Sponsored

stuckpx

Active Member
Joined
Aug 3, 2022
Threads
3
Messages
28
Reaction score
36
Location
Seattle, WA
Vehicles
R1T, Porsche Boxster
From opening Tesla's charger ports, to hacking truck key fobs and even hotel room card keys the Flipper Zero has done it all. So when I got mine delivered last week, I had to try it on my R1T with the sole purpose of finding out, is the Rivian hackable with this device? Here's what I found

The Card Keys: These are MiFare Desire cards, these use some of the most secure encryption which can't be emulated currently and word on the street is that probably "never".

The Key Fob: I had to look up what frequency does the key fob use to see if i can capture its signal (most u.s key fobs use 315mhz) and Holy smokes batman! Rivian key fobs operate in the 2.4 Ghz range! Thats Bluetooth! So in short the keyfob isn't really a key fob but a mini bluetooth device. Making it not vulnerable to any of the typical key fob replay attacks! Thats amazing if you ask me!

Props to the Rivian security team! Good job folks! Love all the attention to detail in every aspect of this vehicle. Considering this is a v1 product, we can't wait to see what you have in store for us in the years to come!
Sponsored

 

SeaGeo

Well-Known Member
First Name
Brice
Joined
Jan 12, 2021
Threads
47
Messages
4,707
Reaction score
8,906
Location
Seattle
Vehicles
Xc60 T8
Occupation
Engineer
The keyfob being bluetooth also seems to be part of the reason it can be slow to respond.
 

COdogman

Well-Known Member
First Name
Brian
Joined
Jan 21, 2022
Threads
22
Messages
3,287
Reaction score
6,918
Location
Colorado
Vehicles
Tacoma TRD Pro
Occupation
Dog Wrangler
I am always happy to read these reports from white hatted people like yourself, but then my second thought is that I’m glad you’re not my next door neighbor so you can’t experiment on all my stuff. No offense! :sun:
 

Ralph

Well-Known Member
First Name
Ralph
Joined
Jun 14, 2021
Threads
1
Messages
421
Reaction score
426
Location
Fayetteville, AR
Vehicles
R1T, Outback
The keyfob being bluetooth also seems to be part of the reason it can be slow to respond.
And *may* be a reason that it is "less than perfect" for many users at proximity sensing. At least at present with multiple users.
 

Sponsored

harkco

Well-Known Member
First Name
Kevin
Joined
Feb 28, 2019
Threads
18
Messages
278
Reaction score
474
Location
Texas
Vehicles
2022 R1T LE / 2018 Lexus GX
The FOB using bluetooth also explains why my headphones always pause when I walk by my truck in the garage.
 

mwexler2

Well-Known Member
First Name
Mike
Joined
Sep 18, 2021
Threads
6
Messages
252
Reaction score
400
Location
Boulder Creek
Vehicles
Model Y, Prius Plug-in
Occupation
Software Engineer

GHuff

Well-Known Member
First Name
John
Joined
Feb 25, 2021
Threads
3
Messages
113
Reaction score
152
Location
Tyler
Vehicles
Tesla
The FOB using bluetooth also explains why my headphones always pause when I walk by my truck in the garage.
If you are playing music using Spotify, it likely has nothing to do with the FOB. Spotify will "jump" between which device is playing (your Rivian and headphones/phone) when you are close enough to the Rivian. I've experienced the same thing and It is pretty annoying.
 

Inkedsphynx

Well-Known Member
Joined
May 27, 2021
Threads
4
Messages
1,005
Reaction score
1,988
Location
Washington
Vehicles
'22 LE R1T, '21 CB500FA, '21 CMX1100A
As others have said, BT isn't exactly free of security holes, but I do appreciate Rivian's choices as what they've gone with is more secure than other (cheaper) options. As a professional in the InfoSec space, this makes me happy :)
 

Madsen203

Well-Known Member
First Name
Michael
Joined
Jul 18, 2022
Threads
4
Messages
278
Reaction score
324
Location
Bay Area
Vehicles
Tesla Model Y
Occupation
Manager
They have Bluetooth range extenders as well. This is what is commonly used to “hack” a Tesla parked in the driveway if owner phone is nearby.

I’d prefer a standard key that has immediate response and accurate proximity functionality rather than the delayed set up in current form. How often are cars being stolen or broken into with this security “hole”? Seems like a non issue for 99.9% of people.
 

Sponsored

Inkedsphynx

Well-Known Member
Joined
May 27, 2021
Threads
4
Messages
1,005
Reaction score
1,988
Location
Washington
Vehicles
'22 LE R1T, '21 CB500FA, '21 CMX1100A
They have Bluetooth range extenders as well. This is what is commonly used to “hack” a Tesla parked in the driveway if owner phone is nearby.

I’d prefer a standard key that has immediate response and accurate proximity functionality rather than the delayed set up in current form. How often are cars being stolen or broken into with this security “hole”? Seems like a non issue for 99.9% of people.
It's only a non-issue because the security for those types of devices is relatively robust. If you give someone a vulnerability to exploit, someone will exploit that vulnerability. First rule of InfoSec 😆
 

Blakeney

Well-Known Member
First Name
Jeremy
Joined
Jan 25, 2022
Threads
10
Messages
78
Reaction score
55
Location
Orem Utah
Vehicles
2021 Ram 1500 Limited, 2020 Kia Telluride SX
2.4ghz is also Zigbee protocol
 
OP
OP

stuckpx

Active Member
Joined
Aug 3, 2022
Threads
3
Messages
28
Reaction score
36
Location
Seattle, WA
Vehicles
R1T, Porsche Boxster
I am always happy to read these reports from white hatted people like yourself, but then my second thought is that I’m glad you’re not my next door neighbor so you can’t experiment on all my stuff. No offense! :sun:
LOL! :)
 

kylealden

Well-Known Member
First Name
Kyle
Joined
Feb 25, 2021
Threads
19
Messages
1,113
Reaction score
3,358
Location
Seattle
Vehicles
Rivian R1T LE, Tesla Model Y, BMW F800GSA, '69 CJ5
Occupation
Product Management
The keyfob being bluetooth also seems to be part of the reason it can be slow to respond.
I've noticed the taillights flash and you can often hear a little "thunk" as the car wakes up when you get close enough for the key to handshake with the truck. My experience is that no inputs work until that handshake happens. It's not the vague "maybe I'm close neough for the radios to hear me" that folks are used to - it's more of a "session established, you may now press unlock." Which is both better and worse.
 

JoulesVerne

Well-Known Member
Joined
Feb 17, 2022
Threads
4
Messages
65
Reaction score
80
Location
NY
Vehicles
2022 Rivian R1T LE, 2022 Ioniq 5 SEL
They have Bluetooth range extenders as well. This is what is commonly used to “hack” a Tesla parked in the driveway if owner phone is nearby.
If you disable PaaK while at home you are protected from this particular attack. A bad actor would have to first trick the vehicle into thinking it is elsewhere. Presumably by spoofing GPS signals.

Hopefully the vehicle only refreshes its location when queried by Rivian infrastructure (ex. in response to a request by the app.)
Sponsored
 
Last edited:

Sponsored

 
Sponsored
Top