UK-based NCC Group’s security researchers have revealed a new Bluetooth relay attack that can be exploited to remotely unlock and operate select Tesla cars after evading all of the cars’ current authentication measures. The vulnerability lies in Bluetooth Low Energy (BLE), the technology employed by Tesla’s entry system that enables drivers with the app or key fob to unlock and operate their cars from nearby.

Most devices and vehicles that depend on this kind of proximity-based authentication are designed to protect against a range of relay attacks, which generally work by capturing the radio signal used to unlock a vehicle, for instance, and replaying it as if it were an authentic request; they do so by using encryption and introducing checks that make Bluetooth relay attacks more complicated.
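The distinction the paragraph draws matters: a challenge-response scheme stops a recorded signal from being replayed later, but a live relay simply forwards the fresh challenge to the real phone and carries its answer back, so the cryptography checks out. The following toy model is an added example, not code from the article or from NCC Group’s research, and it models no real BLE traffic; the shared key, the link delays and the latency budget are constructed values, and the round-trip bound is one assumed form of the “checks” the paragraph refers to.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed demo key. In a real phone-as-a-key deployment the key is provisioned at pairing time.
SHARED_KEY = b"constructed-demo-key-not-a-real-vehicle-key"

# Hypothetical latency budget: how long the vehicle will wait for a response from a phone that is
# genuinely within BLE range. The number is a placeholder chosen for this toy model.
MAX_ROUND_TRIP_S = 0.010


class Phone:
    """Legitimate key holder: it answers any challenge it receives, wherever it happens to be."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


@dataclass
class Link:
    """A radio path between vehicle and phone, reduced to a one-way delay in seconds.

    A relay (devices bridging the gap between car and phone) decrypts and modifies nothing;
    it only lengthens the path, so the only observable difference is extra delay."""

    phone: Phone
    one_way_delay_s: float

    def exchange(self, challenge: bytes) -> tuple[bytes, float]:
        response = self.phone.respond(challenge)  # bytes forwarded unchanged in both directions
        return response, 2 * self.one_way_delay_s


class Vehicle:
    """Issues a fresh nonce per attempt and verifies the keyed response.

    With enforce_latency=False this is bare challenge-response, which a relay passes;
    with enforce_latency=True the vehicle also rejects responses that arrive too slowly."""

    def __init__(self, key: bytes, enforce_latency: bool) -> None:
        self.key = key
        self.enforce_latency = enforce_latency

    def expected(self, nonce: bytes) -> bytes:
        return hmac.new(self.key, nonce, hashlib.sha256).digest()

    def try_unlock(self, link: Link) -> dict:
        nonce = os.urandom(16)
        response, rtt = link.exchange(nonce)
        mac_ok = hmac.compare_digest(response, self.expected(nonce))
        latency_ok = (not self.enforce_latency) or rtt <= MAX_ROUND_TRIP_S
        return {"unlocked": mac_ok and latency_ok, "mac_ok": mac_ok,
                "latency_ok": latency_ok, "rtt_s": rtt}

    def try_replay(self, captured_response: bytes) -> bool:
        """A recorded response is useless against a fresh nonce: this is what the crypto does stop."""
        nonce = os.urandom(16)
        return hmac.compare_digest(captured_response, self.expected(nonce))


def run_scenarios() -> dict:
    """Compare a nearby phone, a relayed far-away phone and a recorded replay against both car models."""
    phone = Phone(SHARED_KEY)
    direct = Link(phone, one_way_delay_s=0.001)           # phone genuinely next to the car
    relayed = Link(phone, one_way_delay_s=0.001 + 0.030)  # same phone, far away, bridged by relay hops

    naive_car = Vehicle(SHARED_KEY, enforce_latency=False)
    bounded_car = Vehicle(SHARED_KEY, enforce_latency=True)

    captured = phone.respond(os.urandom(16))  # a response recorded during some earlier session
    return {
        "direct_naive": naive_car.try_unlock(direct)["unlocked"],
        "relay_naive": naive_car.try_unlock(relayed)["unlocked"],
        "replay_naive": naive_car.try_replay(captured),
        "direct_bounded": bounded_car.try_unlock(direct)["unlocked"],
        "relay_bounded": bounded_car.try_unlock(relayed)["unlocked"],
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:15s} unlocked={outcome}")
```

Run as-is: the naive vehicle unlocks for both the nearby phone and the relayed one while correctly refusing the recorded replay, which is exactly the gap the researchers describe. The bounded vehicle still admits the nearby phone but refuses the relayed exchange on timing alone, since the MAC is valid in both cases. Real deployments have to pick the latency budget against genuine radio and processing jitter, which is why such checks are described as making relays harder rather than impossible.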

The Bluetooth Relay Attack Will Unlock Tesla Cars Without Any Struggle

Sultan Qasim Khan, a senior security consultant at NCC Group, said in a blog post that the group tested the Bluetooth relay attack against a 2020 Tesla Model 3 using an iPhone 13 mini running a recent, though not the latest, version of the Tesla app. The iPhone was positioned 25 meters away from the vehicle, according to the investigators, with two relaying devices between the iPhone and the car. Using the Bluetooth relay attack, the researchers were able to unlock the vehicle remotely.

Bluetooth Proximity Mechanisms Can Be Easily Broken with Cheap Hardware

The experiment was further replicated successfully on a 2021 Tesla Model Y, which also employs “phone-as-a-key” technology. In a video, Khan can be seen walking up to the Tesla Model Y holding a laptop with a relay device attached that initiates the Bluetooth relay attack, allowing him to wirelessly unlock the car and open the door. “Our research shows that systems that people rely on to guard their cars, homes, and private data are using Bluetooth proximity authentication mechanisms that can be easily broken with cheap off-the-shelf hardware,” said Khan.
