A vulnerability in the Bluetooth technology can be exploited to remotely unlock tens of millions of digital locks worldwide, including those on Tesla cars.
Sultan Qasim Khan, a researcher at the NCC Group successfully exploited the flaw to open and drive a Tesla Model 3 and Y model using a device attached to a laptop.
The relay device managed to bridge a large gap between the Tesla and the owner’s phone, making it possible for Khan to drive the car.
If any product is dependent on a trusted Bluetooth connection, then the product is vulnerable to intrusion, even if the attacker is from another continent.
Despite this vulnerability being of concern, it is primarily due to how inexpensive off-the-shelf hardware can easily be used to defeat proximity authentication mechanisms in Bluetooth devices.
It’s so easy to do so that one does not have to understand coding to be able to exploit it. Instead, a Bluetooth developer board is needed to do so, as well as ready-made programs.
The Tesla Model 3 and Y are not alone in being vulnerable; other keyless entry vehicles with automotive keyless entry as well are. Owing to this flaw, an attacker is able to get into someone else’s car, unlock it and drive it.
The same applies to all laptops, smartphones, as well as tablets that have Bluetooth proximity, and unlock features enabled. If you have upgraded your traditional lock to a smart lock, you may also be at risk for theft.
The NCC Group has exploited various smart locks manufactured by Kwikset/Weiser Kevo, and this information regarding the exploitation was already reported to the respective companies.
BLE-based authentication was not originally designed to be used in locking mechanisms, so this vulnerability was not like a typical bug that could be fixed by a software patch.
No claims are made regarding the resistance of Bluetooth to relay attacks in the Bluetooth Core Specification. In addition, Section 6 of the Proximity Profile expressly mentions that it is possible to launch a relay attack when using the profile (v1.0.1, updated in 2015).
Some Bluetooth SIG members claim they can defend against relay attacks, but their systems are still vulnerable. That’s why the NCC Group recommends that the SIG should immediately inform its members about the risks related to BLE relay attacks when developing proximity authentication systems.
Developers should be encouraged to either implement a user-interaction-based security solution or use technology like UWB time-of-flight technology to secure the Bluetooth devices.
It is recommended that users should be educated about the risks associated with relay attacks for existing systems where hardware modification is not possible.
Moreover, it is also a smart idea to allow users to disable the inferred proximity-based passive entry feature.