Change language

Researchers reproduce Bluetooth attack that could steal Tesla Model 3 and Y

Security researchers at the NCC Group have developed a Bluetooth Low Energy relay attack tool that bypasses all existing authentication protections. BLE technology is used in a wide range of products, from electronics (laptops, mobile phones, smart locks, and building access control systems) to automobiles such as the Tesla Model 3 and Model Y.

In this type of relay attacks, the attacker intercepts the data and can manipulate the information between the two parties. This allows him to transmit the signal as if he were standing right next to the car.

Products that rely on BLE for distance-based authentication protect against known relay attack methods by introducing checks based on the exact number of delays as well as link-level encryption.

The NCC team has developed a tool that operates at the data link layer with a latency of 8ms, which is within the acceptable range of 30ms of a GATT (Generic ATTtribute Profile) response.

“Because this relay attack works at the link layer, it can forward encrypted link layer PDUs. It is also capable of detecting encrypted changes to connection parameters (such as connection interval, WinOffset, PHY mode, and channel map) and continue relaying connections through parameter changes. Thus, neither link-layer encryption nor changing the parameters of an encrypted connection is a defense against this type of relay attacks,” the NCC Group said.

The attack takes about ten seconds to launch and can be repeated indefinitely.

Both the Tesla Model 3 and Model Y use a BLE-based login system, so the NCC attack could be used to unlock and start cars.

While the technical details of this new BLE relay attack have not been released, the researchers say they tested the method on a 2020 Tesla Model 3 using an iPhone 13 mini running version 4.6.1-891 of the Tesla app.

"The NCC team was able to use this relay attack tool to unlock and control the vehicle when the iPhone was outside the vehicle's BLE range," the researchers said.

The experiment

During the experiment, it was possible to connect the car and the iPhone through two repeaters, one of which was seven meters from the phone, and the other three meters from the car. The distance between the phone and the car was 25 meters.

The experiment has also been successfully replicated on a 2021 Tesla Model Y, as it uses similar technologies.

Tesla reported the possibility of such attacks on April 21. A week later, the company responded that "relay attacks are a known limitation of the passive login system."

The researchers also notified Spectrum Brands, the parent company of Kwikset (makers of the Kevo smart lock line).

The core Bluetooth specification warns device manufacturers about relay attacks. As such, users may be prompted to disable the remote authentication option, if possible, and switch to an alternative method that requires face-to-face interaction.

Another way for manufacturers would be to use a distance limiting solution such as UWB (Ultra Wide Band) radio technology instead of Bluetooth.

Tesla owners are encouraged to use the PIN to Drive feature. In this case, even if their car is unlocked, the attacker will not be able to drive away in it.

Earlier in 2020

In 2020, the Bluetooth SIG issued a warning about the BLURtooth family of attacks. She noted that a vulnerability in the Bluetooth 4.2 and 5.0 specifications allows intercepting authentication keys and organizing a MitM attack. The BLESA vulnerability in the Bluetooth Low Energy specification allows you to connect to other devices without authorization, simulating the procedure for reconnecting after a connection break.

Later that year, researcher Lennert Wueters showed a way to steal a Tesla Model X by rewriting the firmware of the car's proprietary key. According to him, the key firmware can be updated via Bluetooth, and the validity of the code is not checked in any way.

Michael Zippo
[email protected]


Researchers reproduce Bluetooth attack that could steal Tesla Model 3 and Y News: Questions


Best laptop for Fortnite


Best laptop for Excel


Best laptop for Solidworks


Best laptop for Roblox


Best computer for crypto mining


Best laptop for Sims 4


Best laptop for Zoom


Best laptop for Minecraft


Latest questions


psycopg2: insert multiple rows with one query

12 answers


How to convert Nonetype to int or string?

12 answers


How to specify multiple return types using type-hints

12 answers


Javascript Error: IPython is not defined in JupyterLab

12 answers



Python OpenCV | cv2.putText () method

numpy.arctan2 () in Python

Python | os.path.realpath () method

Python OpenCV | () method

Python OpenCV cv2.cvtColor () method

Python - Move item to the end of the list

time.perf_counter () function in Python

Check if one list is a subset of another in Python

Python os.path.join () method