Security researchers at UK-based NCC Group have demonstrated a new Bluetooth relay attack that can be used to remotely unlock and operate select Tesla cars after bypassing all existing authentication measures on the vehicle.
The flaw lies in Bluetooth Low Energy (BLE) technology, which is today used in a wide range of products, including smartphones, laptops, smart locks, building access control systems, as well as automobiles like the Tesla Model 3 and Model Y.
Tesla employs the technology to let users unlock and control their vehicle from a distance using an app or a key fob.
“We’ve conducted the world’s first link layer relay attack on Bluetooth Low Energy (BLE), the standard protocol used for sharing data between devices that has been adopted by companies for proximity authentication to unlock millions of vehicles, residential smart locks, commercial building access control systems, smartphones, smart watches, laptops and more,” the researchers wrote in an online post.
While the researchers are yet to publish the technical details of their new BLE relay attack tool, they claim to have tested the method on a Tesla Model 3 from 2020 using an iPhone 13 mini running version 4.6.1-891 of the Tesla app.
During the experiment, the researchers were able to send communication from the iPhone to the car through two relay devices, one located seven meters away from the iPhone and the other three meters away from the car.
The researchers used “relaying devices” to make the automobile believe its owner device (iPhone) was close while it was actually 25 meters away.
The experiment was also successfully replicated on a Tesla Model Y from 2021.
Tesla was notified of these results on April 21st. About a week later, the company responded by stating “that relay attacks are a known limitation of the passive entry system.”
Spectrum Brands, the parent company of Kwikset (makers of the Kevo line of smart locks), was also alerted by the researchers.
The NCC Group has released their findings in three different advisories: one for BLE in general, one for Tesla vehicles, and one for Kwikset / Weiser smart locks.
Each advisory details the issue on the affected devices and how it impacts a broader set of products from other manufacturers.
According to the NCC Group, the vulnerability is not like a traditional issue that can be fixed with a software patch.
It added that BLE-based authentication was not intended for use in locking mechanisms.
“This research illustrates the danger of using technologies for reasons other than their intended purpose, especially when security issues are involved,” the researchers said.
They recommend that Tesla owners deactivate the passive entry mechanism in the mobile app and use the ‘PIN to Drive’ function, which requires a four-digit PIN to be entered before the car can be driven.
Tesla has a history of security vulnerabilities.
Earlier this year, a 19-year-old security researcher claimed to have uncovered a security flaw in third-party software provided for Tesla vehicles that could enable hackers to take control of some of the vehicle’s functionality from outside.
The researcher said he was able to remotely access some functions of more than 25 Tesla cars in 13 countries by exploiting the flaw, without the owners’ knowledge.
In 2020, other researchers claimed they had discovered multiple security vulnerabilities in Tesla’s firmware update mechanism after reverse engineering the display and instrument cluster of a Tesla Model 3.