Researchers have developed a tool that performs a new type of relay attack against devices that use Bluetooth LE proximity-based authentication, enabling an attacker to trick a victim’s device, such as a laptop, smart lock, or even a vehicle, into unlocking.
Proximity authentication over Bluetooth LE is implemented in a number of different environments and products, and is designed to allow a trusted nearby device to unlock another. Some vehicles, including Teslas, that use cell phones as a key rely on this method, as do some laptops, smartwatches, and phones. Many Bluetooth-enabled consumer devices also use BLE-based proximity authentication. Relay attacks, in which a malicious device forwards an authentication signal from a legitimate device, are a known problem with these systems, and typical defenses include encrypting requests sent through the link layer and/or limiting response time. The tool developed by the NCC Group researchers adds only 8 milliseconds of latency to the response time, which would not be enough to exceed typical response-time limits.
“With further direct optimization of the tool, it will be possible to ensure that the added latency is one or less communication event for any communication interval permitted under the Bluetooth specification,” according to the advisory written by Sultan Qasim Khan of NCC Group.
“Real BLE devices typically require multiple connection events to respond to GATT requests or notifications and have inherent variability in the timing of their response. Thus, the response time offered by this relay attack is within the range of the normal response timing difference.”
BLE proximity authentication systems usually estimate the distance to a device from its response time: if the key device is too far from the device to be unlocked, the response arrives too late and authentication fails. Relay attacks overcome this by forwarding the signal from the remote device to the target device.
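To see why a response-time threshold cannot catch a relay that adds less than one connection interval, here is a toy timing model written for this article (it is not NCC Group's tool and does not relay anything). The 8 ms figure is the page's; the connection interval, the 1 to 3 connection events a key needs to answer, and the calibration method are assumptions.

```python
import random

# Added example (not NCC Group's tool): a toy timing model for a BLE
# proximity check, built to show why a response-time threshold cannot
# separate a genuine key from a relayed one when the relay adds less than
# one connection interval. All numbers other than the 8 ms are assumptions.
CONN_INTERVAL_MS = 30.0   # assumed connection interval
RELAY_ADDED_MS = 8.0      # latency the page attributes to the relay tool
MAX_EVENTS = 3            # a real key may need 1..3 connection events to answer

def genuine_latency_ms(rng):
    """App-level round trip of a real key: wait for the next connection
    event (random phase), then 1..MAX_EVENTS events until the response."""
    phase = rng.uniform(0.0, CONN_INTERVAL_MS)
    events = rng.randint(1, MAX_EVENTS)
    return phase + events * CONN_INTERVAL_MS

def relayed_latency_ms(rng):
    """Same exchange forwarded over a link-layer relay: genuine timing plus
    the relay's fixed overhead."""
    return genuine_latency_ms(rng) + RELAY_ADDED_MS

def accept(latency_ms, threshold_ms):
    """The proximity check: unlock only if the reply arrived in time."""
    return latency_ms <= threshold_ms

def evaluate(seed=1, n=5000):
    """Calibrate a threshold on genuine traffic, then measure what it does."""
    rng = random.Random(seed)
    genuine = [genuine_latency_ms(rng) for _ in range(n)]
    relayed = [relayed_latency_ms(rng) for _ in range(n)]
    # Vendor-style calibration: the loosest threshold that admits every
    # genuine response seen during testing.
    loose = max(genuine)
    relayed_accepted = sum(accept(t, loose) for t in relayed) / n
    # The opposite extreme: the tightest threshold that rejects every relayed
    # response, and the share of real keys it would lock out.
    tight = min(relayed)
    genuine_rejected = sum(not accept(t, tight) for t in genuine) / n
    return {"loose_threshold_ms": loose,
            "relayed_accepted": relayed_accepted,
            "tight_threshold_ms": tight,
            "genuine_rejected": genuine_rejected}

if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name}: {value:.3f}")
```

Under these assumptions roughly nine in ten relayed responses pass the calibrated threshold, and a threshold tight enough to reject every relayed response locks out roughly nine in ten genuine keys, which is the advisory's point that timing is not a defense.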
The researchers tested the attack on the 2020 Tesla Model 3, running the attack tool on the iPhone 13 mini. The iPhone was out of the vehicle’s Bluetooth range, about 25 meters from the car, with two relays between the iPhone and the car. Using the tool, the researchers were able to remotely unlock the car.
“If an attacker can place a relay device within the signal range of a target BLE device (Victim A’s device) that is trusted for proximity authentication by another device (Victim B’s device), then he can perform a relay attack to unlock and launch Victim B’s device,” the consultant says.
“Neither the normal GATT (Generic Attribute Profile) response latency nor successful connections over an encrypted link layer can be used as indicators that a relay attack is not in progress. Thus, traditional mitigations of earlier BLE relay attacks become ineffective against link-layer relay attacks.”
The researchers disclosed their findings to Tesla and the Bluetooth Special Interest Group, which acknowledged the problem but said relay attacks were a known problem with Bluetooth technology. Tesla officials also said that relay attacks were a known limitation of the passive entry system.
NCC Group recommends that the SIG proactively advise its members who develop proximity authentication systems about the risks of BLE relay attacks. “Furthermore, the documentation should make it clear that relay attacks are practical and should be included in threat models, and that neither link-layer encryption nor normal response timing expectations are defenses against relay attacks,” the advisory states.