BLE ‘relay attack’ bad news for Tesla, digital locks


Link layer relay works in spite of encryption.

UK researchers have demonstrated a simple attack against digital locks that rely on the proximity authentication feature of the Bluetooth Low Energy (BLE) wireless protocol.

NCC Group researchers tested their attack on a Tesla Model 3 paired with an iPhone 13 Mini running the Tesla app, and were able to unlock the vehicle with the smartphone while it was outside BLE range, 25 metres away. The researchers also say an attacker can operate the vehicle.

The researchers have released three advisories today: a generic advisory covering BLE proximity authentication, one specific to Tesla Model 3 cars, and another for Kwikset/Weiser Kevo smart locks.

Vulnerable locking systems unlock themselves when a trusted BLE device is near the lock.

In a relay attack, an attacker-controlled device captures and forwards traffic between the BLE device (for example, a trusted smartphone) and the lock.

To protect against this, proximity authentication systems measure the latency between the lock and the trusted BLE device, because a relay attack introduces extra latency into this handshake.

However, NCC Group researchers have found a way to “forward link-layer responses within a single connection event and introduces as little as 8 ms of round-trip latency beyond normal operation”.

“As typical connection intervals in proximity authentication systems are 30 ms or longer, added latency can generally be limited to a single connection event”, the company claimed.

The tool NCC Group developed is also able to relay connections even when upper layer parameters change.

“Thus, neither link layer encryption nor encrypted connection parameter changes are defences against this type of relay attack”, the advisory stated.
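The latency reasoning above, as an added example that is not NCC Group's tool or any vendor's code: a constructed Python model of a BLE link in which packets move only at connection events spaced a fixed interval apart, with a lock-side check that counts how many connection events a challenge-response round trip takes. The 30 ms interval and 8 ms relay delay are the figures quoted from the advisory; the phone processing time, the one-event tolerance, and the 200 ms "slow relay" comparison are assumptions chosen for illustration.

```python
"""Defender-side model of a latency-based BLE proximity check.

Constructed example. It shows why a check that measures round-trip time in
connection events cannot see a relay that adds less than one interval:
the answer simply lands in the same connection event it would have anyway.
"""
from dataclasses import dataclass


@dataclass
class LinkModel:
    connection_interval_ms: float   # spacing of BLE connection events (advisory: >= 30 ms)
    phone_processing_ms: float      # assumed time for the phone to answer a challenge
    relay_delay_ms: float = 0.0     # extra round-trip delay added by relaying, 0 = no relay


def response_event(link: LinkModel) -> int:
    """Index of the connection event in which the phone's answer reaches the lock.

    The challenge is sent at the start of event 0; the answer travels in whichever
    event is open when it is ready (event k spans [k*T, (k+1)*T)).
    """
    ready_ms = link.phone_processing_ms + link.relay_delay_ms
    return int(ready_ms // link.connection_interval_ms)


def latency_check_passes(link: LinkModel, tolerance_events: int = 1) -> bool:
    """Lock-side check: accept unless the answer is later than the no-relay baseline
    by more than `tolerance_events`. A tolerance of at least one event is assumed
    because legitimate links also lose events to retransmissions and scheduling."""
    baseline = LinkModel(link.connection_interval_ms, link.phone_processing_ms)
    return response_event(link) - response_event(baseline) <= tolerance_events


def minimum_detectable_delay_ms(link: LinkModel, tolerance_events: int = 1) -> float:
    """Smallest added round-trip delay that this check can notice.

    The answer moves from event floor(p/T) to a rejected event only once
    p + d >= (floor(p/T) + tolerance + 1) * T, so d >= that bound minus p.
    """
    T = link.connection_interval_ms
    p = link.phone_processing_ms
    baseline_event = int(p // T)
    return (baseline_event + tolerance_events + 1) * T - p


def should_unlock(link: LinkModel, user_confirmed: bool,
                  require_user_interaction: bool = True) -> bool:
    """Unlock policy combining the latency check with the advisory's recommendation
    that proximity alone should not unlock: require an explicit user action too."""
    if not latency_check_passes(link):
        return False
    if require_user_interaction and not user_confirmed:
        return False
    return True


if __name__ == "__main__":
    honest = LinkModel(connection_interval_ms=30, phone_processing_ms=5)
    fast_relay = LinkModel(30, 5, relay_delay_ms=8)     # link-layer relay per the advisory
    slow_relay = LinkModel(30, 5, relay_delay_ms=200)   # assumed slower, higher-layer relay

    for name, link in [("honest", honest), ("8 ms relay", fast_relay), ("200 ms relay", slow_relay)]:
        print(f"{name:12s} answer in event {response_event(link)}, "
              f"latency check passes: {latency_check_passes(link)}")
    print(f"check can only detect relays adding >= {minimum_detectable_delay_ms(honest)} ms")
    print("proximity-only unlock with 8 ms relay:",
          should_unlock(fast_relay, user_confirmed=False, require_user_interaction=False))
    print("user-interaction unlock with 8 ms relay, no tap:",
          should_unlock(fast_relay, user_confirmed=False))
```

With these numbers the 8 ms relay lands in the same connection event as an honest phone and passes the check, while the check cannot notice anything under 55 ms of added delay; only the policy that also demands a user action refuses the relayed unlock.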

In their Tesla test, the researchers only demonstrated unlocking a Model 3, but because of the similarity in specifications they believe a Model Y has the same vulnerability.

The advisory about the Kevo smart locks noted that two relaying devices were used in the attack.

“BLE communications between the two relaying devices are forwarded, making the smart lock and smartphone/key fob believe they are adjacent when they may actually be great distances apart, and allowing Touch-to-Open operations on Kevo smart locks to succeed.”

NCC Group noted that the Bluetooth Special Interest Group (SIG) “explicitly warns of the possibility of relay attacks”, warning that proximity indicated by a BLE connection “should not be used as the only protection of valuable assets”.

Despite this recommendation, several members of the Bluetooth industry forum rely on BLE proximity as the only protection anyway.

“NCC Group recommends that the SIG proactively advise its members developing proximity authentication systems about the risks of BLE relay attacks”, the advisory stated.

Where possible, NCC Group says proximity authentication software should require user interaction before it unlocks anything.

Where modification is impossible, the advisory calls for two things: users should be educated about the risks, and they should have the option of disabling proximity authentication.
