While BLE technology is used in a wide range of electronics — such as home smart locks, commercial building access, laptops, and smartphones — the research team at NCC Group honed in on Tesla, and how the exploit affects the company’s Model 3 and Model Y cars. The researchers also said that deploying fixes for this issue will be a complicated and time-consuming process.
Details About the BLE Exploit
Tesla Model 3 and Y owners can unlock and start their vehicles with an app on their smartphone. This service relies on BLE technology, which allows the user to turn their smartphone into an authentication device, like a key. While this technology has many benefits, a new glaring security issue has come to light. Researchers at NCC Group have developed a tool that allows for a new type of relay attack (similar to a man-in-the-middle attack) against devices using BLE technology. The NCC Group’s tool enables a user to intercept and manipulate the communications between the two devices. This way, an attacker can potentially use the tool to gain access to or make the central device perform tasks — such as unlocking and starting cars, unlocking and entering homes or commercial buildings, or gaining access to personal electronics. Concerns about the possibility of relay attacks on BLE devices have been around for many years. So far, safeguards such as latency bounding and link layer encryption have been successful in protecting BLE devices. Latency bounding prevents communication with a device that is over BLE’s latency limit (also called the GATT response). However, the NCC Group’s relay attack tool can bypass these protections. Its tool does not push the device latency above the 30ms limit, and is able to communicate over the devices’ encrypted network. Furthermore, the NCC Group says that its tool works with any device which uses a BLE connection as a confirmation of physical proximity.
Experiment on Tesla Cars
The researchers tried out their tool on a 2020 Tesla Model 3 and used an iPhone 13 Mini running version 4.6.1-891 of the Tesla app as the authenticating device. They were able to deliver communications from the iPhone via two separate relay devices placed at different spots. The researchers could unlock and operate the vehicle by placing their relaying tool between the phone and the car. Therefore, they concluded that attackers can take advantage of this flaw by placing a relaying device within the BLE signal range of the authorized device. While the researchers have not replicated the experiment on a Tesla Model Y, they expect that the same type of attack would be successful, as both cars use a similar BLE entry system. Furthermore, the researchers said that it should be possible for attackers to carry out long-distance relay attacks as well. However, they are yet to carry out an experiment of this kind. Here are some other notes from the experiment:
One relaying device was placed seven meters away from the phone. Another relaying device was placed three meters away from the car. The distance between the iPhone and the car was 25 meters.
NCC Group’s Recommendations
The NCC Group pointed out that BLE connects should not be the only level of protection for valuable assets. The Group has also criticized the Bluetooth SIG, for promoting certain BLE tools as being relay attack resistant despite carrying risks. It urged the SIG, which oversees Bluetooth standards and licensing of Bluetooth technologies around the world, to advise its members about the risks of BLE relay attacks. The NCC also offered recommendations for BLE users to protect themselves:
Switch to an alternative authentication method. Preferably, one which requires user interaction. Tesla owners are advised to use the “PIN to Drive” feature, which offers an extra layer of security to operate the vehicle. Disabling passive entry functionality on the mobile app.
If you found this story interesting, check out our complete guide to Bluetooth safety.