Security: Car stolen in several minutes.

Tâm

I want to learn how secure Lucid is against car thefts.

This is what I think: If a hacker can physically access the CAN bus in a car, it’s possible to steal, provided there's sufficient time for the job.

The video in the article below recorded how thieves could steal a Lexus RX in 90 seconds by accessing the headlight through the wheel arch.

Headlights are controlled by an ECU (electronic control unit). A thief can reprogram the ECU to unlock the door and drive away after accessing a headlight. Thus, it's called CAN Injection.

Watch Thieves Steal an SUV in 90 Seconds, the Key Fob Doesn't Need To Be Nearby

It's unknown if a PIN requirement would prevent a thief from driving away or if the thief could also bypass the PIN.

However, there are quicker ways to steal a modern car: Copying or amplifying the fob's signal can unlock the door and drive away as if the fob is inside the car. The videos show a relay attack where an antenna/tablet can pick up the fob's signal inside the house while the car is outside. The signal is then amplified so the car can pick up a strong fob's signal as if the fob is next to or inside the car:




After these incidents, there's an option for a PIN requirement for this particular brand even when the thief can open the doors. It’s a hassle for an owner to choose the option to enter the PIN at each drive session, but I haven't heard of a car with a PIN requirement to drive being stolen by a relay attack.

Lucid does have a PIN option when you leave the card with the valet, but the valet can bypass the PIN by reaching up to the ceiling above the right shoulder where the “Y” is.

qXfw7pw.jpg
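The relay attack described in the post above succeeds because the fob's reply is genuine; only its apparent distance is faked. The following added example (not part of the original post, and not Lucid's or any manufacturer's code) models a car that checks only the cryptographic response next to one that also bounds the round-trip time. The key, round-trip times, fob processing delay and 2 m limit are constructed assumptions.

```python
import hashlib
import hmac
import os

C_M_PER_NS = 0.299792458      # speed of light in metres per nanosecond
FOB_PROCESSING_NS = 500       # assumed fixed fob turnaround time (constructed)
MAX_UNLOCK_DISTANCE_M = 2.0   # assumed policy: fob must be within 2 m

def fob_response(key: bytes, challenge: bytes) -> bytes:
    """The fob proves it knows the shared key; a relay forwards this unchanged."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

def distance_upper_bound_m(rtt_ns: float) -> float:
    """Radio cannot outrun light, so the round trip bounds how far the fob can be."""
    flight_ns = max(rtt_ns - FOB_PROCESSING_NS, 0.0)
    return flight_ns * C_M_PER_NS / 2  # halve: challenge out, response back

def car_decision(key, challenge, response, rtt_ns, check_timing):
    """Return 'unlock' or the reason for refusing."""
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, response):
        return "reject: bad response"
    if check_timing and distance_upper_bound_m(rtt_ns) > MAX_UNLOCK_DISTANCE_M:
        return "reject: fob too far"
    return "unlock"

def run_scenarios():
    """Compare a response-only check with a response-plus-timing check."""
    key = os.urandom(32)
    # Constructed round-trip times: fob about 1 m from the car, versus a fob
    # inside the house reached through a relay that adds forwarding delay.
    samples = {"owner_at_door": 506.7, "relayed_from_house": 900.0}
    results = {}
    for name, rtt_ns in samples.items():
        challenge = os.urandom(16)
        response = fob_response(key, challenge)  # genuine fob answers both times
        results[name] = (
            car_decision(key, challenge, response, rtt_ns, check_timing=False),
            car_decision(key, challenge, response, rtt_ns, check_timing=True),
        )
    return results

if __name__ == "__main__":
    for name, (without_timing, with_timing) in run_scenarios().items():
        print(f"{name}: response-only={without_timing}, with timing={with_timing}")
```

A stronger received signal never enters the decision: amplification changes signal strength, not the time the reply takes to arrive.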
 
Some thieves are very smart and sophisticated. My only surefire way of counteracting this is to have really good insurance.
 
What would reaching up into the "Y" accomplish?

Also, I would think Lucid could disable the car remotely if stolen. I'm not sure what the process would be for them to verify the request as being authenticated, or even if they have a process established for this purpose. Ideally, the owner could self-service this request thru the Lucid portal (or potentially the app).
 
What would reaching up into the "Y" accomplish?
Y accomplishment: Bypassing the PIN.

When you give your key card to someone like a valet, you must also give them your PIN. They then can enter it on the Pilot screen to turn on the propulsion and drive the car away.

If they don't know your PIN, they need to stretch their arm to the ceiling to touch the card to the "Y" location to bypass your PIN. It's as if you gave them your fob or phone key without needing a PIN to turn on the propulsion and drive away.

I prefer the system that requires a changeable PIN for propulsion, and the valet or thief can't bypass the PIN even when they have my fob or card with them. For that system, a fob or card can let a valet or thief into the car's interior but not the propulsion. To drive away, a valet or thief must get a changeable PIN from me that I can change anytime.
 
Also, I would think Lucid could disable the car remotely if stolen. I'm not sure what the process would be for them to verify the request as being authenticated, or even if they have a process established for this purpose. Ideally, the owner could self-service this request thru the Lucid portal (or potentially the app).
Not sure about Lucid but for GM OnStar:

  • First, file a police report, and let the police know you have OnStar.
  • Then call OnStar
  • Using Stolen Vehicle Assistance, we’ll help law enforcement recover your car.

By that time, hopefully, the car has not crossed the border into Mexico or Canada or gone into a shipping container overseas!
 
Your phone will tell you exactly where your car is when it gets stolen. Show that to the cops. That's how I got my eBike back when it was stolen a few years ago.

As Bobby says, if the thieves are more sophisticated than that, and they know how to disable the car from sending its GPS out to the Internet, the only thing that will help you at that point is insurance. The car is gone.

Joyriders are not going to take a Lucid anytime soon. Not unless they are hopped up on something.

Actual car theft, particularly theft of EVs, is very low compared to historical highs in the 70s and 80s. There are far bigger things to worry about, as far as I'm concerned.
 
The issue is that in the Tesla, it is trivial to disable remote access. In the Lucid, I'm not sure you can? You may be able to sign out, potentially; or restore to factory settings. That I don't know.
 
Does the facial recognition feature add anything to security here?
 
One possible solution is to have 2FA with the driver's profile. The Lucid Air is equipped with a camera monitoring the driver for alertness; it could add facial recognition before the car is able to start. This is similar to how Android and Apple allow the phone to be unlocked. The other option is to have a fingerprint scan on the pilot panel.
 
Does the facial recognition feature add anything to security here?
No, because it is not necessary to drive. It just sets the profile. I actually don’t use it since I only have one profile set up.
 
I would never trust the facial recognition in the Lucid to be anything resembling secure. It’s based on a camera only. Nowhere near as sophisticated as what Apple is doing with LiDAR on FaceID.
 
the issue is that in the tesla, it is trivial to disable remote access...
Initially, there was no security PIN for Tesla cars. After a series of car thefts in which thieves were able to click off the remote access from the car display, Tesla implemented the PIN system. Thieves and friends can no longer click the remote access off if they don't have the PIN. "Friends" are mentioned here because some friends borrow a Tesla and used to be able to turn off the remote access, but not anymore unless they know the PIN.
 