When you use your phone to unlock a Tesla, your device and the car use Bluetooth signals to measure their proximity to each other. Walk up to the car with the phone in hand, and the door unlocks automatically. Walk away, and it locks again. This proximity authentication rests on the assumption that the key stored on the phone can only be transmitted when the locked device is within Bluetooth range.
Now a researcher has devised a hack that lets him unlock millions of Teslas, and countless other devices, even when the authenticating phone or key fob is hundreds of yards or even miles away. The hack, which exploits weaknesses in the Bluetooth Low Energy standard used by thousands of device manufacturers, can be used to unlock doors, open and operate vehicles, and gain unauthorized access to laptops and other security-sensitive devices.
When convenience comes back to bite us
“Hacking a car from hundreds of kilometers away demonstrates how our connected world exposes us to threats from the other side of the country, and sometimes even from the other side of the world,” Sultan Qasim Khan, principal consultant and security researcher at the security firm NCC Group, told Ars. “This research bypasses typical countermeasures against remote car unlocking and changes the way we should think about the security of Bluetooth Low Energy communications.”
This class of hack is known as a relay attack, a close cousin of the man-in-the-middle attack. In its simplest form, a relay attack requires two attackers. In the case of a locked Tesla, the first attacker, whom we will call Attacker 1, is in close proximity to the car while it is out of range of the authenticating phone. Meanwhile, Attacker 2 is in close proximity to the legitimate phone used to unlock the car. Attacker 1 and Attacker 2 have an open Internet connection between them that allows them to exchange data.
Attacker 1 uses their own Bluetooth-enabled device to impersonate the authenticating phone and sends the Tesla a signal, prompting the Tesla to reply with an authentication request. Attacker 1 captures the request and sends it to Attacker 2, who in turn forwards it to the authenticating phone. The phone responds with a credential, which Attacker 2 promptly captures and relays back to Attacker 1. Attacker 1 then sends the credential to the car.
With that, Attacker 1 has unlocked the car. Note that nothing in this exchange is decrypted or forged: the attackers only forward messages, so the car sees a valid credential arriving from a radio within Bluetooth range. Here is a simplified diagram of the attack, taken from the Wikipedia article linked above, followed by a video demonstration of Khan unlocking a Tesla and driving away in it even though no authorized phone is nearby.
Relay attacks in the real world don’t need two actual attackers. The relay device can be stashed in a garden, coat room or other out-of-the-way spot at a home, restaurant or office. When the target arrives at the destination and moves within Bluetooth range of the hidden device, it retrieves the secret credential and transmits it to a second device positioned near the vehicle (controlled by Attacker 1).
The susceptibility of BLE, short for Bluetooth Low Energy, to relay attacks is well known, so device manufacturers have long relied on countermeasures to prevent the scenario above. One such protection is to measure the latency between request and response and deny authentication when the delay exceeds a certain threshold, because relayed communication usually takes longer than a legitimate exchange. Another protection is encrypting the credential sent by the phone (which stops an eavesdropper from reusing a captured credential, but on its own does nothing against a relay that forwards it unread).
Khan’s BLE relay attack defeats these mitigations, making such hacks viable against a large base of devices and products that were previously assumed to be hardened against them.
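To make the exchange and the latency countermeasure concrete, here is an added simulation that is not part of the original article and is not Tesla's protocol or NCC Group's tooling. The car issues a random nonce, the phone answers with an HMAC over it under a shared key (the "encrypted credential"), and the two attackers of the text are modelled as hops that forward bytes unchanged. The hop delays, the 10 ms budget and the key are all constructed values. It shows why the cryptography verifies just the same through a relay, why a replayed credential does not work (the relay has to be live), and how a round-trip latency threshold is the one thing in this model that tells the relayed exchange apart. The article does not describe how Khan's attack stays under such thresholds, and this example does not attempt to reproduce that.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed shared key; a real product provisions it when the phone is paired.
SHARED_KEY = secrets.token_bytes(32)

# Constructed one-way delays in seconds: BLE hops are short, the Internet leg is not.
DIRECT_PATH = [("phone<->car (BLE)", 0.001)]
RELAY_PATH = [
    ("Attacker 1<->car (BLE)", 0.001),
    ("Attacker 1<->Attacker 2 (Internet)", 0.030),
    ("Attacker 2<->phone (BLE)", 0.001),
]


@dataclass
class Verdict:
    mac_ok: bool      # credential verifies under the shared key
    latency_ok: bool  # round trip within the car's budget (always True if it has none)
    unlocked: bool    # both checks passed


class Phone:
    """The authorised phone: answers any challenge it hears, from anyone in range."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        # Credential = MAC over the car's nonce; the key itself never leaves the phone.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Car:
    """The locked car: fresh nonce per attempt, verifies the MAC that comes back."""

    def __init__(self, key: bytes, latency_limit_s: Optional[float]) -> None:
        self._key = key
        self.latency_limit_s = latency_limit_s
        self._pending: Optional[bytes] = None

    def issue_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)  # new nonce, so an old answer will not verify
        return self._pending

    def check(self, response: bytes, rtt_s: float) -> Verdict:
        if self._pending is None:
            return Verdict(False, False, False)
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()
        self._pending = None  # one answer per challenge
        mac_ok = hmac.compare_digest(expected, response)
        latency_ok = self.latency_limit_s is None or rtt_s <= self.latency_limit_s
        return Verdict(mac_ok, latency_ok, mac_ok and latency_ok)


def run_exchange(car: Car, phone: Phone,
                 path: List[Tuple[str, float]]) -> Tuple[Verdict, List[str]]:
    """One unlock attempt over a path of (hop name, one-way delay) links.

    Each hop forwards the bytes untouched, which is all a relay does; the only
    trace it leaves is added round-trip time. Returns the verdict and a transcript.
    """
    transcript: List[str] = []
    msg = car.issue_challenge()
    for name, _delay in path:  # car -> ... -> phone
        transcript.append(f"{name}: challenge {msg.hex()[:8]}.. forwarded unread")
        msg = bytes(msg)
    response = phone.respond(msg)
    for name, _delay in reversed(path):  # phone -> ... -> car
        transcript.append(f"{name}: credential {response.hex()[:8]}.. forwarded unread")
    rtt_s = 2 * sum(delay for _name, delay in path)
    verdict = car.check(response, rtt_s)
    transcript.append(f"car: rtt={rtt_s * 1000:.0f} ms mac_ok={verdict.mac_ok} "
                      f"latency_ok={verdict.latency_ok} unlocked={verdict.unlocked}")
    return verdict, transcript


def replay_attempt(car: Car, phone: Phone) -> Verdict:
    """Capture one genuine credential and present it against a later challenge."""
    captured = phone.respond(car.issue_challenge())
    car.check(captured, 0.002)  # the genuine unlock consumes that challenge
    car.issue_challenge()       # a new attempt means a new nonce
    return car.check(captured, 0.002)


if __name__ == "__main__":
    phone = Phone(SHARED_KEY)
    for label, limit in [("no latency check", None), ("10 ms budget", 0.010)]:
        for path_name, path in [("direct", DIRECT_PATH), ("relayed", RELAY_PATH)]:
            _verdict, transcript = run_exchange(Car(SHARED_KEY, limit), phone, path)
            print(f"[{label}, {path_name}]")
            print("  " + "\n  ".join(transcript))
    print("replayed credential unlocks:", replay_attempt(Car(SHARED_KEY, None), phone).unlocked)
```

Run it and the relayed exchange unlocks the car without a latency check, fails only on latency with one, and the replay never verifies. The design choice worth noticing is that the HMAC check and the latency check are independent bits of the verdict: the relay passes the first every time, so a product that has only that check has no defence at all against this class of attack.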