty keyfob battery? Well, sucks to be you, you'll likely die, but at least your car won't be vulnerable to relay attacks!


That doesn't mean it's impossible to prevent relay attacks, it's just that people choose not to.

Additionally, the highway scenario could also be mitigated with a warning and a grace period. The desert scenario can be mitigated with having a fallback such as having the contactless system double as a smartcard you can put into a reader or by wireless power transfer. Plus, if your contactless system fails in the desert you're screwed anyway as soon as you turn off the engine once.


Please don’t. Imagine I am driving and suddenly the car in front of me fails to reauth and suddenly stops in the middle of an intersection. That would be unnecessarily unsafe.


It could just only deactivate the car if the car is stationary. Problem solved.


> It could just only deactivate the car if the car is stationary.

Right, stop once for a traffic jam, car loses sync with keyfob, and you'll become a stationary target on a highway.

Better swap out those batteries in your keyfob real quick before that 18-wheeler smashes into your car with kids in the backseat!

But hey, at least your car won't be stolen!

> Problem solved.

I guess this proves my point I was trying to make in my original post. Every xx months a sensation article like this comes out, and suddenly everyone, even on HN, becomes an expert that will 'just' solve the issue with a naive solution.

Car manufacturers, hire smart engineers. If the solution was simple, they would have fixed it already. Cars are always a trade-off between safety, security, reliability, affordability and practicality.

Great that your solution makes the car theft resistant, but if it also kills people, it's not such a great sell...


What about making the key only broadcast the unlock signal when it's been moved within the last {X} mins? Sitting in a drawer, not broadcasting and not vulnerable to relay attack. Walking to the car, key activates, driver unlocks like normal.


You have to be able to support “dumb” key fobs/RFID cards as well as phones.

I doubt Tesla would want to include a motion sensor on the dumb card that fits in a wallet.


I imagine that MAX_DISTANCE/c would be tiny compared to the amount of noise involved, to the point where this would be functionally impossible.


I wonder if it would be possible to have a crystal oscillator be that precise and still be robust enough to survive in a car. This method should work. But, if the system can’t survive the external vibration, temperature changes, and weather, it won’t help a car manufacturer.


I thought most keyfobs have a button you need to press to unlock the car? Wouldn't that prevent almost all relay attacks, because the thief typically does not have physical access to the key?


You are thinking of older types of keys. Modern ones, you just have to be near the car with the key and it will unlock if you try a handle. It is ridiculously convenient.


Also how big is the risk of theft?

It's not like a normal IT security problem where attackers can be anywhere on earth.

I don't know the numbers for the US, but in my country it seems 0,9% of cars get reported stolen a year, which includes stupid stuff like leaving the car idling outside your view. That's a risk I can live with and don't want to have bothersome security to avoid.


That seems pretty high to me. 1 in 100 cars get stolen every year? That’s about 50x the US rate.


I drive a 2013 mini that has a keyless entry system (and push button start as long as the key is in the car). I’m certain my car could be stolen with a relay attack, but confident that won’t happen because I park it 5 floors down in a building made of concrete and steel.


I bought a new skoda last October, it has a real key.


Virtually every key fob is vulnerable to relay attacks. Yes Teslas use Bluetooth but you can do the same with other radio bands even NFC. Only the latest NFC protocols such as Mifare Plus implement a proximity check function that can help defeat relay attacks.

https://link.springer.com/chapter/10.1007/978-3-030-10591-4_...


Articles like this feed on the idea that someone could just swoop in and magically steal your car, but imagine how difficult it would be to not get caught when stealing an electric car. There are several uniquely identifiable components, not to mention the car fully understands its own location.

It would take a serious criminal organization to get away with the theft and sell it for profit, and at that point you're gonna lose regardless of the type of exploit invoked.

Imagine stealing a smart phone today. What's the incentive when the technical overhead of getting away with it is so high?


There are cheap devices that block mobile networks so the car won't be able to transmit coordinates. Then just drive the car to a junk yard, remove the batteries and sell the car for parts. This is what actually happens to the majority of stolen cars in the US.


This misses the point. Theft may not be the sole motivator.

If someone moved my car 200 m away, I would then be forced to go get it. If someone moved my car and parked it where parking wasn't allowed, I pay a fine.


So we've narrowed the threat model to people willing to commit serious felonies to annoy me? I'll take it.


The main reason NFC is resistant to this is it has incredibly tight timings.


> Relay Attacks
>
> A relay attack against two legitimate parties A and B is one whereby a man-in-the-middle C forwards A’s messages to B and/or B’s messages to A, unbeknown to them.

How is this different from a man in the middle attack?


My understanding is that Relay Attacks take advantage of the fact that key fobs are weak transmitters.

If your car can hear the key fob, it assumes the authorized operator is close enough to interact with the car. A relay attack bridges the physical gap between the transmitter and receiver so that the receiver is tricked into thinking the transmitter is nearby.

For example, a thief can scan for key fobs in a fancy restaurant, beam the signals to an accomplice near the valet lot, unlock your BMW, and drive away.

IIRC this is mostly a problem with always-on key fobs.

Here’s an explainer:

https://leasing.com/guides/relay-car-theft-what-is-it-and-ho...


MITM is more general and includes the case where the MITM alters the information in transit to misrepresent the communications of the two parties to each other.


Thank you.


ToF + RSSI combination on keys is still to be beaten with a good protocol. I say with a good protocol since the "ghost peak" vulnerability is really a protocol issue, but keys don't fall under CCC, and have proprietary ones.


This is exactly what they are beating in this article. They claim their relay method is not altering ToF significantly and that the RSSI measurement is useless.


No, it does not beat Time-of-Flight measurement. What it does achieve is keeping GATT response latency within normal ranges, so that the GATT response latency cannot be reliably used as an indication of relay attacks. GATT response latency can vary by tens of milliseconds, whereas Time-of-Flight is usually measured in microseconds or nanoseconds. Unfortunately, Bluetooth LE alone lacks a mechanism for time of flight measurement in secure ranging, hence why technologies like UWB are needed.
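The timing argument running through this thread (the 30 m / 0.0000001 s bound in the KIWI comment, the "message that expires after MAX_DISTANCE/c" suggestion, and this comment's point that GATT latency jitters by tens of milliseconds while time of flight is measured in nanoseconds), as an added simulation that is not code from any commenter or vendor. The processing delays, jitter figures and the 1 ms the relay is assumed to add are all constructed; note that the 100 ns in the KIWI comment is the one-way light time for 30 m, so the round-trip bound is twice that.

```python
C = 299_792_458.0  # speed of light in vacuum, m/s

# Constructed per-layer measurement characteristics (fixed processing delay, +-jitter).
LAYERS = {
    "gatt":    {"processing_s": 0.040, "jitter_s": 0.030},  # tens of ms, as the comment says
    "uwb_tof": {"processing_s": 0.0,   "jitter_s": 10e-9},  # calibrated out, ~10 ns jitter
}


def max_round_trip_s(max_distance_m: float, processing_s: float = 0.0) -> float:
    """Longest round-trip time a key within max_distance_m can legitimately produce."""
    return 2.0 * max_distance_m / C + processing_s


def implied_distance_m(rtt_s: float, processing_s: float = 0.0) -> float:
    """Distance a measured round trip corresponds to once fixed processing is removed."""
    return max(0.0, rtt_s - processing_s) * C / 2.0


def relay_suspected(measured_rtt_s: float, max_distance_m: float,
                    processing_s: float, jitter_s: float) -> bool:
    """Flag only when even the most favourable reading still implies a key beyond the bound.

    Subtracting the jitter first is what keeps honest users from being locked out; it is
    also exactly the slack a relay can hide in.
    """
    best_case = measured_rtt_s - jitter_s
    return best_case > max_round_trip_s(max_distance_m, processing_s)


def evaluate(layer: str, true_distance_m: float, relay_delay_s: float,
             bound_m: float = 30.0) -> dict:
    """Measure the same honest key and the same relay with one layer's timing quality."""
    p = LAYERS[layer]["processing_s"]
    j = LAYERS[layer]["jitter_s"]
    direct_rtt = 2.0 * true_distance_m / C + p       # ideal reading for the honest key
    honest_worst = direct_rtt + j                    # honest key on its slowest reading
    relayed = direct_rtt + relay_delay_s             # relay adds its forwarding delay
    return {
        "honest_flagged": relay_suspected(honest_worst, bound_m, p, j),
        "relay_flagged": relay_suspected(relayed, bound_m, p, j),
        "relay_looks_like_m": implied_distance_m(relayed, p),
    }


if __name__ == "__main__":
    for layer in LAYERS:
        # Key really 5 m away; relay assumed to add 1 ms (constructed figure).
        print(layer, evaluate(layer, true_distance_m=5.0, relay_delay_s=1e-3))
```

With GATT-level timing the relay stays inside the ±30 ms jitter and is not flagged, while the nanosecond-scale time-of-flight reading reports the same key as roughly 150 km away and flags it.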


The headline on this had me very confused; surely not even Tesla would implement something like this without a crypto challenge-response in there somewhere?

They did not. This attack relies on 2 devices: one next to the car and one next to the phone. It is tunneling the bluetooth link, but you still need an authorized phone at the other end of the tunnel (to respond to the crypto challenge).

EDIT: it had me confused because I saw "Relay Attacks" and parsed it as "Replay Attacks". Now getting more coffee ...


This is quite a traditional attack going back years at this point. It's also incredibly effective and regularly used by car thieves across the world. The hardware thieves use to execute the attack sometimes differs per brand or model so it's not a universal attack per se, but leaked data sets about car ownership make it easy to get a good return on investment for even just a repeater that only works on a single model.

These automatically unlocking keys should really be stored in a Faraday cage while not in use. When it comes to phones, well, disable Bluetooth when you're not near your car if you've set up this functionality, I guess…


> These automatically unlocking keys should really be stored in a Faraday cage while not in use.

Those things aren't bullshit? I thought these attacks could only be used while your key was in use.


Some keys supposedly have an accelerometer and will stop emitting if they are not moving, but I really have no idea if this is mainstream or a legend. Myself, I have never seen any key that would stop emitting.


Even if true, this isn't really much of a help. Sure, they won't steal from you while in your house. Maybe, as many folks keep their keys in pockets until bed. But, that aside, just go hang out at a grocery store.

It is rather hilarious how basic threat modeling can basically shore this up as way more impossible to do fool proof than you'd think. You may think "put biometrics/camera" on car so that it can see who is trying to open it. Suddenly valets and kids can't open cars for you. Turn off when key is lost? See plenty of takes on that in this conversation.


Ford made a big thing of this a couple of years back[0]. Don't know how many of their models now have it though.

[0] https://www.ford.co.uk/support/how-tos/keys-and-locks/door-l...


If you have to pick the thing up anyway, then why not just make it need a button press to transmit anything and eliminate this attack?


This is more convenient than it sounds. Carrying your kid back to the car from a day at the park? Just get close and you can easily open the door. No having to put the kid down so that you can find your keys in whatever bag/pocket they were placed in.


It all depends on the type of key your car comes with. Some have protections to ensure that they only transmit when they're supposed to, but many, if not most, can be tricked into transmitting when they're not. Personally, I'd err on the safe side and use one of those EM blocking pouches just in case.


Seems to me the purpose-built NFC spec (used by Apple CarKey) is what Tesla should switch to for this (https://www.businesswire.com/news/home/20200504005161/en/Car...)


Teslas already have NFC unlock; the fob and the card can both be used to unlock using NFC by placing them at the top of the B pillar.

The problem is that people love proximity unlock, i.e. the car unlocks before you reach it and you don't need to place any device directly on/very close to the surface of the car. To do this requires Bluetooth and usually multiple BT radios such that you can perform ranging (can be augmented with UWB etc.) to determine if the owner is approaching or moving away from the car etc.

Because of the timings involved it's easy to perform relay attacks as described in the article and it's a non-trivial problem to solve without impeding the core user experience (which is to be able to simply walk up to the car).

I think the only viable solution is probably to add some sort of gait/build/facial detection into the Sentry system that needs to obtain confirmation before BT unlock is processed but that seems pretty damn hard and I don't even know if it could reach the accuracy required to thwart attacks.


I also imagine running the cameras would suck a lot more juice out of the battery than a few BLE radios.


Sure but you would only do it to verify an unlock so in the grand scheme of things it won't be much.


Tesla cannot rely on this hardware existing on all devices they target, which include low-end Android devices.


If you can afford to buy a Tesla, your chances of owning a low-end Android phone are low. I am sure Tesla owners wouldn’t mind buying a new phone for a few hundred bucks to make their car more secure.


Couldn't they just include a dedicated NFC fob? Almost back to the idea of carrying keys around!


They do. Teslas come with two NFC card keys. The phone unlock is optional but really convenient.


Therefore they should use this insecure option for everyone? It's possible to have more than 1 radio you know.


You can also enable pin to drive. Requires a pin in the car to move it.


Tesla is averse to any integration with iOS/CarPlay/etc and insists on their shitty walled garden being the only solution.


They prefer to stick to their own walled garden when it comes to this stuff and I can't disagree with that. Perhaps if the phone's API for things like CarPlay and NFC were to be fully open they would consider integrating, but I don't see why they should prefer the specifications and constraints of someone else's walled garden over their own.

Both Apple and Google significantly limit access and enforce limitations on what Android Auto/CarPlay can and can't do. You're effectively picking and choosing your walled gardens when you use these products.


This seems to be already discussed here: https://news.ycombinator.com/item?id=31403925


Not a big deal

1) This is optional behaviour. By default when you get the car it’s set up with key cards you need to touch to the driver's side door pillar. You have to manually set up phone proximity if you want.

2) You can (and probably should) set up a pin code inside the car too. Proximity unlock, which is very useful, gets you in the car but the car can’t be driven away until the pin is entered.


Related: Since this is Hacker News, I figured y'all might like this little gadget:

https://flipperzero.one/

Its utility isn't as bad as the one in the bug report, but I have heard that it can open a lot of other doors on a Tesla (like the charger port).


I don't fully trust my Model 3 with the 'walk away' bluetooth lock.

However I do trust the 'pin to drive' (which randomly changes location on screen to foil fingerprints). And sentry mode is a new bonus, not that it has any real utility beyond a small scare for anyone getting too close.

There is only so far I'm willing to go for security before securing the item becomes worse than the joy of owning the item. Wheel locks, physical keys, barbed wire perimeter? No thanks.

If someone wants to load the car up on a flat bed truck inside of a faraday cage, they've put in the effort, enjoy the car.


I've never understood car makers' obsession with proximity unlock.

Let's put it this way: I use biometrics for my phone as convenience, but I have it time out in an hour, and require a pattern. (Or, if I put the phone in lockdown.) The security biometrics offer is too weak to trust.

But imagine if the only option you had was face id, and all other options were removed.

Operations like unlocking the door must be explicit, not implicit. I'd accept configurability, but it would be permanently disabled if I could.

Bluetooth has always sucked, but even if Bluetooth is improved, proximity unlock is brain dead for security.


> I've never understood car makers obsession with proximity unlock.

The competition has it. Some people like it.

And in Tesla's case, it saves money. There is no cylinder on the steering column, no cylinder in the door, no steel key to manufacture, no rod going to a physical unlock switch, and no physical unlock switch. So we've saved 500 grams in the car and probably a good $20 too, not to mention the room in the door for the rod and the physical switch, which add engineering work.

There is a long tail of removing grams and dollars from the car manufacturing process, and 500 grams and $20 is significant. This long tail is why e.g. the Model 3 uses a touch screen for most controls, why the rear glass extends far into the roof, and many other seemingly-"premium" features of the Model 3. It's actually cheaper to manufacture them this way.


but why use _proximity_ ?

You may just as well require a click on the key fob or phone, the cost savings would be exactly the same.


It’s great. Walk up to car get in and push gas. Stop it and walk away. No locks to fiddle with, it just works.


> And in Tesla's case, it saves money. There is no cylinder on the steering column, no cylinder in the door...

This is precisely what I mean by "brain dead". You'll forgive the hostility, but this is exactly what I'm talking about!

Nothing about this list of things REQUIRES proximity unlock. You can still require the user to push a button on their key fob to explicitly unlock the door.

I get the convenience factor, I do. If that's a feature you enjoy, then great! All the happiness for you. But give me the chance to opt out of something that is deeply broken from a security perspective.

Let me press a fscking button to unlock my car, instead of my car deciding I probably want it to unlock.


Setting up the proximity unlock is a manual step and decision you make. You can just not do this and use the keycard + pin if you're wanting more security.


I believe I've seen a setting to setup a pin code to drive on my Model 3. You can also unlock the car with the cards that came with it instead of setting up the app on your phone and using Bluetooth. It would be a bit clunky, but it would work. There is also a keyfob you can buy (https://shop.tesla.com/product/model-3_y-key-fob), not sure if that uses Bluetooth or not, and is vulnerable though.


Yes, opt out is completely missing with electronic cars. I hope some day it will be mandatory. All those „features“ are useless to me and only freak me out.


Exactly.

Customers "pushing for convenience" are unaware of the possible security implications of it (to put it in a polite way). And it is absolutely the duty of manufacturers to shut them away from stupid crap like that.

Ask any consumer if they want a Pony and they will say yes.


Glad you aren’t my car manufacturer.


Sure, you're free to pick the best solution for you. I'd opt for the most reliable one.


> I've never understood car makers obsession with proximity unlock.

Presumably because the feature is well liked. I rarely ever use the buttons on my keyfob but always use proximity lock/unlock because it's just much more convenient in practice.


I would love to have it. It would mean that I would not need to remove the key from my pocket if there was also push to start. It always annoys me when I'm carrying something having to fumble and get it out of my pocket, just to press the button and then insert it.


My car ties the keys to seat memory; since we share the car it's super nice not to fiddle with that. Also just having it somewhere in your pocket doesn't require you to search for it.


My latest car has it and it wasn't optional. I had to buy a faraday bag for my car key.


Proximity unlock makes a huge difference when you have a kid on one arm and groceries on the other. You might still be able to operate the door handle without putting stuff down but not fiddle around in your pockets.

Also Teslas don't force proximity unlock, it's up to you to set it up.


People love the feel of smart things and a car that unlocks itself when you get close does that. It's your own butler, it makes you feel important.


Proximity unlock is one of my favourite features of my car.

I live in a safe region and don't mind having my car unlocked when I'm near it. If it was manual I wouldn't lock it anyway.

I agree that it should be configurable, which on Teslas I believe it is.


Auto-lock when out of proximity is a great feature.


It absolutely is! Locking can be implicit -- the assumption should be that the user wants things secure.

But imagine working for a company that is very excited about their AI firewall, that intelligently OPENS ports based on a machine learning algorithm.

"No! That's a terrible idea!" You exclaim, pulling out tufts of hair. "That has more security holes than a slice of swiss cheese!"

"Yeah, but all our focus groups really liked the feature, and when customers hear AI and algorithms they're more likely to buy... Come on, you'd have to basically have a PhD to exploit an algorithm...."


Not to be facetious but there are security products advertised as such (intelligent learning of application behaviours etc. etc.).


I wonder how they deal with the channel hopping? I remember BT "Classic" derives the hopping sequence from the encryption key. Not sure if that changed significantly for BLE? So either they establish normal connections between relays and victims (meaning two keys, one between each relay and each victim), and then forward data coming out of the Link Layer between the attacker devices - or they need to sniff the whole spectrum in case there is just one key between car and fob.

Last time I checked, sniffing the full spectrum of BT required three SDRs, meaning six in total; making this attack rather expensive to pull off (no problem for professional thieves though, I guess). OTOH if they can use any BT stack (or manipulate it with e.g. InternalBlue[1]), potential carjackers just need two Android Phones and good WiFi :(

[1] InternalBlue: https://github.com/seemoo-lab/internalblue

//edit: I think letting the phone do some sanity checking is already a good idea. There are some indicators that can be used to make this much harder (though not impossible), and which are generally available right now (that is, without additional hardware). The two most obvious: Do the GPS locations match up (prevent theft while at other end of a mall)? Did the acceleration sensors indicate that the phone might have been moved closer to the car (prevent theft while sleeping with phone on the nightstand)?
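On the channel-hopping question raised above: in BLE the data-channel hop sequence does not depend on the encryption key at all. With the original Channel Selection Algorithm #1 it is fixed by two values the central sends in the clear in its connection request, the hop increment (5..16) and the 37-bit channel map, so any device that observes connection setup can follow the hops, and a relay that simply opens its own normal connection at each end lets each controller hop for itself. The following is an added illustration written for this thread; it is not code from the NCC Group writeup or from any Bluetooth stack, and the "busy" channel mask it uses is constructed.

```python
# Added example: Bluetooth LE Channel Selection Algorithm #1, written for this
# thread. Not code from NCC Group's writeup or from any Bluetooth stack.
# hop_increment and channel_map are the values carried in the clear in the
# connection request; no encryption key takes part in the hop sequence.

DATA_CHANNELS = 37  # BLE data channels 0..36 (37, 38 and 39 are advertising channels)
ALL_CHANNELS = (1 << DATA_CHANNELS) - 1  # channel map with every data channel usable


def csa1_sequence(hop_increment, channel_map, n_events, last_unmapped=0):
    """Return the data channel used for each of the next n_events connection events.

    channel_map is a 37-bit mask (bit i set => channel i usable). A hop that lands
    on a masked channel is remapped into the ascending list of usable channels,
    exactly as CSA #1 specifies.
    """
    if not 5 <= hop_increment <= 16:
        raise ValueError("hopIncrement is a 5..16 value in the connection request")
    used = [ch for ch in range(DATA_CHANNELS) if (channel_map >> ch) & 1]
    if len(used) < 2:
        raise ValueError("a connection needs at least two usable data channels")
    sequence = []
    for _ in range(n_events):
        last_unmapped = (last_unmapped + hop_increment) % DATA_CHANNELS
        if (channel_map >> last_unmapped) & 1:
            sequence.append(last_unmapped)
        else:
            sequence.append(used[last_unmapped % len(used)])
    return sequence


def mask_out(channel_map, channels):
    """Clear the given channels from a map (what a central does around a noisy Wi-Fi network)."""
    for ch in channels:
        channel_map &= ~(1 << ch)
    return channel_map


if __name__ == "__main__":
    print(csa1_sequence(7, ALL_CHANNELS, 10))
    busy = mask_out(ALL_CHANNELS, range(0, 9))  # constructed: pretend channels 0-8 are noisy
    print(csa1_sequence(7, busy, 10))
```

Because 37 is prime and the increment is fixed, the unmapped sequence walks every data channel once per 37 events, so a follower that knows the two parameters never loses the connection; the remapping only changes where masked hops land.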


I believe that wireless electronic unlocking of cars has always been a bad idea. Ever since my neighbors got a new Ford that included a Start button with wireless unlocking a decade or so ago, I’ve been suspicious of the technology. Although many hardware based locks aren’t so hard to overcome either, physical contact between key and device will always be more secure than remote unlocking.


We had a whole series of cars robbed on my street last week; 100% of them were the "proximity keyfob" types. I would be more excited about the shift to electric if it was just the motors and not the endless stream of marginally helpful but insecure and expensive "features" you are forced to buy on new cars now. I mean if manual window winders are cheaper and use less resources, I want those. It's impossible to get them on front doors now.


> This latency margin should be sufficient for conducting long-distance relay attacks over the internet.

> However, NCC Group has not attempted any long distance relay attacks against Tesla vehicles.

Hmm...so this is a theoretical possibility and never actually performed successfully


It's interesting that Tesla has chosen not to use geofencing for passive keyless entry since the app knows where the car was last parked.

It would make sense that if it receives a cryptographic challenge from the car, it would only respond if it was inside of the geofenced boundary for the vehicle, provided by the phone's location services.


This has been an issue with Teslas for a while. Sounds like poor decision-making to use Bluetooth for this.

Bluetooth plus UWB (Apple Wallet implementation for some Mercedes models) or Bluetooth plus [ad-hoc] Wi-Fi are reasonable solutions.


Exactly the kind of engineering team I want in charge of self driving vehicles all over the streets.


It's a limitation of Bluetooth, which is what phones use. I don't think it's bad engineering on Tesla's part.

Given this limitation however, they should highly encourage a passcode to actually drive.


This gives "cutting corners" a new meaning.


This may sound like a flippant comment, but it cuts to the heart of the matter: In every aspect, Tesla cars demonstrate that their engineering is shoddy. Low-quality, slapped-together, and patched-after-the-fact.

They just don't have quality in their soul.

We should trust these people with... how did Elon Musk put it...

"Two ton death machines"


To be honest, I don't think their engineering is necessarily shoddy. Their EV tech was top of the line and is still in the high quality segment despite competitors catching up. Their batteries are quite safe, as far as giant lithium containers can be, and the accident where a Tesla accelerated into a concrete wall without bursting into flames underlines that in my opinion.

The problem with Tesla is basically everything except the car part. Self-driving is overpromised and underdelivered. UI and UX is designed by madmen who think touch controls are acceptable for important driving related functionality. Their steering wheel is not even always a wheel. The fit and finish of their cars is basically a lottery; your body panels may or may not all fit well together.

I think this is why Tesla is doomed to eventually fail. Competitors are catching up quickly and they don't have the terrible Tesla factor when it comes to product finish. The only thing that sets Tesla apart from other luxury brands is their weird proprietary charger, their promises of self driving and their brand image. It's a shame, really, because the engineering on what makes the car move seems to be outstanding.


A players on the drive train, C players on everything else.

Everyone else seems to have B players on the drive train, but ramping up to A- players, and at least B players if not A players on everything else.


"Giant lithium-ion battery fire."

Electric vehicle battery fires can take up to 25,000 gallons of water to extinguish. Combustion engine vehicle fires typically take up to 300 gallons to extinguish.

Tesla actually recommends that firefighters let the battery burn out rather than try to extinguish the fire.

Perhaps someday we will see some researchers perform a remotely-triggered "halt and catch fire" exploit on a "Tesla Energy Product".


Or the phone in your pocket, I bet thermal runaway there would injure you quite badly.

In the meantime your last paragraph is FUD.


Maybe UWB is more difficult to relay, but what exactly would Wi-Fi bring to the table?


Time-of-flight calculations so relay attacks wouldn't work well anymore.


Much like modern computers and operating systems, with a modern EV like the Tesla it feels a bit like you're not really in full control...


Is this the same system that's on the Plaid? Or is it just the 3/Y? (My phone near the car works just like the fob did on the S)


I think the Plaid has this as well now. Older Model S didn't have this.


Presumably this is only if you disable "PIN to drive", which is on by default.


> which is on by default.

I bought my Model 3 in 2019 and PIN to drive was certainly not enabled by default.


Perhaps this has changed, my late 2020 Model X had it on by default.


More anti Tesla non-news


Fortunately someone stealing it won’t get too far away due to the inbuilt paid functionality of hitting a car in the other lane head on!


Is this not a replay attack?


Replay would be if someone legitimately unlocks the car and the attacker records the communication in order to replay it later.

Relay is when the attacker takes the Bluetooth signal of the owner in the gym and relays it to the car in the parking lot.
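The distinction above, together with the phone-side sanity checks suggested earlier in the thread (GPS distance to where the car was parked, recent motion from the accelerometer) and the time-of-flight argument from the UWB/Wi-Fi exchange, can be run side by side in a small model. The following is an added example written for this discussion; it is not Tesla's protocol, NCC Group's relay tooling or a BLE stack. It models passive entry as a nonce-based HMAC challenge/response, and every coordinate, latency and round-trip budget in it is constructed or assumed rather than measured.

```python
# Added example for this thread: a toy passive-entry challenge/response.
# Not Tesla's protocol, NCC Group's tooling or any BLE stack. Coordinates,
# latencies and round-trip budgets are constructed/assumed values.
import hashlib
import hmac
import math
import secrets

C_M_PER_S = 299_792_458.0  # speed of light, to turn a round-trip budget into a distance


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6_371_000.0 * math.asin(math.sqrt(h))


def max_relay_distance_m(rtt_budget_s):
    """How far the answering device may be if the car tolerates rtt_budget_s of round trip."""
    return C_M_PER_S * rtt_budget_s / 2


class PhoneKey:
    """Phone side. The two checks are the ones proposed in the thread, not any real app's logic."""
    def __init__(self, key, location, moved_recently=True):
        self.key = key
        self.location = location              # (lat, lon) from the phone's own location service
        self.moved_recently = moved_recently  # accelerometer saw the phone being carried lately

    def answer(self, challenge, car_location=None, radius_m=50.0, require_motion=False):
        # Sanity checks run before signing, so a relayed challenge gets no answer at all.
        if car_location is not None and haversine_m(self.location, car_location) > radius_m:
            return None
        if require_motion and not self.moved_recently:
            return None
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class Car:
    def __init__(self, key, location, rtt_budget_s):
        self.key = key
        self.location = location
        self.rtt_budget_s = rtt_budget_s  # loose (ms) on a plain BLE link, tight (ns) with UWB ranging
        self._pending = None

    def challenge(self):
        self._pending = secrets.token_bytes(16)  # fresh nonce per attempt: a recorded answer is useless
        return self._pending

    def verify(self, response, rtt_s):
        challenge, self._pending = self._pending, None
        if challenge is None or response is None or rtt_s > self.rtt_budget_s:
            return False
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def attempt(car, responder, rtt_s):
    """One unlock attempt; `responder` is whatever answers on the far side of the air link."""
    return car.verify(responder(car.challenge()), rtt_s)


KEY = secrets.token_bytes(32)
LOT = (51.5074, -0.1278)   # constructed: where the car is parked
GYM = (51.5100, -0.1400)   # constructed: the owner's phone, roughly 900 m away
BLE_BUDGET_S = 0.030       # assumed tolerance of a plain BLE exchange
UWB_BUDGET_S = 100e-9      # assumed tolerance of UWB time-of-flight ranging (about 15 m)
LOCAL_RTT_S = 0.005        # assumed round trip with the phone beside the car
RELAY_ADDED_S = 0.008      # assumed extra delay through two relay devices


def legit_unlock():
    car, phone = Car(KEY, LOT, BLE_BUDGET_S), PhoneKey(KEY, LOT)
    return attempt(car, phone.answer, LOCAL_RTT_S)


def replay_attack():
    """Attacker records the owner's answer and sends it back later."""
    car, phone = Car(KEY, LOT, BLE_BUDGET_S), PhoneKey(KEY, LOT)
    recorded = []
    def sniffed(challenge):
        recorded.append(phone.answer(challenge))
        return recorded[-1]
    attempt(car, sniffed, LOCAL_RTT_S)                        # owner unlocks, attacker listens
    return attempt(car, lambda _: recorded[0], LOCAL_RTT_S)   # stale answer to a new nonce


def relay_attack(phone_checks, rtt_budget_s):
    """Attacker forwards the live challenge to the distant phone and its answer back."""
    car = Car(KEY, LOT, rtt_budget_s)
    phone = PhoneKey(KEY, GYM, moved_recently=False)
    if phone_checks:
        responder = lambda ch: phone.answer(ch, car_location=LOT, require_motion=True)
    else:
        responder = phone.answer
    return attempt(car, responder, LOCAL_RTT_S + RELAY_ADDED_S)
```

The nonce defeats the replay but does nothing against the relay, because the relayed answer is the genuine phone's answer to the genuine challenge. What stops the relay in this model is either the phone declining to sign when its own location or motion data says it is nowhere near the car, or a round-trip budget tight enough that the added relay delay exceeds it; a millisecond-scale BLE budget corresponds to thousands of kilometres of permitted distance, which is why the latency margin leaves room for a long-distance relay.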



