Unlocking someone else’s door when passing or a vehicle stolen – Insufficient security in Bluetooth Low Energy (BLE) may make this possible. This was reported by security researchers who developed a new relay attack. This would make it possible to unlock the Tesla 3 and Tesla Y electric cars and drive away, even if the cell phone used as the main surrogate is 25 meters away. This is likely to be the case regularly with vehicles parked in front of private homes.
Many electronic devices such as laptops and smartphones use BLE technology, but it is also used to control access to buildings and vehicles. Basically, this should only work if the key is close to the lock. Redundant relay attacks mimic the place between the lock and the key, which sends the signals.
Defensive measures make this more difficult, but according to an NCC Group report, those measures have now been rescinded. Your security researchers have successfully modified the link layer encryption so that access is possible even from a distance of 25 metres. They use one or even two iterators for this, and they’re still well below the maximum latency allowed. In addition to Teslas, lattice door locks from the Weiser and Kevo brands were also affected.
Tesla confirms security restrictions
According to security researchers, the bluetooth attack lasts only about ten seconds and can be repeated indefinitely. Both the Tesla Model 3 and the Model Y use BLE for authentication. With the BLE attack, electric cars can be unlocked and driven. Security researchers used the iPhone 13 Mini with version 4.6.1-891 of the Tesla app for this purpose computer bleeding.
The NCC Group informed Tesla of this last month. The company then explained that “such attacks are a known limitation of the passive access system.” Spectrum Brands, the company behind the Kwikset, Weiser and Kevo series of connected locks, was also briefed.
Tips: Activate the driver’s PIN, temporarily disable access
The Bluetooth SIG, a cross-company umbrella organization for Bluetooth standards, has also been reported. This also indicates the already known risks of these relay attacks. More accurate scope mechanisms are under development. The Bluetooth specification itself already warns of such attacks. They recommend against using authentication that depends only on the proximity of valuable hardware.
Even if the Bluetooth vulnerability has not yet been exploited, users must switch to alternative methods of authentication. Tesla owners can enable the “Enter PIN to Drive” feature. Then potential BLE attackers can only unlock the car, but they can’t get away from it. Additionally, users can turn off passive access in the app when they are not on the move. This makes a BLE attack impossible.
One alternative to BLE is Ultrawideband (UWB), such as that used in shareable virtual car keys offered by BMW and Google. UWB distance limits are a more effective measure against relay attacks.
(vacation)
Lifelong foodaholic. Professional twitter expert. Organizer. Award-winning internet geek. Coffee advocate.