Bluetooth Spec Says it is not Secure – They Are Right
There have been many issues over the years with passive (keyless) entry systems, including but not limited to vehicles.
In this case, researchers at the NCC Group used a “relay attack” to not only unlock a Tesla Model 3, but also start it and drive away.
A relay attack works like this: one phone is placed near the key fob and another phone is placed near the car. The two phones talk to each other, and with about $50 worth of Bluetooth hardware they relay the signal from the fob to phone 1, from phone 1 to phone 2, and from phone 2 to the car.
Some relay attacks fail because the relaying introduces a time delay, but these researchers figured out how to work within the timeout window.
While they only tested a Model 3, they think the attack will also work on a Model Y.
Tesla has a history of problems like this. In 2014 researchers were able to unlock a Tesla. In 2016 another group was able to create a similar attack. Also in 2016, the Tesla app was compromised to track, locate and start vehicles. In 2018 Belgian researchers were able to clone the Tesla key fob and get full access to the car.
It’s worth noting that the Bluetooth Core Specification makes no claims that BLE proximity signals are secure. In Proximity Profile specification updates from 2015, the Bluetooth Special Interest Group (SIG) stated “the Proximity Profile should not be used as the only protection of valuable assets,” and additionally “there is currently no known way to protect against such attacks using Bluetooth technology.”
https://www.theregister.com/2022/05/17/ble_vulnerability_lets_attackers_steal/
Credit: The Register
These researchers say that this is not a bug that can be fixed with a software patch, nor is it an error in the specification. Instead, it is a problem with using the protocol for something that it was not designed to do (security).
Tesla says that it is not going to fix it. It does say that you can disable the proximity feature.
The researchers also say that this attack will work on any other Bluetooth proximity device such as other cars, smart locks, building access systems, mobile phones, laptops and many other devices.
This is one of those cases where convenience won out over security.
Credit: Helpnet Security