BLE Phone-as-a-Key vulnerability allows access to Tesla Model 3 • The Register

Tesla Model 3 and Y owners, beware: Your vehicle’s passive entry feature could potentially be fooled by a new form of relay attack.

Discovered and tested by NCC Group researchers, the attack uses a tool similar to NCC’s to relay the Bluetooth Low Energy (BLE) traffic between a smartphone that has been paired to a Tesla and the vehicle, so the car believes the phone is right next to it. Far from simply unlocking the door, the attack lets the attacker start the car and drive away as well.

In their tests, NCC Group said they were able to perform a relay attack that opened a Tesla Model 3 while the vehicle’s paired phone was inside a house, on the far side of the building from the car, about 25 meters away.

Using phone-side and vehicle-side relay devices built from $50 Bluetooth development modules, the team gained full access to the Tesla once the vehicle-side relay was brought to within 3 meters of the car.

While NCC only tested the attack on a Tesla Model 3, Sultan Qasim Khan, senior security researcher at NCC and author of the advisory, said the Tesla app uses the same technology when connecting to a Model 3 or a Model Y. Khan also suspected that the Model 3 and Model Y key fobs were likely affected, although these were not tested.

The advisory added:

A key problem

Tesla doesn’t have a good history when it comes to security researchers finding ways to unlock its cars. In 2014, a group of Chinese university students demonstrated an attack on the Model S that allowed them to open the doors, sound the horn and more while the vehicle was in motion, and a second Chinese group did the same in 2016. In the same year, the Tesla app was hijacked to allow attackers to track, locate, unlock and start vehicles. Two years later, Belgian researchers managed to clone Tesla key fobs, giving them full control over the affected vehicle.

A Bluetooth problem

At the same time as NCC Group released its Tesla BLE relay attack advisory, it released a second advisory, also authored by Khan. In it, he explains how NCC’s relay method works against anything that relies on BLE proximity to confirm the presence of an authorized user, not just Teslas.

In the advisory, Khan explains that BLE proximity relay attacks have been known for years. Luckily for fans of the protocol, existing relay tools introduce a lot of latency, and products have leaned on that. “Products typically try to prevent relay attacks by imposing strict Generic Attribute Profile (GATT) response time limits and/or using link-layer encryption,” Khan said.

NCC Group’s new tool instead relays at the link layer, which Khan says keeps the added latency within the range of normal GATT response timing variation, so response-time limits never trip. And because it forwards link-layer packets as-is, it can relay encrypted link-layer traffic without ever needing the keys, so link-layer encryption is no obstacle either, Khan said.

It’s worth noting that the Bluetooth Core Specification makes no claim that BLE proximity signals are secure. In the 2015 update to the Proximity Profile specification, the Bluetooth Special Interest Group (SIG) stated that “the Proximity Profile should not be used as the sole protection of valuable assets” and that “there is currently no known way to protect against such attacks using Bluetooth technology.”

Car owners should disable passive entry

Khan said the Tesla Product Security Team was notified of the issue in April. Its response was that relay attacks are a known limitation of the passive entry system.

Tesla owners who are concerned about a relay attack should enable the PIN to Drive feature in their Tesla and disable passive entry.

Khan also said that mitigations such as having the app report the phone’s last known location, or using time-of-flight based distance bounding, could protect owners, but those changes would have to come from Tesla, and Khan told Bloomberg that the company said it had no plans to do so.
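To make the latency argument concrete, here is an added Python model (not code from NCC Group, Tesla or The Register) of a BLE passive-entry challenge-response and the two ways of bounding the phone’s distance discussed above: GATT response-time limits, and time-of-flight ranging. The HMAC possession proof, the 30 ms connection interval, the 8 ms link-layer relay delay and the 90 ms application-layer relay delay are all assumed, illustrative numbers, not measurements from the advisory. The model shows why millisecond-scale GATT timing cannot distinguish a 3 m phone from a relayed one, while nanosecond-scale time of flight turns the same relay delay into an apparent distance of more than a thousand kilometers.

```python
"""Constructed model of BLE passive entry vs. a relay (illustrative assumptions only)."""
import hashlib
import hmac
import math

SPEED_OF_LIGHT_M_PER_S = 299_792_458.0

# --- 1. The cryptography: a possession proof that a relay forwards unchanged ---

def phone_respond(pairing_key: bytes, challenge: bytes) -> bytes:
    """Phone side: prove possession of the key shared at pairing. HMAC stands in
    for whatever the real protocol does; the point holds for any challenge-response."""
    return hmac.new(pairing_key, challenge, hashlib.sha256).digest()


def vehicle_verify(pairing_key: bytes, challenge: bytes, response: bytes) -> bool:
    """Vehicle side. Nothing here depends on *where* the phone physically is."""
    return hmac.compare_digest(phone_respond(pairing_key, challenge), response)


def relay(pdu: bytes) -> bytes:
    """A link-layer relay copies packets byte for byte, encrypted or not, and never
    needs the key, so the response it delivers is exactly what the phone sent."""
    return bytes(pdu)

# --- 2. GATT response-time bounding: the defence the article says products use ---

def gatt_round_trip_ms(phone_processing_ms: float, relay_added_ms: float,
                       connection_interval_ms: float) -> float:
    """RTT of a GATT write plus response as the vehicle sees it.

    A BLE peripheral can only transmit at its next connection event, so the
    response lands on a connection-interval boundary. That quantisation, not radio
    propagation, dominates GATT timing, which is why an honest phone's RTT already
    varies by whole intervals (assumed here to be 30 ms)."""
    total_ms = phone_processing_ms + relay_added_ms
    return math.ceil(total_ms / connection_interval_ms) * connection_interval_ms


def gatt_bound_passes(rtt_ms: float, limit_ms: float) -> bool:
    """A product's response-time limit must tolerate honest jitter, so the limit is
    typically a couple of connection intervals wide."""
    return rtt_ms <= limit_ms

# --- 3. Time-of-flight bounding: the class of mitigation Khan pointed to ---

def tof_round_trip_s(distance_m: float, responder_turnaround_s: float,
                     relay_added_s: float = 0.0) -> float:
    """Round trip of a ranging exchange: out-and-back propagation at c, plus a
    fixed, calibrated turnaround in the responder, plus any relay delay."""
    return 2 * distance_m / SPEED_OF_LIGHT_M_PER_S + responder_turnaround_s + relay_added_s


def tof_distance_m(rtt_s: float, responder_turnaround_s: float) -> float:
    """Invert the above: subtract the known turnaround and convert the remaining
    time to distance. Every extra millisecond of delay appears as ~150 km."""
    return (rtt_s - responder_turnaround_s) * SPEED_OF_LIGHT_M_PER_S / 2


def tof_bound_passes(distance_m: float, max_distance_m: float) -> bool:
    return distance_m <= max_distance_m


if __name__ == "__main__":
    # Constructed parameters (assumptions, not measurements).
    key, challenge = b"\x11" * 32, b"\x22" * 16
    interval_ms, phone_ms, limit_ms = 30.0, 20.0, 60.0
    turnaround_s = 20e-6

    # The crypto passes whether or not a relay sits in the middle.
    print("relayed response verifies:",
          vehicle_verify(key, challenge, relay(phone_respond(key, challenge))))

    for label, relay_ms in (("no relay", 0.0), ("link-layer relay", 8.0),
                            ("app-layer relay", 90.0)):
        rtt = gatt_round_trip_ms(phone_ms, relay_ms, interval_ms)
        print(f"GATT {label:17s} rtt={rtt:5.0f} ms  passes={gatt_bound_passes(rtt, limit_ms)}")

    for label, relay_s in (("no relay", 0.0), ("link-layer relay", 8e-3)):
        d = tof_distance_m(tof_round_trip_s(3.0, turnaround_s, relay_s), turnaround_s)
        print(f"ToF  {label:17s} distance={d:14.1f} m  passes={tof_bound_passes(d, 5.0)}")
```

The GATT limit has to sit above the honest phone's worst-case RTT, and that worst case already spans whole connection intervals, so a relay that adds less than one interval is invisible to it; an application-layer relay that re-enters a full BLE stack on each side is what the old tools looked like, and it is the only one the limit catches. Time of flight has no such blind spot because the quantity it measures, radio propagation, has no millisecond-scale jitter to hide behind.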

Since BLE proximity authentication is used in so many devices securing so many things, this is a serious problem. Khan said the Bluetooth SIG was notified as well, and told him that “more accurate ranging mechanisms are under development.”

We’ve asked the Bluetooth SIG to tell us more about these mechanisms and their availability, but don’t have a response yet. ®
