
Security researchers have demonstrated a new Bluetooth relay attack that allows some Tesla vehicles to be unlocked and controlled remotely.
The vulnerability resides in Bluetooth Low Energy (BLE), the technology used by Tesla’s access system that allows drivers to unlock and operate their car at close range using the app or key fob. Most devices and vehicles that rely on this type of proximity-based authentication are designed to protect against relay attacks, which typically work by capturing the radio signal used, for example, to unlock a vehicle and replaying it as if it were an authentic request; they do so by using encryption and introducing checks that make relay attacks more difficult.
But researchers from the UK-based NCC Group say they have developed a tool for performing a new type of BLE link layer relay attack that bypasses existing solutions, theoretically allowing attackers to unlock and operate vehicles remotely.
Sultan Qasim Khan, senior security advisor at NCC Group, said in a blog post that it tested the attack on a 2020 Tesla Model 3 using an iPhone 13 mini running a recent but not the latest version of the Tesla app. The iPhone was placed 25 meters away from the vehicle, according to the researchers, with two relay devices between the iPhone and the car. Using the tool, the researchers were able to unlock the vehicle remotely. The experiment was also successfully replicated on a 2021 Tesla Model Y, which also uses phone-as-a-key technology.
While the attack was demonstrated on Tesla vehicles, Khan notes that any vehicle that uses BLE for its keyless entry system could be vulnerable to this attack. In a separate advisory, NCC Group warns that the attack could also be used against the Kwikset and Weiser Kevo line of smart locks, which support BLE passive access through their “touch-to-open” functionality.
“Our research shows that systems that people rely on to monitor their cars, homes and private data use Bluetooth proximity authentication mechanisms that can be easily broken with inexpensive off-the-shelf hardware,” Khan said.
The researchers disclosed their findings to Tesla and the Bluetooth Special Interest Group (SIG), an industry group that oversees the development of the Bluetooth standard, which acknowledged the problem but said relay attacks were a known issue with Bluetooth. Tesla officials also said relay attacks were a known limitation of the passive entry system. Tesla did not respond to businesstraverse.com’s request for comment. (Tesla scrapped its PR team in 2020.)
“NCC Group recommends that the SIG proactively advise its members in developing proximity authentication systems about the risks of BLE relay attacks,” Khan added. “In addition, documentation should make it clear that relay attacks are practical and should be incorporated into threat models, and that neither link-layer encryption nor expectations of normal response timing are defenses against relay attacks.”
The researchers encourage Tesla owners to use the PIN-to-Drive feature, which requires a four-digit PIN to be entered before the vehicle can be driven, and to disable the passive entry system in the mobile app.
Tesla is no stranger to security flaws. Earlier this year, a 19-year-old security researcher said he was able to remotely access dozens of Teslas around the world because security bugs found in an open source logging tool popular with Tesla owners put their cars directly on the Internet.