FOB to Mitigate Relay Attacks


Now Implemented!


Any car can be stolen. But with wireless keys, the signal can be relayed so it seems the keyfob is closer to the car than it actually is.

Such replay attacks are hurting Model S & X customers even if their cars aren’t stolen because of increased insurance costs or reduced convenience because we now have to turn off Passive entry or enable “PIN to drive”. And in the Netherlands, cars are actually stolen for parts (e.g. 9 in just a few months last year).

One FOB solution might have a 3-axis accelerometer or another form of on-body detection that generates the passive entry signal only if they key is carried/moved towards the car. This way, a key that’s “too passive” (sitting in a coat or bag in a wardrobe near the door), will not open the car when this is relayed closer to the car.


I’m aware of at least BMW using this in their keyfobs. Additional benefit is that keys could last longer because they don’t periodically have to pulse radio signals if the key is sitting still. The IMU (inertial measurement unit) could also be used to enable additional gestures, like double knocking on the key to (for instance) open the trunk. This would be easier to “trigger” than pressing the right button, you’d have to hold the key for that.


In June 2018 Tesla started shipping an improved FOB for the Model S that reduces the chance of this type of attack working. Upgraded FOBs can be purchased for all older Model S cars. The Model X already has additional protections.

lightly edited by moderator
Category: CY3XS Applies to:
     Created 3-Sep-2018


Agreed, the specific issue of relay attacks raised is not fixed yet.

Even though the newer keys address an important flaw, it doesn't solve the relay problem which is demonstrated to be in active use in the UK and the Netherlands.

@moderator: could you change the status to "not implemented"
    Created 1-Dec-2018
The updated fobs that started shipping in June do not make relay attacks any more difficult. If you have the new fobs, you still need to set PIN-to-drive if you are worried about relay attacks. I paid $150 apiece for the new fobs (my car was built in Feb), but I now use PIN-to-drive.

What the new fobs do is block an attack that has yet to be used, one that has been named “key cloning”. This technique, discovered and demonstrated by a security team in Belgium, allows someone to clone your key on one day, and then come back the next day and unlock your car with it.
    Created 1-Dec-2018