
Bluetooth locks lacking

May 19, 2022.


When you unlock a Tesla with a phone, the device and the car both use Bluetooth signals to measure the distance between them. Draw nearer to the car, phone in hand, and the car unlocks automatically. Move away, and it automatically locks again. Authentication relies on the proximity between the car and the phone that stores the key. Handy for users, but seriously flawed as well. Sultan Qasim Khan, a researcher at security firm NCC Group, has come up with a hack to unlock millions of Teslas – as well as countless other devices – even if the authenticating phone or key fob is nowhere in range. The attack exploits a weakness in the Bluetooth Low Energy (BLE) standard that thousands of device manufacturers rely on.

The hack that Sultan Qasim Khan demonstrated needs two accomplices. One stands next to the car, and the other near the person who’s in possession of the authentication device. The two hackers simply relay, via the internet, the Bluetooth dialogue between the car and the legitimate phone. The hacker next to the car sends a BLE signal to the car, which responds with an authentication request. The captured request is sent on to the accomplice, who in turn transmits it to the authentication phone. The phone responds with a credential, which is immediately returned through the other accomplice to the car, unlocking it. But relay attacks don’t absolutely need two bad actors. A relay system can be stashed away in a garden, a house, a restaurant or an office, lying in wait for a target to move into Bluetooth range of the hidden device.

Ars Technica, Dan Goodin, “New Bluetooth hack can unlock your Tesla—and all kinds of other devices.”
