Last updated 14-Aug-2022
Tesla are reasonably secure cars, and with the inbuilt tracking, many assume that theft is unlikely if not impossible. That is simply not the case. In this guide we explain why, and the steps you can take.
It might seem a daft question, but some people do question why anyone would steal a Tesla, stating "you can see where your car is through the app, and surely Tesla can send an over the air update to render the car unusable."
Well, that is largely true; however, it's not the complete picture:
Security, and the lengths you decide to go to, are a personal choice, often reflecting your perceived risk in a given location. If the car is in a very low crime area, you may feel some of the measures are not needed, whereas parking in a dark public car park may make more stringent measures, including physical ones, worthwhile.
Many owners make use of the Tesla App whilst owning their car. This gives a range of features including locating and unlocking the car. The app can also send a "keyless start" which bypasses Pin to Drive (P2D) and allows the car to be, as the name suggests, driven without the key.
The security around the app is somewhat questionable as the required codes are the same as those many people give to third parties such as Teslafi and Teslamate for capturing statistics about their car. There are also third party apps such as Tesla Watch which even exploit the weaknesses of the API to give the owner some convenient extra features or shortcuts.
The problem with third party apps is any breach of their security is a breach of yours. If they can get hold of your security tokens they can easily locate, open and drive away in your car.
Many talk about multi factor authentication (MFA) on their Tesla account and this is an option that Tesla offer. While this is good practice in general, it has little to do with token security.
As Tesla allows keyless entry, the car will open automatically when it detects the key is in the presence of the vehicle. Tesla call this "Passive entry". When physical key fobs are being used (not the phone key or card key), these give off a signal which the car will detect. The further away these keys are from the vehicle, the weaker the signal, and beyond a relatively short radius of the car, only a few meters, the signal is too weak and the car stops detecting the key.
With the right technology however, this signal can be boosted and relayed to the car. The typical scenario is the key is near the front door of a house, and the car some short distance away, but out of range. Placing a receiver near the front door can result in the key signal being picked up. This is then relayed to a transmitter which is near the car, and the car therefore sees the signal and unlocks, not realising the signal has been relayed.
Whether your Tesla is susceptible to this type of attack varies based on model, age of car and country. Only key fobs with the TESLA logo printed on the flat side support the passive locking and unlocking feature. Key fobs with the MODEL 3 or Y logo printed on the flat side cannot passively lock and unlock the car. With these later keys, according to Tesla, for increased security passive locking and unlocking disables after being stationary for five minutes while within vehicle range when the vehicle is not in use (for example, you are standing outside your vehicle). In this situation, you must shake or press a button on the key fob to re-enable passive locking and unlocking. We believe this also applies when the key is out of range, but irrespective, the guidance below of a faraday pouch or box is still a good idea.
Older cars, such as Model S and Model X, initially had an older key type which had other vulnerabilities but, in many instances, can be upgraded. If in doubt, talk to your nearest service centre.
Harder to do, but not impossible, is a Bluetooth relay attack. Mobile phones acting as Bluetooth keys in general can be a problem in home settings as the range is generally further than a key fob, and this can mean a phone inside the property is still within range of the car. Even if it's not in range directly, the relay exploit can be performed on phones further away in the property than a key fob.
Items such as the keycard can be cloned. If this is the case, then the user has the same capabilities as you do. It does require physical access to the keycard for a period of time. This type of fraud is similar to credit card cloning so care should be taken with all your cards.
Anyone with access to the keycard and your car may also register an additional device to the car without your permission unless the car has been placed in valet mode. They can then use this device at a later time to gain access. To try and avoid detection, they may reuse an existing key profile. Valet mode is protected by a simple pin and depending on how long they have the car, even this can be overcome.
Tesla do NOT use deadlock technology, which prevents doors from being opened from within if the car is locked. Coupled with the fact that Tesla use frameless windows, this means it is relatively easy to force a gap between the window and the door frame, enabling a device to be slid through and the door opened. There is no real fix for this.
What you can do however, is add physical devices to the car, typically devices that fit around the steering wheel, that make driving impossible even when the car is open and in drive. This can act as a deterrent.
We make a number of suggestions on our recommended accessories page.
Another suggestion on physical security is to leave the car plugged in and charging. This can add a short delay to anyone wanting to jump in the car, but it's worth remembering that if they can drive the car, they can unlock the charging cable, and the cable itself may be an opportunity for a thief.
Tesla do not fit locking wheel nuts (technically they're actually bolts). There is much debate about whether wheel theft is still as common as it was in the past. Tesla specify a high torque when doing up wheel bolts, and the locking wheel bolt mechanism is therefore put under greater strain than on other makes of car, which may cause them to fail. Tesla do sell them however, and if you feel this may be a threat, then they are a consideration. It's worth noting that specialist tools are readily available which will remove locking wheel nuts/bolts, so all the locking bolts will do is slow down any potential thief.
Most people are familiar with the Tesla app and the ability to see the car position remotely. This isn't however foolproof: the position does not update if the car is on a trailer, and the connectivity can be relatively easily blocked.
Third party trackers do exist, and some are mandated by insurance companies. An alternative, cheaper option however is to leave Apple Airtags or Tile Pros in the car so that you can potentially track the car even if they disable the car's connectivity. It would be quite a good feeling to use any thief's own mobile phone to tell you where the car is.
Security measures fall into two areas: protecting the vulnerabilities, and discouraging your car from being a target. There are no absolute right or wrong things here, and each owner must determine the extent they wish to protect their car. What we do want however, is to encourage any choice to be an informed choice. For instance, thinking Pin to Drive would always prevent a car being driven, or that a car can always be located in the app, are sadly false assumptions.
But it's also worth pointing out that Tesla cars are still a relatively rare car to be stolen. A visible laptop on the back seat of any car is temptation to a potential thief to put a brick through a window, but beyond that type of theft, actual thefts are still thankfully rare, especially on the newer models. A few sensible precautions, many of which are applicable to any make of car, will help reduce the probability of your car being a target, and help thwart a thief if they still decide to try.