From anywhere in the world, a simple device can deceive any Bluetooth lock. Millions of digital locks, including those on Tesla cars, can be broken by hackers capable of exploiting Bluetooth technology, according to researchers from NCC Group.
Basic vulnerability info
The researchers built a tool that performs a Bluetooth Low Energy (BLE) relay attack, bypassing the existing protections and authenticating to the target device. BLE is used in a wide range of products: laptops, smartphones, smart watches, smart locks, building access control systems, and cars.
How it works
Typically, a key fob designed to wirelessly unlock a product “communicates” with the product itself, upon command. In a relay attack, an adversary intercepts that communication and relays it between the two ends, so that each believes the other is nearby, allowing for theft of or entry into:
- Cars with automotive keyless entry
- Mobile phones
- Laptops with a Bluetooth proximity unlock feature
- Residential smart locks
- Building access control systems
- Vehicles produced by numerous manufacturers
Although the technical details surrounding this new BLE relay attack have not been released, researchers described testing the attack method on a Tesla Model 3 from 2020 using an iPhone 13 mini that ran version 4.6.1-891 of the Tesla app.
In a video shared with Reuters, an NCC Group researcher managed to unlock and drive the car using a series of relaying devices, which deceived the car into ‘thinking’ that its owner’s phone was nearby, when in fact the phone was more than 80 feet away. This strongly suggests that an attacker could take control of a vehicle located anywhere in the world, from anywhere in the world.
“What makes this powerful is not only that we can convince a Bluetooth device that we are near it — even from hundreds of miles away — but that we can do it even when the vendor has taken defensive mitigations like encryption and latency bounding to theoretically protect these communications from attackers at a distance,” says security researcher Sultan Qasim Khan.
What’s worse is that the hardware needed for a successful BLE relay attack is inexpensive and readily available online.
This BLE security vulnerability is not a conventional software bug: it cannot be fixed with a patch, because it abuses the assumption that a live BLE link implies physical proximity. Delivering a fix will not be easy. Although industry may respond quickly and come up with viable technological solutions, it will take time for end users to receive and apply updates.
Solving for BLE security
As indicated previously, the flaw in Bluetooth Low Energy receivers could potentially affect everyone: from organizations locking building doors to individuals who want to lock cars, phones, laptops, or other personal devices.
At the industry level, security researchers recommend that manufacturers limit the risk of vehicle hijacking by disabling proximity key functionality once a user’s phone has been stationary for a set period of time. They also suggest a dual-factor authentication model, requiring users to tap a button on the phone to unlock devices.
At the individual level, researchers suggest that owners of Bluetooth-enabled vehicles enable the “PIN to Drive” feature and turn off Bluetooth when not using it. Both of these measures can prevent vehicle theft.
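To make the recommended mitigations concrete, here is an added example (written for this article, not NCC Group’s or any vendor’s code) of an unlock policy that applies them together: a vendor-style latency bound, which the researchers note is not sufficient on its own; refusal of passive proximity unlock once the phone has been stationary for too long; a fresh confirmation tap on the phone as a second factor; and a separate PIN gate before the car can be driven. The thresholds, field names and the constructed scenarios are assumptions, not figures from the article.

```python
"""Proximity-unlock policy combining the mitigations the article lists.
Constructed example; thresholds below are assumed, not vendor values."""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed policy thresholds (not from the article).
STATIONARY_LIMIT_S = 10 * 60   # phone idle this long -> passive unlock disabled
TAP_FRESHNESS_S = 30           # a confirmation tap older than this does not count
MAX_RTT_MS = 50                # latency bound on the BLE challenge/response

# Reason codes so callers and audit logs can match on stable strings.
R_LATENCY = "latency bound exceeded"
R_STATIONARY = "phone stationary too long; proximity key disabled"
R_NO_TAP = "no fresh confirmation tap on phone"
R_OK = "ok"


@dataclass
class UnlockRequest:
    now: float                 # time the car evaluates the request (seconds)
    last_motion: float         # last time the phone's motion sensor reported movement
    last_tap: Optional[float]  # time of the user's confirmation tap, if any
    rtt_ms: float              # measured round trip of the BLE challenge/response


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def evaluate_unlock(req: UnlockRequest, require_tap: bool = True) -> Decision:
    """Every failed check denies; all checks run so the audit record is complete."""
    d = Decision(allowed=True)
    # Vendor-style latency bound. Kept as a cheap first filter only: the article
    # quotes the researchers saying their relay works even under such bounds,
    # so passing it must never be sufficient by itself.
    if req.rtt_ms > MAX_RTT_MS:
        d.allowed = False
        d.reasons.append(R_LATENCY)
    # Mitigation 1: a phone that has not moved for a long time is probably
    # sitting at home or in a bag, not walking up to the car with its owner.
    if req.now - req.last_motion > STATIONARY_LIMIT_S:
        d.allowed = False
        d.reasons.append(R_STATIONARY)
    # Mitigation 2: dual-factor, an explicit tap on the phone proves a person
    # is interacting with it right now, which a relayed link cannot supply.
    if require_tap and (req.last_tap is None or req.now - req.last_tap > TAP_FRESHNESS_S):
        d.allowed = False
        d.reasons.append(R_NO_TAP)
    if d.allowed:
        d.reasons.append(R_OK)
    return d


def authorize_drive(unlock: Decision, pin_entered_ok: bool) -> bool:
    """'PIN to Drive': unlocking the cabin is not enough to start the vehicle."""
    return unlock.allowed and pin_entered_ok


def demo() -> List[Decision]:
    """Three constructed scenarios evaluated at the same instant (t = 1000 s)."""
    now = 1000.0
    scenarios = [
        # Owner walked up a few seconds ago and tapped the phone.
        UnlockRequest(now=now, last_motion=now - 20, last_tap=now - 5, rtt_ms=12.0),
        # Phone has sat still for 45 minutes; an unlock request arrives anyway
        # with a low round trip. This is the shape of the relay scenario.
        UnlockRequest(now=now, last_motion=now - 45 * 60, last_tap=None, rtt_ms=12.0),
        # Phone is moving but nobody tapped it.
        UnlockRequest(now=now, last_motion=now - 20, last_tap=None, rtt_ms=12.0),
    ]
    return [evaluate_unlock(s) for s in scenarios]


if __name__ == "__main__":
    for d in demo():
        print("ALLOW" if d.allowed else "DENY ", "|", "; ".join(d.reasons))
```

Note that the stationary check and the tap check are independent gates: the second scenario is denied even though its round trip is well within the bound, which is exactly the case the latency check alone would have let through.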