Security researchers at the NCC Group have developed a Bluetooth Low Energy relay attack tool that bypasses all existing authentication protections. BLE technology is used in a wide range of products, from electronics (laptops, mobile phones, smart locks, and building access control systems) to automobiles such as the Tesla Model 3 and Model Y.
In this type of relay attack, the attacker sits between the two parties, intercepting and forwarding (and potentially manipulating) the data exchanged between them. This allows the attacker to present the phone's signal to the car as if the phone were right next to it.
Products that rely on BLE for distance-based authentication protect against known relay attack methods by imposing strict checks on response timing (latency) as well as link-layer encryption.
The NCC team has developed a tool that operates at the data link layer with a latency of 8 ms, which is within the 30 ms normally accepted for a GATT (Generic Attribute Profile) response.
“Because this relay attack works at the link layer, it can forward encrypted link layer PDUs. It is also capable of detecting encrypted changes to connection parameters (such as connection interval, WinOffset, PHY mode, and channel map) and to continue relaying connections through parameter changes. Thus, neither link-layer encryption nor changing the parameters of an encrypted connection is a defense against this type of relay attack,” the NCC Group said.
The attack takes about ten seconds to launch and can be repeated indefinitely.
Both the Tesla Model 3 and Model Y use a BLE-based login system, so the NCC attack could be used to unlock and start cars.
While the technical details of this new BLE relay attack have not been released, the researchers say they tested the method on a 2020 Tesla Model 3 using an iPhone 13 mini running version 4.6.1-891 of the Tesla app.
"The NCC team was able to use this relay attack tool to unlock and control the vehicle when the iPhone was outside the vehicle's BLE range," the researchers said.
During the experiment, the car and the iPhone were connected through two relay devices, one seven meters from the phone and the other three meters from the car; the phone and the car were 25 meters apart.
The experiment has also been successfully replicated on a 2021 Tesla Model Y, as it uses similar technologies.
The researchers reported the possibility of such attacks to Tesla on April 21. A week later, the company responded that "relay attacks are a known limitation of the passive login system."
The researchers also notified Spectrum Brands, the parent company of Kwikset (makers of the Kevo smart lock line).
The core Bluetooth specification warns device manufacturers about relay attacks. Where possible, users may therefore want to disable the remote authentication option and switch to an alternative method that requires direct user interaction.
Another option for manufacturers is to use a distance-bounding solution such as UWB (Ultra-Wideband) radio technology instead of Bluetooth.
Tesla owners are encouraged to use the PIN to Drive feature: even if the car is unlocked, the attacker will not be able to drive away in it.
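To make the timing argument concrete, here is an added example (not NCC Group's tool, nor Tesla's or any vendor's code) that models the two kinds of check discussed above: a GATT-layer response window and a UWB time-of-flight bound. Only the 8 ms relay latency, the 30 ms GATT window and the 25 m phone-to-car distance come from the article; the 20 ns UWB budget, the 2 m legitimate distance and the 5 ms phone processing delay are constructed assumptions.

```python
"""Added illustration (not NCC Group's tool or any vendor's code): why a
response window measured at the GATT layer cannot bound physical distance,
while a time-of-flight check with nanosecond resolution, as UWB ranging
provides, can. The 8 ms relay latency, 30 ms GATT window and 25 m
phone-to-car distance come from the article; every other number is a
constructed assumption for the example.
"""
from dataclasses import dataclass

SPEED_OF_LIGHT_M_PER_S = 299_792_458.0


@dataclass(frozen=True)
class ProximityCheck:
    """A verifier (the car) that accepts a response only within max_rtt_s."""
    name: str
    max_rtt_s: float

    def max_distance_m(self) -> float:
        # The signal travels out and back, so the distance bound is half
        # the distance light covers in the allowed round-trip time.
        return SPEED_OF_LIGHT_M_PER_S * self.max_rtt_s / 2.0

    def accepts(self, observed_rtt_s: float) -> bool:
        return observed_rtt_s <= self.max_rtt_s


def round_trip_time_s(distance_m: float, processing_delay_s: float,
                      relay_latency_s: float = 0.0) -> float:
    """Round-trip time the verifier observes for one challenge/response.

    distance_m          straight-line distance the radio signal covers
    processing_delay_s  time the prover (phone) needs to answer
    relay_latency_s     delay added by relay hardware; 0.0 when no relay
    """
    propagation_s = 2.0 * distance_m / SPEED_OF_LIGHT_M_PER_S
    return propagation_s + processing_delay_s + relay_latency_s


# The 30 ms GATT response window is from the article; the 20 ns UWB budget
# (about a 3 m bound) is a constructed figure for the example.
GATT_WINDOW = ProximityCheck("BLE GATT response window", max_rtt_s=30e-3)
UWB_TOF = ProximityCheck("UWB time-of-flight bound", max_rtt_s=20e-9)

LEGIT_DISTANCE_M = 2.0      # constructed: phone in the owner's pocket at the door
RELAYED_DISTANCE_M = 25.0   # from the article: phone 25 m from the car
RELAY_LATENCY_S = 8e-3      # from the article: about 8 ms added by the relay
PHONE_GATT_DELAY_S = 5e-3   # constructed: BLE stack time to answer a GATT request


def evaluate_scenarios() -> dict:
    """Run legitimate and relayed exchanges against both verifier policies."""
    results = {}
    # GATT-level timing: the phone's software response time dominates, so a
    # few extra milliseconds from a relay are indistinguishable from jitter.
    results["gatt"] = {
        "legitimate": GATT_WINDOW.accepts(
            round_trip_time_s(LEGIT_DISTANCE_M, PHONE_GATT_DELAY_S)),
        "relayed": GATT_WINDOW.accepts(
            round_trip_time_s(RELAYED_DISTANCE_M, PHONE_GATT_DELAY_S, RELAY_LATENCY_S)),
    }
    # UWB two-way ranging timestamps in hardware and subtracts the known
    # reply turnaround, so only propagation (and any relay delay) remains;
    # that is why the processing delay is modelled as zero here.
    results["uwb"] = {
        "legitimate": UWB_TOF.accepts(
            round_trip_time_s(LEGIT_DISTANCE_M, 0.0)),
        "relayed": UWB_TOF.accepts(
            round_trip_time_s(RELAYED_DISTANCE_M, 0.0, RELAY_LATENCY_S)),
    }
    return results


if __name__ == "__main__":
    for check in (GATT_WINDOW, UWB_TOF):
        print(f"{check.name}: bounds distance to <= {check.max_distance_m():,.1f} m")
    for policy, outcome in evaluate_scenarios().items():
        print(policy, outcome)
```

The point the numbers make: 30 ms of light travel bounds the phone to roughly 4,500 km, so a relay that adds 8 ms disappears into ordinary BLE stack jitter, whereas a hardware-timestamped time-of-flight bound of a few tens of nanoseconds corresponds to metres and rejects the relayed exchange even before the relay's own latency is counted.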
Earlier in 2020
In 2020, the Bluetooth SIG issued a warning about the BLURtooth family of attacks, noting that a vulnerability in the Bluetooth 4.2 and 5.0 specifications allows authentication keys to be intercepted and a man-in-the-middle (MitM) attack to be mounted. The BLESA vulnerability in the Bluetooth Low Energy specification allows an attacker to connect to other devices without authorization by simulating the reconnection procedure that follows a dropped connection.
Later that year, researcher Lennert Wouters showed a way to steal a Tesla Model X by rewriting the firmware of the car's proprietary key fob. According to him, the key fob's firmware could be updated over Bluetooth, and the validity of the code was not checked in any way.