# V9 Features: PIN to Drive



## Tesla Newbie (Aug 2, 2017)

Can someone please explain how PIN to Drive works? Specifically, I’m wondering if there is a unque PIN for each driver, and, if so, if the car uses the identified driver to determine which profile and which Bluetooth connection to make active.

If all is true, this would appear to solve the issues we’ve discussed in many threads about the car not knowing who is in the driver’s seat when more than one driver approaches the car at the same time. 

Sorry if this has been asked and answered. I’m a regular reader of the forum, but there’s a lot of important conversation that gets buried in the software update threads.


----------



## Bigriver (Jan 26, 2018)

No, there is not a unique PIN for each driver. One PIN is set for the car and all drivers need to enter it before the car can drive.


----------



## FRC (Aug 4, 2018)

Bigriver said:


> No, there is not a unique PIN for each driver. One PIN is set for the car and all drivers need to enter it before the car can drive.


Is this simply a security measure, or is there some other benefit?


----------



## BluestarE3 (Oct 12, 2017)

FRC said:


> Is this simply a security measure, or is there some other benefit?


Security.


----------



## GDN (Oct 30, 2017)

Simply a security measure. Everyone that drives the car must know the 4 digit code. If you forget the code you must log in with your Tesla account credentials.


----------



## Tesla Newbie (Aug 2, 2017)

Thanks for the quick responses. 

Seems like a missed opportunity to solve the multiple authorized driver issues by using a unique PIN to identify who’s at the wheel and set the appropriate profile and Bluetooth connection. 

(Again, for anyone who hasn’t read the other threads, the issue is that when a couple uses both of their phones as keys and as Bluetooth audio sources, the car doesn’t know which is the driver’s phone, and therefore which profile to use and which Bluetooth connection to establish, when the two people walk toward the car at the same time.)

Also, from a security perspective, might be nice to create miscellaneous “Guest”, “Valet” and other PINS linked to profiles with corresponding capabilities. (I realize that this is what Valet mode is for, but the PIN capability would give us additional control.)

I’ll put this in the Tesla suggestion box unless the conversation here convinces me I’m not thinking about this clearly.


----------



## nonStopSwagger (May 7, 2018)

Is pin to drive needed for cars made after June 2018? A friend with a model S told me the keyfob signal jacking exploit doesnt work on newer cars.


----------



## Tesla Newbie (Aug 2, 2017)

nonStopSwagger said:


> Is pin to drive needed for cars made after June 2018? A friend with a model S told me the keyfob signal jacking exploit doesnt work on newer cars.


I didn't realize this was introduced as a result of an exploit. I thought it was simply to prevent someone from stealing your car after stealing your phone (which admittedly is no different than someone stealing your other car after stealing your keys, although in that situation you at least have your phone to call for help.)


----------



## Bigriver (Jan 26, 2018)

nonStopSwagger said:


> Is pin to drive needed for cars made after June 2018? A friend with a model S told me the keyfob signal jacking exploit doesnt work on newer cars.


It is my understanding that there was some security issue with Model S fobs which was corrected sometime this year with a new fob. It was an issue exclusive to model S and the new model S fob brings it in line with the technology of the model X fob, which never had the issue. I have no tech understanding of what "the issue" was though.

I had understood the pin to drive option is just another security layer, which I appreciate. It was first rolled out to Model S/X in September, I believe, and is just now rolling to Model 3. @Tesla Newbie, I agree it would be lovely if they would use the PIN to drive to distinguish drivers.


----------



## GDN (Oct 30, 2017)

nonStopSwagger said:


> Is pin to drive needed for cars made after June 2018? A friend with a model S told me the keyfob signal jacking exploit doesnt work on newer cars.


With the model S you are correct, there were some older ones that behaved differently than newer ones. I believe it was the technology in the fob, and so they have some opportunity to upgrade.



Tesla Newbie said:


> I didn't realize this was introduced as a result of an exploit. I thought it was simply to prevent someone from stealing your car after stealing your phone (which admittedly is no different than someone stealing your other car after stealing your keys, although in that situation you at least have your phone to call for help.)


However, don't confuse that with the 3. The exploit was with the S.

All 3's, to our knowledge, have the same technology from an unlocking/fob/security perspective and are not prone to the problem.


----------



## FRC (Aug 4, 2018)

I have not yet activated PIN to drive, and I'm not sure I want/need to. I lose no sleep worrying about theft and I love the "get in and go" aspect of my Model3. I'm assuming PIN to drive means "get in, enter your PIN, and go". Is this correct, and how detailed is the required PIN?


----------



## GDN (Oct 30, 2017)

FRC said:


> I have not yet activated PIN to drive, and I'm not sure I want/need to. I lose no sleep worrying about theft and I love the "get in and go" aspect of my Model3. I'm assuming PIN to drive means "get in, enter your PIN, and go". Is this correct, and how detailed is the required PIN?


The pin is 4 numbers and it must be entered before the car will even recall your setting by putting your foot on the brake. However, it's a bit odd, I also had to put my foot on the brake once to get the pin pad to appear on the screen. I then entered my 4 digits, touched the "accept" or whatever the button says and then with a second tap of the brake pedal all of my settings came back.

I'm guessing this isn't for everyone, but for those that must park outside or other situations it might be a good thing. It might also prevent your teenager or others from picking up your phone and taking your car, etc. However, with the pin pad popping up on the dash, it's pretty likely that anyone in your car with you would fairly easily be able to know your code after watching a few times, unless you hide it well while you tap it in.

I've turned it on to experiment and don't feel I have a huge need for it, my work parking lot and building are both secured by keycard, so I don't have much worry. My partner however, works in a PT clinic in a strip mall. Officially they aren't supposed to have their phone on them, so he leaves it in a desk drawer. His small office space isn't locked and they have between 50 to 70 patients in and out of the office during a typical day. It's kind of easy someone could slip in and pick up the phone, thus having the car key as well. So it is a perfect for that scenario. This makes it more secure than any of his co-workers who might leave their regular keys in a drawer. Someone could pick those up, head outside and in no time would have a vehicle.


----------



## FRC (Aug 4, 2018)

GDN said:


> The pin is 4 numbers and it must be entered before the car will even recall your setting by putting your foot on the brake. However, it's a bit odd, I also had to put my foot on the brake once to get the pin pad to appear on the screen. I then entered my 4 digits, touched the "accept" or whatever the button says and then with a second tap of the brake pedal all of my settings came back.
> 
> I'm guessing this isn't for everyone, but for those that must park outside or other areas it might be a good thing. It might also prevent your teenager or others from picking up your phone and taking your car, etc. However, with the pin pad popping up on the dash, it's pretty likely that anyone in your car with you would fairly easily be able to know your code after watching a few times, unless you hide it well while you tap it in.


All the rest of ya'll be sure to set up your PIN's so that the thieves will know that attempted Tesla theft is a waste of time. That way I can skip it!


----------



## Achooo (Oct 20, 2018)

FRC said:


> All the rest of ya'll be sure to set up your PIN's so that the thieves will know that attempted Tesla theft is a waste of time. That way I can skip it!


Haha. Heard immunity!


----------



## Jason F (Jul 6, 2018)

Tesla Newbie said:


> Thanks for the quick responses.
> 
> Seems like a missed opportunity to solve the multiple authorized driver issues by using a unique PIN to identify who's at the wheel and set the appropriate profile and Bluetooth connection.
> 
> ...


What you want is a login, not a pin. A 4 digit pin shouldn't be used as a login. You also don't want multiple PINs that will work.


----------



## Tesla Newbie (Aug 2, 2017)

Jason F said:


> What you want is a login, not a pin. A 4 digit pin shouldn't be used as a login. You also don't want multiple PINs that will work.


Help me understand that.

From what has been explained, the purpose of the PIN is to prevent someone with my phone from driving my car without my permission (implied because he can only use it if knows the PIN). For the sake of this discussion, let's assume that facility is useful to me.

At the same time, I have a very real need to solve what I believe is an issue with cars with multiple authorized drivers because the cars can't identify who is in the driver's seat, resulting in situations where, for example, the driving profile is for Person 1 and the Bluetooth connection is to Person 2. (The problem is made worse by the fact that we don't know which phone connected without tapping the Bluetooth icon. That's a simple tap of course, but unfortunate and a bit annoying to have to do every time we get in the car together.)

I respect that you appear to be trained in these details and I'm not, so please educate a novice. For my needs, the problem would be solved in cases where the car detects two authorized phones to simply pop up a window with the names associated with each phone so I can tap the record corresponding to the driver. (This also assumes a related enhancement to associate Bluetooth connections to driver profiles so that a single tap sets both the profile and connects the phone.) However, with the introduction of the PIN to Drive, I saw the opportunity address both of these issues with one user action; ie, entering his unique PIN to identify himself, which allows him to use the car, and sets the profile and Bluetooth connection.

What's the harm?

Stressing . . . I'm not trained in these matters, and no snark intended. Just open to learn.


----------



## DaveC (Aug 6, 2018)

Just getting into this PIN issue when I attempted to change my drive setting from Chill to Normal/Standard. I don't recall ever setting a PIN when I set the car to Chill. So I used my account login and was able to make the change. But I didn't see a way to create/change a PIN. How does one do this?


----------



## Slumbreon (Jun 23, 2018)

GDN said:


> However, don't confuse that with the 3. The exploit was with the S.
> 
> All 3's, to our knowledge, have the same technology from an unlocking/fob/security perspective and are not prone to the problem.


I believe this is incorrect. All vehicles with passive unlock/start are theoretically susceptible to the boosting attack, including the 3, the S was just the one that was targeted. Depending on the range of the transmitter (your phone) and the particular frequencies used, some cars are easier to build the exploit tools for - but they are all susceptible.

Attack: Use tech to listen to whatever signals are emanating from the phone/fob, copy them to a transmitter near the car, do the same from car back to the tech near the phone/fob. Result: phone/fob and car think they are near each other. Profit.

There may be some ways using latency/timing analysis to try and detect a boosted and relayed signal, but I'm not aware if any company is doing this.


----------



## racekarl (Jul 31, 2018)

Slumbreon said:


> Attack: Use tech to listen to whatever signals are emanating from the phone/fob, copy them to a transmitter near the car, do the same from car back to the tech near the phone/fob. Result: phone/fob and car think they are near each other. Profit.


I don't think the process is that simple - it surely was in the '70s and '80s when criminals could easily re-play garage door opener signals, but wireless security has come a long way since then.

Bluetooth, for example, requires both devices to authenticate each other using secret keys created during pairing before they will exchange messages. The scenario you described should not be possible because your replay device would not be able to authenticate itself to the car without the secret key stored on your device.

The model S exploit was only possible because Tesla used weak 40 bit encryption for the secret keys in the Model S fobs. That made it possible to intercept the signal then brute-force crack the encryption key, which allowed the attacker to authenticate themselves - simply re-playing the signal from the fob would not be sufficient to gain access to the car.

Edit: just re-read your post and I see what you're getting at is a little bit different - you're proposing creating a long-distance connection between two authenticated devices. I still think that would be pretty complex for the model 3. Bluetooth uses frequency hopping to mitigate against that type of attack. Your "man in the middle" system would still have to crack the authentication between the devices in order to hop frequencies in the same order and timing.


----------



## MelindaV (Apr 2, 2016)

Tesla Newbie said:


> The problem is made worse by the fact that we don't know which phone connected without tapping the Bluetooth icon.


The BTLE phone as a key function though is not the same as the BT audio connection. 
You could have a phone used as a key that is not set up as an audio BT connection. So in that case, if the phone with the key function is phone A and is not an audio bt connection, and phone B is not a key but has an audio BT connection, the phone B would come up on the screen as the BT connected phone, but not the one used as a a key. You would need to look under the keys screen to see the connected keys.


----------



## msjulie (Feb 6, 2018)

> I have a very real need to solve what I believe is an issue with cars with multiple authorized drivers


I think the right 'fix' for is less button taps on the profile - you can already tap on the name of the current selected driver, go to profile settings and pick another one - I just now thought I should try long press on the name to see if that does anything clever but it's cold outside right now so.. nope


----------



## Slumbreon (Jun 23, 2018)

racekarl said:


> Edit: just re-read your post and I see what you're getting at is a little bit different - you're proposing creating a long-distance connection between two authenticated devices. I still think that would be pretty complex for the model 3. Bluetooth uses frequency hopping to mitigate against that type of attack. Your "man in the middle" system would still have to crack the authentication between the devices in order to hop frequencies in the same order and timing.


Correct, boost attacks, what was seen against Model S (as opposed to a replay attack) doesn't need to break the encryption at all - just relay the encrypted signals to/from the Phone/fob and car to make the car think the phone/fob is nearby. Bluetooth frequency hopping uses 79 well-known frequencies iirc, it would require the attack tech to listen and relay on all frequencies. My point wasn't that it would be easy, but that cars that support passive access/start, model 3 included, are theoretically susceptible should the right attack tools be built. Use of pin-to-drive is a direct counter to this susceptibility.

Edit: added clarity that boost attacks, not replay attacks, is what was used on Model S.


----------



## Tesla Newbie (Aug 2, 2017)

MelindaV said:


> The BTLE phone as a key function though is not the same as the BT audio connection.
> You could have a phone used as a key that is not set up as an audio BT connection. So in that case, if the phone with the key function is phone A and is not an audio bt connection, and phone B is not a key but has an audio BT connection, the phone B would come up on the screen as the BT connected phone, but not the one used as a a key. You would need to look under the keys screen to see the connected keys.


Sure, but don't these scenarios underscore my point? The fact that the phones as keys, the driver profiles, and the phones as BT connections (calls/audio) are all independent definitions make for situations that only techies and those who consume these forums can understand. Your post was clear to me and others on this site, but I'm sure that many people in my life would have been lost at hello. The solutions I've proposed here don't prevent the configurations you described; they just attempt to untangle it for someone who doesn't want to think about it every time he or she sits in the drivers seat.

(And now my usual caveat that this is only an issue for cases where multiple family members each have a phone as key, a driver profile, and a Bluetooth connected phone.)


----------



## JWardell (May 9, 2016)

racekarl said:


> I don't think the process is that simple - it surely was in the '70s and '80s when criminals could easily re-play garage door opener signals, but wireless security has come a long way since then.
> 
> Bluetooth, for example, requires both devices to authenticate each other using secret keys created during pairing before they will exchange messages. The scenario you described should not be possible because your replay device would not be able to authenticate itself to the car without the secret key stored on your device.
> 
> ...


It's actually simpler than that. They are just amplifying the radio signals that are already there. Similar to a cell phone booster that you can put in your attic. 
It's always been a downside of comfort access features to cars...without needing a physical button press, most cars just look for the signal to be strong enough and assume that means the keys are physically close.

Apple put a ton of effort into this by calculating speed of light time-of-flight before it allowed devices to unlock each other instead of just signal strength.

The best defense is to just store your keys further inside your house, not next to the door.


----------



## Kizzy (Jul 25, 2016)

Tesla Newbie said:


> Seems like a missed opportunity to solve the multiple authorized driver issues by using a unique PIN to identify who's at the wheel and set the appropriate profile and Bluetooth connection.
> […]
> Also, from a security perspective, might be nice to create miscellaneous "Guest", "Valet" and other PINS linked to profiles with corresponding capabilities. (I realize that this is what Valet mode is for, but the PIN capability would give us additional control.)





Tesla Newbie said:


> Help me understand that.
> 
> From what has been explained, the purpose of the PIN is to prevent someone with my phone from driving my car without my permission (implied because he can only use it if knows the PIN). For the sake of this discussion, let's assume that facility is useful to me.
> 
> ...


The more valid PINs there are, the more likely (mathematically) that someone can guess one correctly. For Tesla to allow this feature would basically mean they're allowing customers (who may not understand security) to weaken this security device.

Let's explore this (more mathy folks, feel free to correct me):

For a 4-digit PIN, there are 10,000 possible combinations (0000-9999). An unauthorized user has 1 in 10,000 chance to guess a correct PIN.

Now, let's say you have a large family and several friends for a group of 10 users, each with a different PIN. It is now 10 times as likely that an unauthorized user can guess a PIN correctly with a 10 in 10,000-or 1 in 1,000-chance.

These numbers don't take into account the tendency of some people to use very simple PINs (sequential or repeated numbers) which may be the first ones tried by an unauthorized user.

An additional complication is that each user needs to have their own unique PIN-and that needs to be enforced. That process could get a little clunky if a user tries to use a number already in use for a PIN.

As @msjulie has referenced, we already have a method to choose the correct profile. I'd like to suggest automatically opening the user profile menu to allow for quick selection of the one needed when entering the car.


----------



## C.Ross (Apr 7, 2018)

This is probably a stupid question. I may have missed it - but is “PIN to drive” now an option on the Model 3?


----------



## GDN (Oct 30, 2017)

C.Ross said:


> This is probably a stupid question. I may have missed it - but is "PIN to drive" now an option on the Model 3?


Yes. On wide release SW from last year.


----------

