A group of security experts has discovered a method to bypass digital locks and other security systems that rely on the proximity of a Bluetooth fob or smartphone for authentication. NCC Group, a security consulting business, was able to unlock, start, and drive vehicles, as well as unlock and open certain residential smart locks, using what is known as a “link layer relay attack.”
Sultan Qasim Khan, the lead security consultant and researcher at NCC Group, demonstrated the attack on a Tesla Model 3, but he points out that the issue isn’t exclusive to Tesla. Any vehicle with a keyless entry system that uses Bluetooth Low Energy (BLE) is vulnerable to this attack.
Khan adds that many smart locks are also vulnerable. His company specifically mentioned the Kwikset/Weiser Kevo models, which have a touch-to-open feature that depends on passive detection of a nearby Bluetooth fob or smartphone.
Because the lock’s owner does not need to interact with the Bluetooth device to confirm they want to unlock the door, an attacker in a remote location can relay the key’s Bluetooth credentials and open someone’s door even if the homeowner is thousands of miles away.
How does it work?
This exploit still requires the attacker to have physical access to the owner’s Bluetooth device or key fob. The real Bluetooth key, on the other hand, does not need to be anywhere near the vehicle, lock, or other secured equipment, which makes it potentially dangerous.
Instead, Bluetooth signals are transferred between the lock and key via a pair of intermediate Bluetooth devices linked via another mechanism – generally over a conventional internet connection. As a result, the lock treats the hacker’s nearby Bluetooth device as the valid key.
As Khan explains, “we can convince a Bluetooth device that we are near it even from hundreds of miles away. Even when the vendor has taken defensive mitigations like encryption and latency bounding to theoretically protect these communications from attackers at a distance.”
Because the exploit operates at a very low level of the Bluetooth stack, it does not matter whether the data is encrypted, and it adds almost no latency to the connection. The target lock is unaware that it is not connecting with a legitimate Bluetooth device.
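The two points above (encryption does not help, and the lock only sees a well-formed nearby device) are easier to see in a toy model. The following is an added example, not NCC Group’s tooling or any vendor’s protocol: the challenge-response scheme, the shared key, and the millisecond timings are all constructed placeholders. The relay stage moves opaque bytes between the lock and the real fob without reading them, so a correct HMAC still arrives and a loose application-level round-trip bound is still met; the mitigation modelled is the one the article implies, requiring a deliberate user action on the key before it answers at all.

```python
"""Toy model of a proximity-unlock handshake and a byte-for-byte relay.

Everything here is constructed for illustration: the key, the timings and
the message format are invented and do not reflect any real product.
"""
import hashlib
import hmac
import os
from typing import Callable, Optional, Tuple

# Constructed demo key shared by lock and fob (assumption, not a real value).
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


class Fob:
    """Answers HMAC challenges. With require_press=True it only answers while
    the owner is actively pressing or tapping (explicit user intent)."""

    def __init__(self, key: bytes, require_press: bool = False) -> None:
        self.key = key
        self.require_press = require_press
        self.pressed = False

    def respond(self, challenge: bytes) -> Optional[bytes]:
        if self.require_press and not self.pressed:
            return None  # no user intent: stay silent
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


Channel = Callable[[bytes], Tuple[Optional[bytes], float]]


class Lock:
    """Unlocks on a valid HMAC response received within an application-level
    round-trip bound (the kind of latency check the article says is bypassed)."""

    def __init__(self, key: bytes, max_rtt_ms: float) -> None:
        self.key = key
        self.max_rtt_ms = max_rtt_ms

    def try_unlock(self, channel: Channel) -> dict:
        challenge = os.urandom(16)
        response, rtt_ms = channel(challenge)
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        authentic = response is not None and hmac.compare_digest(response, expected)
        in_bound = rtt_ms <= self.max_rtt_ms
        return {"unlocked": authentic and in_bound, "authentic": authentic, "rtt_ms": rtt_ms}


def direct_channel(fob: Fob, base_rtt_ms: float = 2.0) -> Channel:
    """Fob genuinely within BLE range of the lock (constructed timing)."""
    def send(challenge: bytes) -> Tuple[Optional[bytes], float]:
        return fob.respond(challenge), base_rtt_ms
    return send


def relay_channel(fob: Fob, added_ms: float, base_rtt_ms: float = 2.0) -> Channel:
    """Two relay boxes forward frames unchanged over some other link.
    The relay never holds the key and never decrypts anything: it only
    copies opaque bytes, which is why encryption alone does not stop it."""
    def send(challenge: bytes) -> Tuple[Optional[bytes], float]:
        forwarded = bytes(challenge)            # box near lock -> box near fob, unchanged
        reply = fob.respond(forwarded)          # real fob answers as if the lock were nearby
        relayed = None if reply is None else bytes(reply)
        return relayed, base_rtt_ms + added_ms  # small added delay (constructed)
    return send


def demo() -> dict:
    """Returns the unlock outcome for each scenario so the effect is checkable."""
    results = {}
    lock = Lock(SHARED_KEY, max_rtt_ms=30.0)  # loose application-level bound (constructed)

    # 1. Passive entry: the fob answers any challenge that reaches it.
    passive_fob = Fob(SHARED_KEY)
    results["direct"] = lock.try_unlock(direct_channel(passive_fob))["unlocked"]
    results["relayed_passive"] = lock.try_unlock(relay_channel(passive_fob, added_ms=8.0))["unlocked"]

    # 2. Mitigation: the key only answers on a deliberate owner action, so a
    #    relayed challenge arriving while the owner is idle gets no response.
    intent_fob = Fob(SHARED_KEY, require_press=True)
    results["relayed_needs_press"] = lock.try_unlock(relay_channel(intent_fob, added_ms=8.0))["unlocked"]
    intent_fob.pressed = True
    results["direct_with_press"] = lock.try_unlock(direct_channel(intent_fob))["unlocked"]
    return results


if __name__ == "__main__":
    for name, unlocked in demo().items():
        print(f"{name:22s} unlocked={unlocked}")
```

The model deliberately makes the relay succeed even though the lock verifies an HMAC and checks latency: the cryptography is sound, but it proves only that the real key answered, not where it was. The only scenario that fails is the one where the key stays silent without an owner action, which is why disabling passive entry (or requiring a PIN or tap) is the practical mitigation until physical-layer distance bounding is available.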
Because many Bluetooth security keys run in the background, a burglar would only need to place one device near the owner and the other near the target lock. A pair of robbers, for example, could work together to follow a Tesla owner away from their vehicle, transmitting Bluetooth signals back to the car so that it could be taken after the owner was sufficiently distanced.
With adequate coordination, these attacks may be carried out across great distances. A person on vacation in London may have their Bluetooth keys relayed to their door locks in Los Angeles, allowing a criminal to get access swiftly by simply touching the lock. This extends beyond automobiles and smart locks. It may be used to unlock computers that rely on Bluetooth proximity detection, prevent mobile phones from locking, circumvent building access control systems, and even spoof the position of an asset or a medical patient, according to the researchers.