Relay attacks in cars are nothing new. Thieves have been using them for years to gain unauthorized access to vehicles equipped with keyless entry and start systems, by fooling the car into thinking that precious fob is present and accounted for. But certain forms of keyless entry, like Tesla’s credit card keys or BMW’s cell phone access, have been largely immune to these attacks — until now.
Radio relay attacks are technically complicated to execute, but conceptually easy to understand: attackers simply extend the range of your existing key using what is essentially a high-tech walkie-talkie. One thief stands near you while you’re in the grocery store, intercepting your key’s transmitted signal with a radio transceiver. Another stands near your car, with another transceiver, taking the signal from their friend and passing it on to the car. Since the car and the key can now talk, through the thieves’ range extenders, the car has no reason to suspect the key isn’t inside — and fires right up.
But Tesla’s credit card keys, like many digital keys stored in cell phones, don’t work via radio. Instead, they rely on a different protocol called Near Field Communication or NFC. Those keys had previously been seen as more secure, since their range is so limited and their handshakes with cars are more complex.
Now, researchers seem to have cracked the code. By reverse-engineering the communications between a Tesla Model Y and its credit card key, they were able to properly execute a range-extending relay attack against the crossover. While this specific use case focuses on Tesla, it’s a proof of concept — NFC handshakes can, and eventually will, be reverse-engineered.
As with RF relay attacks, the defense is simple: cut off access. Plenty of commercial wallets, cards, and bags will act like a faraday cage for your Tesla key, restricting its communications from any nearby ne’er-do-wells. And maybe think twice about embedding that NFC tag in your arm — it could pose a legitimate security risk for you car.