PanamaTimes

Wednesday, Feb 21, 2024

New Bluetooth hack can unlock your Tesla—and all kinds of other devices

New Bluetooth hack can unlock your Tesla—and all kinds of other devices

All it takes to hijack Bluetooth-secured devices is custom code and $100 in hardware.

When you use your phone to unlock a Tesla, the device and the car use Bluetooth signals to measure their proximity to each other. Move close to the car with the phone in hand, and the door automatically unlocks. Move away, and it locks. This proximity authentication works on the assumption that the key stored on the phone can only be transmitted when the locked device is within Bluetooth range.

Now, a researcher has devised a hack that allows him to unlock millions of Teslas—and countless other devices—even when the authenticating phone or key fob is hundreds of yards or miles away. The hack, which exploits weaknesses in the Bluetooth Low Energy standard adhered to by thousands of device makers, can be used to unlock doors, open and operate vehicles, and gain unauthorized access to a host of laptops and other security-sensitive devices.


When convenience comes back to bite us


“Hacking into a car from hundreds of miles away tangibly demonstrates how our connected world opens us up to threats from the other side of the country—and sometimes even the other side of the world,” Sultan Qasim Khan, a principal security consultant and researcher at security firm NCC Group, told Ars. “This research circumvents typical countermeasures against remote adversarial vehicle unlocking and changes the way we need to think about the security of Bluetooth Low Energy communications.”

This class of hack is known as a relay attack, a close cousin of the person-in-the-middle attack. In its simplest form, a relay attack requires two attackers. In the case of the locked Tesla, the first attacker, which we’ll call Attacker 1, is in close proximity to the car while it’s out of range of the authenticating phone. Attacker 2, meanwhile, is in close proximity to the legitimate phone used to unlock the vehicle. Attacker 1 and Attacker 2 have an open Internet connection that allows them to exchange data.

Attacker 1 uses her own Bluetooth-enabled device to impersonate the authenticating phone and sends the Tesla a signal, prompting the Tesla to reply with an authentication request. Attacker 1 captures the request and sends it to Attacker 2, who in turn forwards the request to the authenticating phone. The phone responds with a credential, which Attacker 2 promptly captures and relays back to Attacker 1. Attacker 1 then sends the credential to the car.

With that, Attacker 1 has now unlocked the vehicle. Here’s a simplified attack diagram, taken from the above-linked Wikipedia article, followed by a video demonstration of Khan unlocking a Tesla and driving away with it, even though the authorized phone isn’t anywhere nearby.



NCC Group demo Bluetooth Low Energy link layer relay attack on Tesla Model Y.


Relay attacks in the real world need not have two actual attackers. The relaying device can be stashed in a garden, coat room, or other out-of-the-way place at a home, restaurant, or office. When the target arrives at the destination and moves into Bluetooth range of the stashed device, it retrieves the secret credential and relays it to the device stationed near the car (operated by Attacker 1).

The susceptibility of BLE, short for Bluetooth Low Energy, to relay attacks is well known, so device makers have long relied on countermeasures to prevent the above scenario from occurring. One defense is to measure the flow of the requests and responses and reject authentications when the latency reaches a certain threshold, since relayed communications generally take longer to complete than legitimate ones. Another protection is encrypting the credential sent by the phone.

Khan’s BLE relay attack defeats these mitigations, making such hacks viable against a large base of devices and products previously assumed to be hardened against such attacks.


On the (link) level


The key to the successful bypass is that, unlike previous BLE relay attacks, it captures data from the baseband—where radio signals are sent to and received from the devices—and does so at the link layer, the very lowest level of the Bluetooth stack, where connections are advertised, created, maintained, and terminated. Previous BLE relay attacks worked at the GATT—short for Generic Attribute Profile—layer, which is much higher up the stack.


Because the link layer is where the credential is encrypted, the new method defeats cryptographic defenses that defend against GATT-based relays. Link layer relays also have significantly less latency than GATT relays because they bypass levels higher up the stack that act as a bandwidth bottleneck. That makes link layer relays indistinguishable from legitimate communications.

Khan’s attack uses custom software and about $100 worth of equipment. He has confirmed it works against the Tesla Model 3 and Model Y and Kevo smart locks marketed under the Kwikset and Weiser brand names. But he says virtually any BLE device that authenticates solely on proximity—as opposed to also requiring user interaction, geolocation querying, or something else—is vulnerable.

“The problem is that BLE-based proximity authentication is used in places where it was never safe to do so,” he explained. “BLE is a standard for devices to share data; it was never meant to be a standard for proximity authentication. However, various companies have adopted it to implement proximity authentication.”

Because the threat isn’t caused by a traditional bug or error in either the Bluetooth specification or an implementation of the standard, there’s no CVE designation used to track vulnerabilities. Khan added:

In general, any product relying on BLE proximity authentication is vulnerable if it does not require user interaction on the phone or key fob to approve the unlock and does not implement secure ranging with time-of-flight measurement or comparison of the phone/key fob’s GPS or cellular location relative to the location of the device being unlocked. GPS or cellular location comparison may also be insufficient to prevent short distance relay attacks (such as breaking into a home’s front door or stealing a car from the driveway, when the owner’s phone or key fob is inside the house).

Making BLE authentication safer


With no patch or fix in sight, what can be done? The answer: require something more than just perceived proximity before trusting the phone or key fob as authentic. One mechanism is to check the location of the authenticating device to ensure that it is, in fact, physically close to the locked car or other device.

Another countermeasure is to require the user to provide some form of input to the authenticating device before it’s trusted. Phone-based security keys that comply with the recently introduced WebAuthn standard, for instance, require not only that the device be close to the machine or account being unlocked but also that a user present the device with a valid fingerprint, facial scan, or PIN. That prevents this attack from working on those devices.

Another countermeasure is to use a phone’s accelerometer to measure its movements. When a device has been stationary for a given amount of time, the proximity key functionality is disabled.

A Kwikset representative said that its iOS app for Kevo has a timeout feature that activates once a device has been stationary for 30 seconds. It also provides an option for requiring a PIN before the device is trusted. Those features aren’t yet available in the company’s Android app. The representative said the company expects the PIN option to be available in the Android app by late September. The attack works only on Kwikset’s Kevo line, the representative said.

Representatives of The Bluetooth Special Interest Group, the body that oversees the Bluetooth standard, issued a statement that read in part: “The Bluetooth Special Interest Group (SIG) prioritizes security, and Bluetooth specifications include a collection of features that provide developers the tools they need to secure communications between Bluetooth devices and implement the appropriate level of security for their products. All Bluetooth specifications are subject to security reviews during the development process.”

Tesla representatives didn’t respond to an email seeking comment for this article.

NCC Group issued a statement about the hack here and has published advisories here, here, and here.

In fairness to both the lock maker and electric car manufacturer, they are only two of the many device makers affected by this new attack. The point of the research isn’t to single out one or two offenders but rather to make clear that BLE authentication based on proximity alone was never something anticipated in the standard and should have been abandoned long ago.

“Over the last decade, industry has turned a blind eye to the risks of relay attacks against proximity authentication systems,” Khan said. “This research demonstrates that Bluetooth Low Energy relay attacks are practical and effective against popular products and highlights the need for the industry to rethink the risk-to-convenience tradeoff for Bluetooth passive entry.”

Newsletter

Related Articles

PanamaTimes
Global Law Enforcement Dismantles Lockbit Ransomware Operation
Russian opposition leader Alexey Navalny has died at the Arctic prison colony
The President of Argentina Javier Mile does not fly private, he flies commercial, with the citizens he represents. And they LOVE him for it.
Bitcoin Reaches $50,000 for First Time in Over Two Years
Belo Horizonte: Brazil's Rising Carnival Hotspot for 2024
In El Salvador, the 'Trump of Latin America' stuns the world with a speech slamming woke policing after winning a landslide election
Tucker’s interview with Putin is over 50M views on X within the first 5 hours.
Finnish Airline, Finnair, is voluntarily weighing passengers to better estimate flight cargo weight
President Nayib Bukele has proudly announced El Salvador's remarkable achievement of becoming the safest nation in the Western Hemisphere.
Former Chilean President Sebastian Piñera Dies in Helicopter Crash
This farmer seems to understand science a bit more than the event organizer, Klaus Schwab.
Facebook turns 20: From Mark Zuckerberg's dormitory to a $1trn company
The Coolest Dictator in the World" on the Path to Victory in El Salvador
Macron, France and fake news
Indian-Origin Man 'King' Arrested For Smuggling $16 Million Drugs Into US
Can someone teach Americans that not every person with slanted eyes is Chinese?
Europe's Farmers Feeding the People, Protesting Against Politicians Who Do Nothing for Their Country and Serve Only Themselves at Taxpayers' Expense
Paris Restaurant That Inspired 'Ratatouille' Loses $1.6 Million Worth Of Wine
Brazilian Police Investigate Bolsonaro's Son for Alleged Illegal Spying
Police in Brazil Raid Residence of Bolsonaro Associate Over Allegations of Illegal Spying
Border Dispute Escalates as Texas Governor Vows Increased Razor Wire
OpenAI Enhances ChatGPT-4 Model, Potentially Addressing AI "Laziness" Issue
The NSA finally acknowledges spying on Americans by acquiring sensitive data
Report Reveals Toxic Telegram Group Generating X-Rated AI-Generated Fake Images of Taylor Swift
US Border Patrol States 'No Plans' to Remove Razor Wire Installed in Texas
Bitcoin Experiences Approximately 20% Decline in Value
Klaus Schwab recently appointed himself as the Earth's "trustee of the future."
DeSantis Drops Out, Endorses Trump.
Nikki Haley said former President Trump is "just not at the same level" of mental fitness as he was while president in 2016.
Residents of a southern Mexican town set the government palace on fire in response to the police killing of a young man
Samsung Launches AI-Driven Galaxy S24, Ushering in New Smartphone Era
Judge Questions SEC's Regulatory Overreach in Coinbase Lawsuit
The Ecuador prosecutor who was investigating the television studio attack, has been assassinated.
Is artificial intelligence the solution to cyber security threats?
Vivek Ramaswamy suspends his US election campaign and endorses Trump.
Viral Satire: A Staged Satirical Clip Mistaken as Real Footage from the 2024 World Economic Forum in Davos
The AI Revolution in the Workforce: CEOs at Davos Predict Major Job Cuts in 2024
Ecuador Reports 178 Hostages in Prison Gang Standoff
The Startling Cuban Espionage Case That Has Rattled the US Government
Two Armed Men in Ecuador, Dressed as Batman and The Joker Storm the Streets.
Armed Gang Raids Ecuadorian TV Station Following State of Emergency Declaration
Anti-Democratic Canada: Journalist Arrested for Questioning Canadian Finance Minister on Support of Terrorist Group
Ecuador's 'Most-Wanted' Criminal Vanishes from Prison
Mexican Cartel Supplied Wi-Fi to Locals Under Threat of Fatal Consequences for Non-Compliance
Border Surge Leads to Over 11,000 Migrants Waiting in Northern Mexico
Outsider Candidates Triumph in Latin American Elections
As Argentina Goes to the Polls, Will the Proposal to Replace the Peso with the Dollar Secure Votes?
Fatal Shark Attack Claims Life of Boston Woman Paddleboarding Near Bahamas Resort, According to Police
Former Bolivian President Evo Morales Denied Eligibility for 2025 Re-Election
Venezuela's Maduro Condemns 'Provocation' as UK Sends Warship to Guyana Venezuela's President Maduro has condemned the UK's deployment of the warship HMS Trent to Guyana as a hostile act amid ongoing border tensions
×