Sophisticated Car Thefts

[DaMeatMan]

Anybody see this? Has this been addressed for the MME?

https://www.cbsnews.com/news/cars-hacked-stolen-keyless-vehicle-thefts/

All car keys (fobs) in our home go into a Faraday box for keys, that is purpose built to prevent this type of relay attack.

See below as an example. It essentially prevents radio signals from the FOB from leaving the box, which then cannot be intercepted and relayed outside to gain entry into the vehicle.

https://www.amazon.ca/gp/aw/d/B08R9C2DGY?psc=1&ref=ppx_pop_mob_b_asin_title

That said, an intruder can still physically break into the vehicle by smashing a window, and then take their chances at quickly accessing the CANBUS system to program a new key fob and drive away with the vehicle.

They make OBD port locks that will make it more difficult to access the canbus, but a motivated thief will always be able to leave with your vehicle if given enough time and opportunity. The trick is making it as difficult as possible, but there really is no bullet proof way to make it impossible to steal a vehicle, either through hi tech or low tech means.

Sponsored

 

[Mach-Lee]

So I read about a Tesla Model 3 that got stolen on Reddit. It was parked in his driveway, locked and charging. They stole it and went on multiple joyrides all night before abandoning it nearby. He has one RFID card and two PAAKs as his only access methods. He got some data from Tesla and it shows it was opened and driven using BLE (Bluetooth). Leading theories on how this happened were:

1. BLE relay attack was able to pick up his or his wife's phone's signal inside while sleeping.
2. The thief hacked into their Tesla account with compromised credentials, then added another driver which grants someone else permission to drive using their own phone.
3. The thief has Tesla service access and is able to drive any Tesla (there are a lot of implications if service access was truly compromised)
4. Some other unknown attack vector.

Tesla is not able to determine which BLE key was used to drive the car, which would be helpful here. Footage from the car is also not available since he didn't opt into data sharing, nor was there a safety critical event (crash) that would trigger a data upload.

He has since changed his Tesla password (which was random generated), enabled multi-factor authentication on his Tesla account, and added an access PIN he has to type in on the screen every time the car is driven.

Part 1
Part 2
Part 3

Luckily we would only be susceptible to #1. If someone gets your FordPass credentials, they can see where you car is and unlock it, but they aren't able to drive the car unless they can guess your backup passcode (which hopefully is not the same as your FordPass password, if so you better change it). I would like to see Ford add multi-factor authentication, this is used for Ford Credit but not across the board yet. The PIN code on the screen would also be nice as a form of 2FA for high-crime areas.

 

[ChehRob]

Face recognition could also work well, cameras are already in place to ensure driver attention to road.

 

[RickMachE]

Facial recognition is weak.

 

[Spacey]

I believe that's a regulatory requirement in the UK. That's why the MMEs there get an old school generic Ford fob.

Update as of February 2025. In the U.K the generic fob is being swapped out for a Mustang Mach E fob for free. This fob goes to sleep so I don't know why Ford North America can't do the same thing?

 

[generaltso]

Update as of February 2025. In the U.K the generic fob is being swapped out for a Mustang Mach E fob for free. This fob goes to sleep so I don't know why Ford North America can't do the same thing?

They could, but it would cost more. There’s no incentive for them to do so in places where it’s not mandated.

 

[johnnycombo]

I keep my fobs in a metal cookie can in the house and when I carry my spare I keep it in a metal Altoids mint can and use my Ford pass app.

Sponsored