The NCC Group’s security experts have created a tool to perform a Bluetooth Low Energy (BLE) relay attack that bypasses all existing defenses to authenticate on target devices.
BLE technology can be found in a wide range of goods, including laptops, smartphones, smart locks, and building access control systems, as well as cars like the Tesla Model 3 and Model Y.
It’s difficult to push out patches for this security issue, and even if the response is quick and organized, it will take a long time for the updates to reach affected products.
The Attack’s Mechanism
[Image: Tesla Model 3, Y]
An attacker intercepts and manipulates communication between two parties, such as the key fob that unlocks and operates the car and the vehicle itself, in this form of relay attack.
This puts the attacker in the center of the transmission, giving them the ability to relay the signal as if they were standing right next to the car.
Products that use BLE for proximity-based authentication include checks based on specific amounts of latency as well as link-layer encryption to protect against known relay attack methods.
The NCC Group has developed a tool that operates at the link layer and adds only about 8 ms of latency, which is well within the 30 ms window that a GATT (Generic ATTribute Profile) response is expected to arrive in, so latency-based proximity checks do not notice it.
“Because this relay attack occurs at the link layer, encrypted link layer PDUs can be forwarded. It can also detect encrypted changes to connection settings (such as connection interval, WinOffset, PHY mode, and channel map) and keep relaying connections despite the changes. As a result, neither link layer encryption nor encrypted connection parameter changes are effective defenses against this relay attack.” – NCC Group
The attack takes roughly ten seconds to run and may be repeated indefinitely, according to Sultan Qasim Khan, a senior security consultant at NCC Group.
Because the Tesla Model 3 and Model Y both use a BLE-based entry mechanism, NCC’s attack might be used to unlock and start the vehicles.
While the technical details of this novel BLE relay attack have not been released, the researchers claim to have tested the method on a 2020 Tesla Model 3, with an iPhone 13 mini running version 4.6.1-891 of the Tesla software.
“NCC Group was able to unlock and operate the vehicle using this newly designed relay attack tool when the iPhone was outside the vehicle’s BLE range.” – NCC Group
They were able to transfer communication from the iPhone to the car via two relay devices, one seven meters away from the phone and the other three meters away from the car, during the trial. The phone and the car were about 25 meters apart.
Because it uses similar technologies, the experiment was also successfully reproduced on a Tesla Model Y from 2021. The following is an example of the attack:
Tesla was notified of these findings on April 21st. “Relay attacks are a known limitation of the passive entry mechanism,” the company responded a week later.
The researchers also alerted Spectrum Brands, the parent company of Kwikset (maker of the Kevo line of smart locks).
What can be done
NCC Group’s research on this new proximity attack is available in three separate advisories: one for BLE in general, one for Tesla cars, and one for Kwikset/Weiser smart locks. Each illustrates the issue on the tested devices and explains how it affects a larger set of products from other vendors.
The Bluetooth Core Specification warns device manufacturers about relay attacks and advises against using proximity-based authentication for security-critical products.
Users are left with limited options, one of which is to disable proximity-based authentication where possible and use an alternative mechanism that requires user interaction.
Another option is for manufacturers to use UWB (ultra-wideband) radio technology instead of Bluetooth for distance bounding.
Tesla owners are advised to enable the ‘PIN to Drive’ feature, which prevents an attacker from driving away with the car even if it has been unlocked.
The relay attack would also be impossible to carry out if the mobile app’s passive entry functionality was disabled when the phone was stationary.
If none of the above options are available on your device, be aware of the risk of relay attacks and take further precautions.
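As an added illustration (not NCC Group’s tool or any vendor’s code), a toy Python model of the passive-entry decision: the relay’s 8 ms of added latency stays inside the 30 ms GATT budget, so a latency bound alone still passes, while the stationary-phone rule and PIN to Drive described above block the unlock or limit what an unlock is worth. The `relayed` flag, the 60-second stationary threshold and the phone motion input are assumptions used to drive the model.

```python
"""Toy passive-entry policy model (constructed example, not vendor code)."""
from dataclasses import dataclass

GATT_BUDGET_MS = 30.0     # latency window a proximity check tolerates (from the article)
RELAY_ADDED_MS = 8.0      # latency the link-layer relay adds (from the article)
STATIONARY_AFTER_S = 60   # assumed: phone idle this long => passive entry disabled


@dataclass
class Session:
    baseline_rtt_ms: float       # honest phone-to-car GATT round trip (constructed)
    relayed: bool                # constructed: is a relay in the path? (the car cannot see this)
    secs_since_phone_moved: int  # assumed input from the phone's motion sensors
    pin_to_drive: bool           # is PIN to Drive enabled?

    def observed_rtt_ms(self) -> float:
        """Round trip the car actually measures; the relay only adds 8 ms."""
        return self.baseline_rtt_ms + (RELAY_ADDED_MS if self.relayed else 0.0)


def latency_check_passes(s: Session) -> bool:
    """The defense the relay defeats: RTT stays inside the GATT budget."""
    return s.observed_rtt_ms() <= GATT_BUDGET_MS


def passive_entry_allowed(s: Session) -> bool:
    """Unlock only if latency is sane AND the phone has moved recently."""
    return latency_check_passes(s) and s.secs_since_phone_moved < STATIONARY_AFTER_S


def drive_allowed(s: Session, pin_entered: bool) -> bool:
    """PIN to Drive: an unlocked car still will not drive without the PIN."""
    return passive_entry_allowed(s) and (not s.pin_to_drive or pin_entered)


def evaluate(s: Session, pin_entered: bool = False) -> dict:
    """Summarise each gate so the effect of every mitigation is visible."""
    return {
        "latency_ok": latency_check_passes(s),
        "unlock": passive_entry_allowed(s),
        "drive": drive_allowed(s, pin_entered),
    }


if __name__ == "__main__":
    # Relayed session while the phone sits idle at home: latency passes, unlock denied.
    print(evaluate(Session(12.0, True, 3600, True)))
```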