Using a new Bluetooth attack, hackers can hijack your Tesla Model 3 or Model Y
Unlocking a Tesla with the new Bluetooth attack – Overview
Security researchers have demonstrated a novel Bluetooth relay attack that can remotely unlock and drive select Tesla automobiles.
The flaw is in Bluetooth Low Energy (BLE), the technology used by Tesla’s entry system, which allows drivers to unlock and operate their car from a distance using an app or key fob.
Most proximity-based authentication devices and vehicles are built to withstand various relay attacks, which typically capture the radio signal used to unlock a car and replay it as if it were an original request.
Employing encryption and introducing checks make relay attacks more difficult.
Researchers from the NCC Group in the United Kingdom have developed a tool for carrying out a new BLE link-layer relay attack that bypasses existing mitigations, allowing attackers to unlock and operate vehicles remotely.
The researchers said an iPhone was placed 25 meters away from the vehicle, with two relaying devices between the iPhone and the automobile.
The researchers were able to unlock the car remotely using the technique.
The experiment was also successfully replicated on a 2021 Tesla Model Y with the same “phone-as-a-key” technology.
While the attack was demonstrated on Tesla vehicles, Khan warns that any car with a BLE keyless entry device could be vulnerable.
According to a separate advisory from NCC Group, the attack could also be used against the Kwikset and Weiser Kevo smart lock lines, which offer BLE passive entry through their “touch-to-open” capability.
“Our research demonstrates that systems that people rely on to protect their automobiles, houses, and private data use Bluetooth proximity authentication procedures that are easily bypassed with inexpensive off-the-shelf hardware,” Khan said.
The information was disclosed to Tesla and the Bluetooth Special Interest Group (SIG), an industry group that supervises the development of the Bluetooth standard.
While conceding the problem, the SIG argued that relay attacks were a known Bluetooth vulnerability.
According to Tesla officials, relay attacks were also a recognized flaw of the passive entry system.
Tesla did not reply to TechCrunch’s request for comment. (Tesla’s public relations team was terminated in 2020.)
“The SIG should aggressively inform its members developing proximity authentication systems about the hazards of BLE relay attacks,” Khan added.
“Moreover, documentation should make it clear that relay attacks are possible and should be included in threat models, and that neither link-layer encryption nor standard response timing assumptions are adequate defenses against relay attacks.”
Tesla owners should disable the passive entry mechanism in the mobile app and use the PIN to Drive function, which requires a four-digit PIN to be entered before the vehicle can be driven.
Tesla has a history of security vulnerabilities. For example, a 19-year-old security researcher claimed that he could remotely access dozens of Teslas worldwide due to security flaws discovered in an open-source logging application popular with Tesla owners, which exposed their cars to the internet.