The Bluetooth Attack Allows Tesla Cars To Be Broken Into
Aug 03, 2022 | Chloe Lacour
The weakness in proximity-based unlocking mechanisms via Bluetooth LE also affects numerous other devices such as smart locks
The best protection is of little use if the communication channel it relies on is vulnerable. This is the problem now facing manufacturers of devices whose unlock mechanism is based on the Bluetooth Low Energy standard (Bluetooth LE).
Researchers from the NCC Group have discovered a way to use this transmission path in a relay attack that circumvents many of the security mechanisms on target devices. Not only smart home devices such as networked door locks are vulnerable, but also Tesla's Model 3 and probably the Model Y as well. The underlying weakness in securing proximity-based authentication is difficult to remedy.
Attack with forwarding
In a relay attack, an attacker intercepts the communication between two endpoints and, if necessary, manipulates it to their advantage. In the case of Tesla cars, the communication in question is the signal between the car key and the car. Protection against attacks of this type usually works by partially encrypting the communication and by setting a tolerance limit on the transmission time, since manipulated data packets arrive later.
However, the NCC Group's attack tool operates at the encrypted level (the link layer) and can also detect and react to changes in the connection parameters. At the same time, it does not manipulate the data itself, but only forwards it. The latency this introduces is eight milliseconds, which is well within the tolerance window for delivery.
Model 3 and Model Y use a proximity-based unlock system. Previously authorized devices - such as a mobile phone or your own car key - must be in the immediate vicinity of the car, after which it will be unlocked automatically. The car's system uses the strength of the Bluetooth signal to measure the distance.
Remote attack conceivable
The researchers managed to intercept the signal from an authorized iPhone that was no longer within Bluetooth range of the car and forward it via two transmitters in order to successfully unlock a Tesla Model 3 (model year 2020). They assume that this can also be done on a Model Y, and with a car key instead of a mobile phone. They also believe a remote attack is feasible, in which the signal from the smartphone or car key is transmitted over the Internet to a relay device and then re-broadcast via Bluetooth LE.
NCC has already successfully tested the same attack on other devices, such as smart locks. They recommend integrating new security mechanisms, such as requiring user interaction to confirm an unlock, or an alternative, more secure method of measuring distance, although the latter requires changes to the hardware.
Simple protection for Teslas
Until manufacturers who intend to improve their software deliver updates, it is up to them to inform their customers so that customers can take measures themselves. In the case of Teslas, owners have the option of setting up a PIN-based immobilizer. If this is activated, an attacker could still potentially unlock the car with the relay attack, but could not drive away without knowing the code.
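To make concrete why the signal-strength and timing checks described under "Attack with forwarding" do not stop a link-layer relay, and why the user-confirmation and PIN to Drive measures do, here is a small decision-policy model written for this article. It is an added illustration, not NCC Group's tool or Tesla's implementation; every threshold and sample observation is a constructed assumption, and the only figure taken from the article is the eight-millisecond relay latency.

```python
from dataclasses import dataclass, replace

# Constructed model parameters (assumptions), except the relay latency,
# which is the figure reported in the article.
RSSI_UNLOCK_DBM = -70.0        # assumed "in the immediate vicinity" threshold
LATENCY_TOLERANCE_MS = 30.0    # assumed tolerance window for the key's reply
RELAY_LATENCY_MS = 8.0         # reported latency added by the relay

@dataclass(frozen=True)
class Observation:
    rssi_dbm: float        # signal strength as measured by the car
    round_trip_ms: float   # challenge-to-reply time as measured by the car
    user_confirmed: bool   # key holder explicitly approved this unlock

# Constructed samples: the phone in the owner's pocket beside the car,
# and the same phone left well out of Bluetooth range.
PHONE_NEXT_TO_CAR = Observation(rssi_dbm=-50.0, round_trip_ms=12.0, user_confirmed=False)
PHONE_FAR_AWAY = Observation(rssi_dbm=-100.0, round_trip_ms=12.0, user_confirmed=False)

def relayed(direct: Observation) -> Observation:
    """What the car observes when the key's frames are forwarded unchanged.

    The car measures RSSI from the relay radio parked beside it, not from the
    distant key, so signal strength no longer encodes distance; the only trace
    of the forwarding is the extra latency on the reply.
    """
    return replace(direct, rssi_dbm=-55.0,
                   round_trip_ms=direct.round_trip_ms + RELAY_LATENCY_MS)

def legacy_unlock(obs: Observation) -> bool:
    """Proximity inferred from signal strength and reply timing alone."""
    return obs.rssi_dbm >= RSSI_UNLOCK_DBM and obs.round_trip_ms <= LATENCY_TOLERANCE_MS

def hardened_unlock(obs: Observation) -> bool:
    """Same checks plus the user-interaction requirement NCC recommends."""
    return legacy_unlock(obs) and obs.user_confirmed

def may_drive(unlocked: bool, pin_to_drive_enabled: bool, pin_entered_correctly: bool) -> bool:
    """PIN to Drive: unlocking the cabin does not by itself authorise driving."""
    if not unlocked:
        return False
    return pin_entered_correctly if pin_to_drive_enabled else True

if __name__ == "__main__":
    far_relayed = relayed(PHONE_FAR_AWAY)
    print("far key, direct            ->", legacy_unlock(PHONE_FAR_AWAY))    # False
    print("far key, relayed           ->", legacy_unlock(far_relayed))       # True
    print("relayed, hardened policy   ->", hardened_unlock(far_relayed))     # False
    print("relayed, PIN to Drive, no PIN ->", may_drive(legacy_unlock(far_relayed), True, False))  # False
```

The model shows the shape of the problem rather than any real stack: as long as distance is inferred from RSSI and a coarse timing window, the car cannot distinguish a nearby relay from a nearby key.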
Technical details of the attack method were not published for security reasons. Even if criminals work out for themselves how the attack can be carried out, a wave of break-ins is not to be expected given the considerable effort involved. Just in case, however, we recommend activating the "PIN to Drive" function. (GPI, 19.5.22)