Tesla Cars and Smart Home Locks Vulnerable to Bluetooth Low Energy Relay Attacks

essidsolutions

U.K.-based cybersecurity firm NCC Group has uncovered a new relay attack that allows an attacker to breach and access devices, appliances, and cars using Bluetooth Low Energy. The company successfully demonstrated the relay attack on a Tesla Model 3 and Kwikset/Weiser Kevo smart locks.

Researchers at NCC Group have found a way to bypass security systems in devices with Bluetooth Low Energy (BLE) and compromise users through a novel relay attack. Specifically, the devices leveraging Bluetooth proximity authentication are at risk.

BLE proximity authentication is used across various sectors such as residential security, entertainment, automotive, healthcare, etc. The potential attack surface includes keyless cars, laptops, mobile phones, residential smart locks, building access control systems, asset and medical patient tracking and other Phone-as-a-Key systems.

NCC Group was able to unlock, start and drive a vulnerable vehicle using the relay attack technique. Even the famous electric vehicle maker Tesla, which prides itself on the robust cybersecurity measures in its cars, could be attacked. But the attack path passes through the BLE tech and not through Tesla’s security systems.

Principal security consultant Sultan Qasim Khan successfully demonstrated the BLE relay on Tesla Models 3 and Y and Kwikset/Weiser Kevo smart lock for residential buildings.

To be clear, the possibility of a relay attack on systems implemented with BLE isn’t because of a bug or a vulnerability in BLE. Instead, it exists because BLE’s intended use has been stretched far beyond what it was designed for. Use cases such as locking mechanisms aren’t what BLE was intended to enable.

Khan said, “This research circumvents typical countermeasures against remote adversarial vehicle unlocking, and changes the way engineers and consumers alike need to think about the security of Bluetooth Low Energy communications. It’s not a good idea to trade security for convenience — we need better safeguards against such attacks.”

Potential BLE attacks

Relay attacks against BLE aren’t uncommon, and they are typically detected through high round-trip latency (30 ms or longer) in purpose-built GATT request and response forwarding: the relay adds a hop, so responses arrive later than they would from a device that is actually nearby, and authentication fails once the latency exceeds the bound. In a relay attack, the attacker forwards the legitimate device’s signal to a remote target so that the target believes the device is in range.

Relay attacks against BLE systems are also mitigated with link-layer encryption (AES-128 in Cipher Block Chaining-Message Authentication Code mode) and with triangulation-based localization techniques.

However, the BLE relay attack demonstrated by Khan operates at the link layer. An attacker at that layer can forward encrypted link-layer protocol data units (PDUs), detect changes to connection parameters even when those changes are encrypted, and keep relaying the connection across the parameter change. Consequently, neither link-layer encryption nor encrypted connection parameter changes serve as a defense.


Moreover, the relay adds as little as 8 ms of round-trip latency, well under the detection threshold, so the target cannot tell that the connection actually passes through an illegitimate relay rather than going directly to the legitimate phone. This opens up the possibility of an attack carried out from a distant location.

“What makes this powerful is not only that we can convince a Bluetooth device that we are near it — even from hundreds of miles away — but that we can do it even when the vendor has taken defensive mitigations like encryption and latency bounding to theoretically protect these communications from attackers at a distance,” Khan added.

NCC Group confirmed this by placing an iPhone 25 meters (outside BLE range) from a Tesla Model 3 running the v11.0 (2022.8.2) software build. A phone-side relaying device was kept 7 meters from the phone, and a vehicle-side relaying device 3 meters from the vehicle. Khan successfully unlocked, opened and operated the electric car.

The tool Khan developed to break BLE in Tesla cars and Kwikset/Weiser Kevo smart locks isn’t available publicly for obvious reasons. NCC Group has disclosed the relay attack technique to both companies and to the Bluetooth Special Interest Group.

Recommendations to mitigate these new BLE relay attacks

  • Disable proximity key functionality when the user’s phone (as determined by its accelerometer) or the key fob has been stationary for some time. A “user motion state” can also be tracked to identify the user.
  • A second factor for authentication or verification of user presence, such as requesting a tap on an unlock button in an app on the phone, could help.
  • Disable passive unlock functionality that does not require explicit user approval, or disable Bluetooth on mobile devices when it’s not needed.
  • Since Bluetooth or BLE can be tricked into believing the user is nearby, GPS geofencing can be used as an independent confirmation of the user’s location.
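As an added example (not NCC Group’s tool or any vendor’s code), the policy below layers the recommendations above on top of the latency bound discussed earlier and runs it over constructed scenarios, showing why the 30 ms check alone does not stop an 8 ms link-layer relay. The 300 s motion timeout, 50 m geofence, coordinates, and every RTT other than the quoted 30 ms and 8 ms are assumptions.

```python
# Added example, not NCC Group's or a vendor's implementation. The 30 ms bound and
# the 8 ms relay RTT come from the article; all other values are assumptions.
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

RTT_LIMIT_MS = 30.0          # latency bound quoted in the article
MOTION_STALE_S = 300          # assumed: key dormant after 5 min without motion
GEOFENCE_M = 50.0             # assumed: phone GPS must be within 50 m of the lock


@dataclass
class UnlockRequest:
    rtt_ms: float             # round trip of the GATT challenge/response
    secs_since_motion: float  # accelerometer-derived time since the phone last moved
    user_tapped: bool         # explicit approval in the app (second factor)
    phone_gps: tuple          # (lat, lon) reported by the phone
    lock_gps: tuple           # (lat, lon) of the vehicle or door


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371000 * asin(sqrt(h))


def evaluate(req: UnlockRequest) -> list:
    """Return the list of failed checks; an empty list means unlock is permitted."""
    failures = []
    if req.rtt_ms > RTT_LIMIT_MS:               # catches slow GATT-level forwarders
        failures.append("latency")
    if req.secs_since_motion > MOTION_STALE_S:  # phone left on a desk: key dormant
        failures.append("stationary")
    if not req.user_tapped:                     # passive unlock disabled
        failures.append("no_user_approval")
    if haversine_m(req.phone_gps, req.lock_gps) > GEOFENCE_M:
        failures.append("geofence")
    return failures


# Constructed scenarios: the 8 ms link-layer relay passes the latency bound and is
# stopped only by the layered checks.
LOCK = (37.7749, -122.4194)
LEGIT = UnlockRequest(4.0, 2.0, True, LOCK, LOCK)
GATT_RELAY = UnlockRequest(38.0, 2.0, True, LOCK, LOCK)   # classic forwarder
LINK_RELAY = UnlockRequest(8.0, 1200.0, False, (51.5074, -0.1278), LOCK)

if __name__ == "__main__":
    for name, r in (("legit", LEGIT), ("gatt_relay", GATT_RELAY), ("link_relay", LINK_RELAY)):
        print(name, evaluate(r) or "unlock permitted")
```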

