Tesla Bluetooth Locks Can Be Hacked, Warns NCC Group

Researchers at Manchester-based NCC Group have uncovered a Bluetooth Low Energy (BLE) vulnerability that puts millions of cars, including Tesla vehicles, at risk.

The British security group said it made the discovery after it conducted the world’s first link layer relay attack on BLE, which is the standard protocol used for sharing data between devices.

BLE has been adopted by companies for proximity authentication to unlock millions of vehicles, residential smart locks, commercial building access control systems, smartphones, smart watches, laptops and more.

BLE vulnerability

The discovery comes after Tesla recently issued a recall for some 107,293 China-made Model 3 and Model Y vehicles, due to overheating that may cause the centre touchscreen display to malfunction.

Now after NCC Group found the BLE vulnerability, it means that Tesla (and other cars, smart doors and mobile devices), can be remotely unlocked by hackers.

“Our research shows that systems that people rely on to guard their cars, homes and private data are using Bluetooth proximity authentication mechanisms that can be easily broken with cheap off-the-shelf hardware – in effect, a car can be hacked from the other side of the world,” announced NCC Group.

Its proof of concept, which it demonstrated to Reuters, shows that “a link layer relay attack conclusively defeats existing applications of BLE-based proximity authentication and prove that very popular products are currently using insecure BLE proximity authentication in critical applications.”

According to NCC, by forwarding data from the baseband at the link layer, the hack gets past known relay attack protections, including encrypted BLE communications, because it circumvents upper layers of the Bluetooth stack and the need to decrypt.

“What makes this powerful is not only that we can convince a Bluetooth device that we are near it- even from hundreds of miles away – but that we can do it even when the vendor has taken defensive mitigations like encryption and latency bounding to theoretically protect these communications from attackers at a distance,” said NCC Group principal security consultant and researcher, Sultan Qasim Khan, who conducted this research.

“All it takes is 10 seconds – and these exploits can be repeated endlessly.

“This research circumvents typical countermeasures against remote adversarial vehicle unlocking, and changes the way engineers and consumers alike need to think about the security of Bluetooth Low Energy communications,” Khan added. “It’s not a good idea to trade security for convenience- we need better safeguards against such attacks.”

Tesla did not immediately respond to a Reuters request seeking comment.

Mitigation/Recommendations

NCC Group said that “this is not a traditional bug that can be fixed with a simple software patch, nor an error in the Bluetooth specification.”

It seems that BLE-based authentication “was not originally designed for use in critical systems such as locking mechanisms.”

There NCC Group recommends the following:

• Manufacturers can reduce risk by disabling proximity key functionality when the user’s phone or key fob has been stationary for a while (based on the accelerometer);
• System makers should give customers the option of providing a second factor for authentication, or user presence attestation (e.g., tap an unlock button in an app on the phone);
• Users of affected products should disable passive unlock functionality that does not require explicit user approval, or disable Bluetooth on mobile devices when it’s not needed.

“This research offers more evidence that risks in the digital world are increasingly becoming risks in the physical world as well,” Khan concluded. “As more and more of the environment becomes connected, the potential keeps growing for more attackers to penetrate cars, homes, businesses, schools, utility grids, hospitals, and more.”

NCC Group said it has “disclosed details to companies behind the products tested before issuing research publicly, and has discussed mitigation approaches with the Bluetooth Special Interest Group (SIG).”