Bluetooth Low Energy vulnerability and the Tesla car theft

There is a weakness in the way Bluetooth Low Energy proximity authentication is used that allows an attacker to relay the radio traffic and appear to be next to a Bluetooth device (door locks, electronic devices and cars) that is actually far away. Among the affected products are Tesla's Model 3 and Model Y electric cars, which can be unlocked, started and thus stolen in this way.

Bluetooth Low Energy (BLE) vulnerability

Bluetooth Low Energy (BLE) is a standard protocol for data exchange between devices that companies use for proximity authentication to unlock millions of vehicles, smart locks in residential buildings, access control systems for commercial buildings, smartphones, smartwatches, laptops and more.


Security researchers at NCC Group have conducted what they describe as the first link-layer relay attack on Bluetooth Low Energy (BLE), according to the company's announcement. With their proof of concept (PoC) the researchers showed that very popular products currently rely on insecure BLE proximity authentication in critical applications. Because the attack forwards baseband data at the link layer, it sits below the upper layers of the Bluetooth stack and never needs to decrypt anything; it therefore circumvents known protections against relay attacks, including encrypted BLE communications. Sultan Qasim Khan, Principal Security Consultant and Researcher at NCC Group, who conducted this research, writes:

The power of this attack is not only that we can convince a Bluetooth device that we are in its vicinity – even from hundreds of miles away – but also that we can do so even if the manufacturer has taken defensive measures, such as encryption and latency mitigation, to theoretically protect these communications from remote attackers.

All it takes for a successful attack is about 10 seconds, and the attack can be repeated as often as needed. According to the researchers, the hack bypasses the typical countermeasures against remote vehicle unlocking. This changes how engineers and consumers need to think about the security of BLE communications, the researchers write, and they call for better safeguards against such attacks. The Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks contains more information.

Tesla theft via remote access

What draws special attention to the story is the fact that many car manufacturers use BLE to unlock their vehicles. Malwarebytes published the article Car owners warned of another theft-enabling relay attack on May 17, 2022, and expects a wave of car thefts via such relay attacks. In a classic relay attack, one attacker stands near the electronic key used to unlock and start the vehicle and captures its radio signals; these are relayed by radio to a second device near the car, which replays them to the vehicle so that it unlocks. The following video shows the principle of this attack on keyless vehicle systems, which has been known for years. What is new about the BLE attack is that it also defeats the latency checks and encryption that were meant to stop relaying, and so works over longer distances.

(Source: YouTube)

This is likely to hit vehicle manufacturers and car owners hard. Also affected is industry leader Tesla, whose Model 3 and Model Y electric vehicles use this BLE technology for unlocking. The Bluetooth Low Energy (BLE)-based passive access system allows users with an authorized mobile device or key fob to unlock and operate the vehicle from nearby without any user interaction on the mobile device or key fob. The system decides that the mobile device or key fob is within a certain distance based on signal strength (RSSI) and on latency measurements of cryptographic challenge-response operations performed over BLE.

However, if an attacker succeeds in placing a relaying device within the BLE signal range of a cell phone or key fob, they can perform a relay attack to unlock and operate the matching, i.e., authorized, vehicle (Tesla Model 3 or Model Y).

NCC Group has developed a tool to perform a novel link-layer BLE relay attack with additional latency within the range of normal GATT response time variations and capable of relaying encrypted communications at the link layer. This approach can bypass the existing mitigations of relay attacks through latency mitigation or link-layer encryption and circumvent localization protections commonly used against relay attacks with signal amplification. Because the latency added by this relay attack is within the limits accepted by the Model 3 (and likely Model Y) passive access system, it can be used to unlock and drive these vehicles while the authorized mobile device or key fob is out of range.
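The following model, added here as an illustration and not NCC Group's tool or Tesla's implementation, shows why a latency check on GATT-level challenge-response cannot stop a link-layer relay. The vehicle and the key share a secret and the key answers a challenge with an HMAC (an assumed construction); the relay forwards the frames unchanged, so the answer always verifies, and the only thing the vehicle can observe is extra latency. The benign latency distribution, the accept threshold and the roughly 8 ms the relay adds are all assumed values chosen for the example.

```python
"""Constructed model of a BLE passive-entry latency check versus a link-layer relay.

Added example: NOT NCC Group's relay tool and NOT Tesla's passive entry code.
All timing numbers are assumptions used to illustrate the argument.
"""
import hashlib
import hmac
import random

C_M_PER_S = 299_792_458  # speed of light, for time-of-flight comparison

# Assumed shared secret between vehicle and phone/fob (constructed demo value).
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"


def key_response(key: bytes, challenge: bytes) -> bytes:
    """Key side: answer the vehicle's challenge with an HMAC (assumed MAC scheme)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def gatt_latency_ms(rng: random.Random) -> float:
    """Assumed benign GATT response latency. A BLE reply waits for the next
    connection event, so even an adjacent phone answers with tens of ms of jitter."""
    return rng.uniform(20.0, 100.0)


def passive_entry_attempt(rng: random.Random, key: bytes,
                          threshold_ms: float = 100.0,
                          relay_added_ms: float = 0.0) -> bool:
    """One challenge-response round as the vehicle sees it.

    A link-layer relay forwards the (possibly encrypted) PDUs byte for byte, so
    the response verifies exactly as in the benign case; the relay only adds
    latency on top of the normal GATT jitter."""
    challenge = bytes(rng.getrandbits(8) for _ in range(16))
    response = key_response(key, challenge)          # relayed unchanged
    observed_ms = gatt_latency_ms(rng) + relay_added_ms
    crypto_ok = hmac.compare_digest(response, key_response(key, challenge))
    return crypto_ok and observed_ms <= threshold_ms


def acceptance_rate(trials: int, seed: int = 1, **kwargs) -> float:
    """Fraction of attempts the vehicle accepts; seeded so results are repeatable."""
    rng = random.Random(seed)
    accepted = sum(passive_entry_attempt(rng, SHARED_KEY, **kwargs) for _ in range(trials))
    return accepted / trials


def light_round_trip_ms(distance_m: float) -> float:
    """Physical round-trip time-of-flight over a given distance."""
    return 2.0 * distance_m / C_M_PER_S * 1000.0


def distance_bound_km(jitter_ms: float) -> float:
    """Smallest distance a timing check with this much jitter can still rule out:
    anything closer hides inside the jitter and is indistinguishable from 'adjacent'."""
    return C_M_PER_S * (jitter_ms / 1000.0) / 2.0 / 1000.0


if __name__ == "__main__":
    print("benign phone accepted:      ", acceptance_rate(2000))
    print("relayed (+8 ms) accepted:   ", acceptance_rate(2000, relay_added_ms=8.0))
    print("light RTT over 25 m (ms):   ", light_round_trip_ms(25.0))
    print("distance hidden by 80 ms jitter (km):", distance_bound_km(80.0))
```

With these assumed numbers the relayed attempt is accepted roughly nine times out of ten, and since the attacker can simply retry, a single rejection changes nothing. The last two figures make the underlying point: the round trip of a radio signal over the 25 m in NCC's test setup is a fraction of a microsecond, while the normal GATT jitter of tens of milliseconds corresponds to thousands of kilometres of distance uncertainty. A threshold on application-layer latency therefore cannot bound the key's distance; only a measurement whose resolution is near the time of flight (for example a dedicated ranging radio) could.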

NCC Group has published the Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to Relay Attacks on this issue. The attack was tested on a Model 3; the Model Y is also likely to be affected, the researchers write. The attack succeeded using an iPhone 13 mini with Tesla app version 4.6.1-891 against vehicle software v11.0. In the test setup, the iPhone was placed on the top floor at one end of a house, about 25 meters from the vehicle, which was in the garage at ground level. The phone-side relay device was placed in a different room from the iPhone, about 7 meters from the phone. The vehicle-side relay device was able to unlock the vehicle when it was within about 3 meters of it. This reminds me of my article Software: Our grave as future car owners?
