Tesla Security

Last updated 14-Aug-2022

Tesla are reasonably secure cars, and with the inbuilt tracking, many assume that theft is unlikely if not impossible. That is simply not the case, in this guide we explain why, and the steps you can take.

Why would anyone steal a Tesla?

It might seem a daft question, but some people do question why anyone would steal a Tesla stating "you can see where your car is through the app, and surely Tesla can send an over the air update to render the car unusable."

Well that is largely true however it's not the complete picture:

  • It's easy to block the signal between the car and Tesla, so the car can't communicate where it is.
  • Joyriders may just want to drive (or race) your car for a few hours and then abandon it, maybe even set fire to it.
  • Tesla parts are expensive, and cars can be stolen to be stripped of parts.
It's unlikely a Tesla will be stolen to be resold, although this is possible, and may be the case where the car is exported to another country which Tesla do not currently cover.

Tesla Lock

Security, and the lengths you decide to go are a personal choice, often reflecting your perceived risk in a given location. If the car is in a very low crime area, you may feel some of the measures are not needed, whereas parked in a dark public car park may result in more stringent measures including physical measures being worthwhile.

Account Security

Many owners make use of the Tesla App whilst owning their car. This gives a range of features including locating and unlocking the car. The app can also send a "keyless start" which bypasses Pin to Drive (P2D) and allows the car to be, as the name suggests, driven without the key.

The security around the app is somewhat questionable as the required codes are the same as those many people give to third party's such as Teslafi and Teslamate for capturing statistics about their car. There are also third party apps such as Tesla Watch which even exploit the weaknesses of the API to give the owner some convenient extra features or shortcuts.

The problem with third party apps is any breach of their security is a breach of yours. If they can get hold of your security tokens they can easily locate, open and drive away in your car.

Many talk about multi factor authentication (MFA) on their Tesla account and this is an option that Tesla offer. While this is good practice in general, it has little to do with Token security.

  • Avoid giving any third party your tokens unless you absolutely trust them.
  • The only way to expire Tokens is to change your Tesla account password.
  • Usual internet precautions and the use of MFA is advisable but does not prevent token abuse.


Signal Relay vulnerability

As Tesla allows keyless entry, the car will open automatically when it detects the key is in the presence of the vehicle. Tesla call this "Passive entry". When physical key fobs are being used (not the phone key or card key), these give off a signal which the car will detect. The further away these keys are from the vehicle, the weaker the signal, and within a relatively short radius of the car, only a few meters, the signal is too weak and the car stops detecting the key.

With the right technology however, this signal can be boosted and relayed to the car. The typical scenario is the key is near the front door of a house, and the car some short distance away, but out of range. Placing a receiver near the front door can result in the key signal being picked up, this is then relayed to a transmitter which is near the car, and the car therefore sees the signal and unlocks, not realising the signal has been relayed.

Whether your Tesla is susceptible to this type of attach varies based on model, age of car and country. Only key fobs with the TESLA logo printed on the flat side support the passive locking and unlocking feature. Key fobs with the MODEL 3 or Y logo printed on the flat side cannot passively lock and unlock the car. With these later keys according to Tesla, for increased security, passive locking and unlocking disables after being stationary for five minutes while within vehicle range when the vehicle is not in use (for example, you are standing outside your vehicle). In this situation, you must shake or press a button on the key fob to re-enable passive locking and unlocking. We believe this also applies when the key is out of range, but irrespective, the guidance below of a faraday pouch or box is still a good idea.

Older cars, such as Model S and Model X initially had an older key type which had other vulnerabilities but, in many instances, can be upgraded. If in doubt, talk to you nearest service centre.

Harder to do, but not impossible, is a Bluetooth relay attack. Mobile phones acting as Bluetooth keys in general can be a problem in home settings as the range is generally further than a key fob, and this can mean a phone inside the property is still within range of the car. Even if it's not in range directly, the relay exploit can be performed on phones further away in the property than a key fob.

  • P2D can help prevent the car being driven even if opened in this way
  • Keep keyfobs well away from doorways and windows. Ideally store key fobs in "faraday" pouches or boxes, these are specially designed containers that block the signal.
  • Consider turning off passive entry on older MS and MX which have the option as this will prevent the attack, but this can cause slight inconvenience requiring the key fob to be physically used. Model 3 and Model Y do not have an option to turn off the feature.
  • The keycard is the least prone to attack of this type, but is the least convenient to use.

Cloning and granting access

Items such as the keycard can be cloned. If this is the case, then the user has the same capabilities as you do. It does require physical access to the keycard for a period of time. This type of fraud is similar to credit card cloning so care should be taken with all your cards.

Anyone with access to the keycard and your car may also register an additional device to the car without your permission unless the car has been placed in valet mode. They can then use this device at a later time to gain access. To try and avoid detection, they may reuse an existing key profile. Valet mode is protected by a simple pin and depending on how long they have the car, even this can be overcome.

  • Be mindful who you leave your keys with and use valet mode. Garages and valet parking attendants may have access to your keycard for a period of time that gives them sufficient time to close the key. Whilst Valet mode restricts this, it suffers from the same general vulnerability of P2D.
  • Check the keys that are setup when you return to your car. Ensure no additional keys have been setup.
  • Using a keyfob with garages and valet parking is more secure as these are harder to clone and the users can not add a key without the keycard.

Physical Security

Tesla do NOT use dead lock technology which prevents doors from being opened from within if the car is locked. Coupled with the fact Tesla use frameless windows means it is relatively easy to force a gap between the window and the door frame enabling a device to be slid through and the door opened. There is no real fix for this.

What you can do however, is add physical devices to the car, typically devices that fit around the steering wheel, that even when the car is open and in drive, driving is impossible. This can act as a deterent.

We make a number of suggestions on our recommended accessories page.

Another suggestion on physical security is to leave the car plugged in and charging. This can add a short delay to anyone wanting to jump in the car, but it's worth remembering that if they can drive the car, they can unlock the charging cable, and the cable itself may be an opportunity for a thief.

Tesla do not fit locking wheel nuts (technically they're actually bolts). There is much debate about whether wheel theft is still as common as it was in the past. Tesla specify a high torque when doing up wheel bolts, and the locking wheel bolt mechanism is therefore put under greater strain than on other makes of car which may cause them to fail. Tesla do sell them however, and if you feel this may be a threat, then they are a consideration. It's worth noting that specialist tools are readily available which will remove locking wheel nuts/bolts, all they will do is slow down any potential thief.

  • Physical measures provide a visual deterent which may prevent thiefs even trying
  • Sentry mode flashing the car headlights can deter thieves, although can be wasteful on energy.
  • Pin 2 Drive may help slow a thief down once in the car.
  • Locking wheel nuts may be required if you visit areas where this type of crime is still occuring.
  • Never leave valuables within the car, and if you do make sure they are out of sight.
  • Where you leave your car can act as a form of protection, a well lit parking space, covered by CCTV can all help encourage a potential thief to walk on past.

Tracking

Most people are familiar with the Tesla app and the ability to see the car position remotely. This isn't however fool proof, the position does not update if the car is on a trailer, and the connectivity can be relatively easily blocked.

Third party trackers do exist, and some are mandated by insurance companies. An alternative, cheaper option however is to leave Apple Airtags or Tile Pros in the car so that you can potentially track the car even if they disable the cars connectivity. It would be quite a good feeling to use any thief's own mobile phone to tell you where the car is.

Conclusion

Security measures fall into a two areas, protecting the vulnerabilities, and discouraging your car from being a target. There are no absolute right or wrong things here, and each owner must determine the extent they wish to protect their car. What we do want however, is to encourage any choice to be an informed choice, for instance thinking Pin 2 Drive would always prevent a car being driven, or a car can always be located in the app are sadly false assumptions.

But it's also worth pointing out that Tesla cars are still a relatively rare car to be stolen. A visible laptop on the back seat of any car is temptation to a potential thief to put a brick through a window, but beyond that type of theft, actual thefts are still thankfully rare, especially on the newer models. A few sensible precautions, many of which are applicable to any make of car, will help reduce the probability of your car being a target, and help thwart a thief if they still decide to try.

tesla-info on facebook Contact tesla-info on linkedin tesla-info on twitter tesla-info on youtube tesla-info on Discord

By using our site, you acknowledge that you have read and understand our Privacy and Cookie Policy. Your use of the tesla-info website is subject to these policies and terms. All data is provided on a reasonable endeavours basis but errors and omissions may exist. No data should be relied upon as being accurate and additional checks should be made if the information is material to any purchase or use of the car.
Ways you can support tesla-info