A Bluetooth Low Energy (BLE) vulnerability discovered by NCC Group researchers may be used by attackers to unlock Teslas (and other cars with BLE-based keyless entry), residential smart locks, building access systems, mobile phones, laptops, and many other devices.
About the BLE vulnerability
Bluetooth Low Energy (BLE) is a short-range wireless data exchange protocol maintained by the Bluetooth Special Interest Group (Bluetooth SIG). It is widely used for proximity authentication in security-critical applications, where a device unlocks because a trusted BLE device appears to be within range.
The discovered vulnerability is “not a traditional bug that can be fixed with a simple software patch, nor an error in the Bluetooth specification,” the researchers noted. Instead, it arises from using BLE for a purpose it was not originally designed for: proving that a trusted device is physically close.
“Many products implement Bluetooth Low Energy (BLE)-based proximity authentication, where the product unlocks or remains unlocked when a trusted BLE device is determined to be nearby,” they explained. They added that relay attacks against BLE proximity authentication have been known about for years, but existing tools introduced detectable latency and could not relay connections that use link layer encryption.
The researchers’ new BLE link layer relay tool, however, keeps the added round-trip latency within the range of normal response timing variation, so a latency check cannot tell a relayed connection from a direct one. It also detects encrypted changes to connection parameters and keeps relaying the connection through them.
Affected vehicles and devices
“What makes [our tool] powerful is not only that we can convince a Bluetooth device that we are near it—even from hundreds of miles away—but that we can do it even when the vendor has taken defensive mitigations like encryption and latency bounding to theoretically protect these communications from attackers at a distance. All it takes is 10 seconds—and these exploits can be repeated endlessly,” said Sultan Qasim Khan, NCC Group principal security consultant and researcher.
They successfully tested the tool and the attack against a Tesla Model 3 (and say the Model Y is probably vulnerable as well) and against Kwikset and Weiser Kevo smart locks.
Khan told Bloomberg News that the attack also worked against devices from other automakers and technology companies, and that the hardware (the relay devices) needed to pull it off can be bought cheaply online. Attackers would still need the software the researchers developed, or their own equivalent, to carry out the attack.
Other potential targets include laptops with a Bluetooth proximity unlock feature enabled, mobile phones, other smart locks and building access control systems, and asset and medical patient tracking devices.
The issue affects only systems that rely on passive detection of a nearby Bluetooth device; it is not exploitable where unlocking depends on a combination of communication protocols.
Attack mitigation steps
As noted, this BLE vulnerability cannot be fixed with a firmware update, but there are steps that guard against these attacks.
“Manufacturers can reduce risk by disabling proximity key functionality when the user’s phone or key fob has been stationary for a while (based on the accelerometer). System makers should give customers the option of providing a second factor for authentication, or user presence attestation (e.g., tap an unlock button in an app on the phone),” the researchers advised.
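The following is an added example, not code from NCC Group or from any vendor named in this article. It sketches a toy proximity-unlock policy to illustrate two points made above: why a round-trip latency bound on its own does not stop a relay whose added delay stays inside normal timing jitter, and how the two mitigations the researchers recommend (disabling passive unlock once the key has been stationary, and requiring an explicit user action) change the decision. Every threshold, the RTT jitter model, and the two scenarios are constructed assumptions, not measurements from a real product.

```python
# Added example (not from the NCC Group research or the article): a toy
# proximity-unlock policy that shows why a latency bound alone does not stop
# a low-latency relay, and how the two suggested mitigations (motion timeout,
# explicit user presence) change the decision. All thresholds and the RTT
# model are constructed assumptions, not values from any real product.
import random
from dataclasses import dataclass

RSSI_NEAR_DBM = -70          # assumed "device is nearby" signal threshold
RTT_BOUND_MS = 30.0          # assumed vendor latency bound on challenge/response
STATIONARY_TIMEOUT_S = 60.0  # assumed: key idle this long -> passive unlock off


@dataclass
class KeyObservation:
    rssi_dbm: int                # signal strength seen at the lock/car
    rtt_ms: float                # measured challenge/response round trip
    seconds_since_motion: float  # from the phone/fob accelerometer
    user_attested: bool          # user tapped "unlock" in the app


def passive_policy(obs: KeyObservation) -> bool:
    """Passive unlock with latency bounding only: near and fast enough."""
    return obs.rssi_dbm > RSSI_NEAR_DBM and obs.rtt_ms <= RTT_BOUND_MS


def hardened_policy(obs: KeyObservation) -> bool:
    """Passive check plus the two mitigations the researchers recommend."""
    if not passive_policy(obs):
        return False
    # A key that has not moved for a while is probably on a table, not walking
    # up to the car; the relay cannot fake the owner's accelerometer.
    if obs.seconds_since_motion > STATIONARY_TIMEOUT_S:
        return False
    # Relaying proves only that *some* radio is nearby, not that the owner
    # wants to unlock; require an explicit action on the real device.
    return obs.user_attested


def simulate_rtts(n: int, relay_added_ms: float = 0.0, seed: int = 1) -> list[float]:
    """Constructed RTT model: 12 ms base plus Gaussian jitter (sd 6 ms),
    plus the fixed latency a relay adds. Not measured from any real device."""
    rng = random.Random(seed)
    return [max(0.0, 12.0 + rng.gauss(0.0, 6.0) + relay_added_ms) for _ in range(n)]


def fraction_within_bound(rtts: list[float], bound_ms: float = RTT_BOUND_MS) -> float:
    """Share of exchanges a latency-bounding check would accept."""
    return sum(1 for r in rtts if r <= bound_ms) / len(rtts)


# Constructed scenario: the owner's phone sits at home (no motion for an hour),
# one relay stands next to it and the other next to the car, so the car sees a
# strong signal and responses that arrive only ~8 ms later than normal.
RELAYED = KeyObservation(rssi_dbm=-55, rtt_ms=20.0, seconds_since_motion=3600.0,
                         user_attested=False)
# Constructed scenario: the owner walks up to the car and taps unlock.
LEGIT = KeyObservation(rssi_dbm=-55, rtt_ms=11.0, seconds_since_motion=2.0,
                       user_attested=True)

if __name__ == "__main__":
    print("passive policy, relayed :", passive_policy(RELAYED))   # True: relay accepted
    print("hardened policy, relayed:", hardened_policy(RELAYED))  # False
    print("hardened policy, legit  :", hardened_policy(LEGIT))    # True
    direct = fraction_within_bound(simulate_rtts(1000))
    relayed = fraction_within_bound(simulate_rtts(1000, relay_added_ms=8.0))
    print(f"accepted by {RTT_BOUND_MS:.0f} ms bound: direct {direct:.3f}, relayed {relayed:.3f}")
```

The point of the simulation is that any bound loose enough to accept normal jitter (here about 99.9% of direct exchanges) also accepts the large majority of exchanges delayed by a few milliseconds, which is the regime the researchers’ relay operates in. Signal strength is no help either, since the attacker’s relay really is close to the car. The only inputs in the example the relay cannot manufacture are the owner’s accelerometer history and the owner’s explicit tap, which is why the hardened policy keys on them.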
Worried users of affected products can also protect themselves: they can disable passive unlock functionality that does not require explicit user approval, or turn off Bluetooth on their mobile devices when they don’t need it.