Bluetooth attack can remotely unlock Teslas and smart locks - TechCrunch

Security researchers have demonstrated a new Bluetooth relay attack that can remotely unlock and start some Tesla vehicles.

The vulnerability lies in Bluetooth Low Energy (BLE), the technology used by Tesla’s entry system that allows drivers with the app or the ignition key to unlock and start their vehicle from nearby. Most devices and vehicles that rely on this type of proximity-based authentication are designed to guard against a host of relay attacks, which typically work by capturing the radio signal used to unlock a vehicle, for example, and replaying it as if it were a genuine request. They do so by using encryption and introducing validations that can make relay attacks more difficult.

But researchers at the UK-based NCC Group say they have developed a tool to perform a new type of BLE link-layer relay attack that bypasses existing mitigations, theoretically allowing attackers to unlock and operate vehicles remotely.

Sultan Qasim Khan, chief security advisor at NCC Group, said in a blog post that he tested the attack against a 2020 Tesla Model 3 using an iPhone 13 mini running a recent but older version of the Tesla app. The iPhone was placed 25 meters from the car, according to the researchers, with two relays between the iPhone and the car. Using the tool, the researchers were able to remotely unlock the car. The experiment has also been successfully replicated on the 2021 Tesla Model Y, which also uses “phone as a key” technology.

While the attack was shown on Tesla vehicles, Khan indicated that any vehicle using a BLE keyless entry system could be vulnerable to this attack. In a separate advisory report, the NCC Group warned that the attack could also be used against the Kwikset and Weiser Kevo line of smart locks, which support BLE passive entry through the “touch to unlock” function.

In a video shared with TechCrunch, Khan can be seen walking to a Tesla Model Y holding a laptop with a relay attached, allowing him to wirelessly unlock the car and open the door.

“Our research shows that the systems people rely on to protect their cars, homes, and private data use Bluetooth proximity authentication mechanisms that can be easily broken with inexpensive hardware that is available,” Khan said.

The researchers disclosed their findings to Tesla and the Bluetooth Special Interest Group (SIG), the industry group overseeing development of the Bluetooth standard, which acknowledged the problem but said relay attacks were a known problem with Bluetooth technology. Tesla officials also said that relay attacks were a known limitation of the passive entry system. Tesla did not respond to TechCrunch’s request for comment. (Tesla canceled its PR team in 2020.)

“The NCC recommends that the SIG proactively advise its members developing close authentication systems on the risks of BLE relay attacks,” Khan added. “Furthermore, the documentation should make it clear that relay attacks are practical and should be included in threat models, and that neither link-layer encryption nor normal response timing expectations are defenses against relay attacks.”

Researchers are encouraging Tesla owners to use the PIN to Drive feature, which requires a four-digit PIN to be entered before driving the car, and to disable the passive entry system in the mobile app.

Tesla is no stranger to security flaws. Earlier this year, a 19-year-old security researcher said he was able to remotely access dozens of Tesla cars around the world because security flaws in an open-source registry tool common to Tesla owners exposed their cars live on the Internet.

2022-05-18 15:34:10
