Adapting existing, off-the-shelf technologies from other industries to cars is a clever thing. That’s why color LCD screens are all over the dash of every new car, and why LED taillights are a thing, and on and on. But that doesn’t mean that every technology is actually suited to the unique challenges of automotive use, and now there’s a sobering demonstration of just this idea, as the Bluetooth-based security systems used on Teslas and other cars have been hacked with some clever, cheap devices and methods by a researcher at the security testing organization NCCGroup.
The researcher (and, according to email correspondence from NCCGroup, a fellow Autopian reader, so thanks!) Sultan Qasim Khan (actually, he’s a Principal Security Consultant and Researcher) demonstrated how the hack can work as he unlocks, starts, and drives off a Tesla Model Y using a laptop connected to a relay device, which in turn was in contact with another remote relay device that was in communication with the original Tesla key.
Essentially, what is happening is that he is capturing the signals from the car owner’s phone and relaying them, potentially from quite far away, to another device near the car. And he’s getting past security strategies that require certain response times in the communication between the vehicle and the driver’s phone (this response time is referred to as latency).
Here’s how NCCGroup describes it:
The Tesla Model 3 and Model Y employ a Bluetooth Low Energy (BLE) based passive entry system. This system allows users with an authorized mobile device or key fob within a short range of the vehicle to unlock and operate the vehicle, with no user interaction required on the mobile device or key fob. This system infers proximity of the mobile device or key fob based on signal strength (RSSI) and latency measurements of cryptographic challenge-response operations conducted over BLE.
NCC Group has developed a tool for conducting a new type of BLE relay attack operating at the link layer, for which added latency is within the range of normal GATT response timing variation, and which is capable of relaying encrypted link layer communications. This approach can circumvent the existing relay attack mitigations of latency bounding or link layer encryption, and bypass localization defences commonly used against relay attacks that use signal amplification. As the latency added by this relay attack is within the bounds accepted by the Model 3 (and likely Model Y) passive entry system, it can be used to unlock and drive these vehicles while the authorized mobile device or key fob is out of range.
This will all make a lot more sense if you just watch what happens:
Okay, so what is this video showing, exactly? Khan does a great job of explaining, but let’s re-cap here. There’s a small device that looks to be based on a Texas Instruments single-board computer with various wireless signal technologies embedded, a sort of board that sells for about $50 online, and that device is placed within Bluetooth range of the Tesla’s iPhone-based “key,” which just means the Tesla owner’s phone that has been configured to act as a key. This can be a surprisingly large distance, which in the testing reported by NCCGroup was about 21 feet.
Next, a similar device, this one attached to a laptop, is in communication with the closer-to-the-phone device via longer-distance communication protocols, like cellular data signals. This end of the attack would then approach the car, and send the Bluetooth low-energy (BLE) signals from the near-phone device–wherever in the world that is–to the device near the car, which can then open and start the car as though the owner’s phone was in the car.
Here’s a very simple diagram:
Here’s more information from NCCGroup on the test they performed:
Testing on a 2020 Tesla Model 3 running software v11.0 (2022.8.2) with an iPhone 13 mini running version 4.6.1-891 of the Tesla app, NCC Group was able to use this newly developed relay attack tool to unlock and operate the vehicle while the iPhone was outside the BLE range of the vehicle. In the test setup, the iPhone was placed on the top floor at the far end of a home, approximately 25 metres away from the vehicle, which was in the garage at ground level. The phone-side relaying device was positioned in a separate room from the iPhone, approximately 7 metres away from the phone. The vehicle-side relaying device was able to unlock the vehicle when placed within a radius of approximately 3 metres from the vehicle.
It’s worth noting that the above refers to a Model 3 used in the test, and the video shows a Model Y, which makes sense as they both use the same system.
Khan described the method of the attack, and gave some nice, alarming scenarios to haunt your dreams:
“This NCC Group research has proven that attackers can more easily than ever, and very effectively, break into – or outright steal – certain smart cars.
“Using this attack method, I was able to unlock and start the car, then drive away in it. NCC Group has repeatedly and reliably tested and demonstrated this full attack against Tesla Model 3 and Model Y vehicles that it was in rightful possession of as a proof of concept.
“In the same fashion, attackers can also unlock people’s houses to gain access for nefarious reasons; or breach businesses. Perhaps worse, they can enter our personal digital domains via our laptops or phones and sift through our work or invade our communications and innermost thoughts and feelings, and access every photo and video taken of our family, and learn about the places we frequent.
“Systems that millions of people rely on daily to guard their cars, homes, and private data are using Bluetooth proximity authentication mechanisms that can be easily broken with cheap off-the-shelf hardware.
“This research was focused on a class of vulnerability known as a “relay attack”. In a relay attack, messages between the key fob/phone and vehicle (or other device being unlocked) are forwarded to each other by relaying devices. This effectively increases the range over which the vehicle and key fob/phone can communicate. Thus, a phone/key fob and vehicle can be made to believe they are close to one another, when in reality they may be long distances apart – even on opposite sides of the world for digital relays like what I have developed.
“Here’s a basic scenario: A victim is at home. Their phone is in the bedroom, and their car in the driveway, locked. The attacker places one relay device in the garden—close enough for Bluetooth signals to travel—and carries the other relay device close to the car. They can then unlock the car, start and drive it away. Once the device is in place near the fob or phone, the attacker can send commands from anywhere in the world.
“In another scenario, an attacker can go to a restaurant or office full of people, and leave a relay device hidden under a table, in a closet or in a bush beside the building. Vehicles belonging to people inside would be parked in a nearby lot. Thieves can take their pick.”
Now, this sort of relay-type attack has been done before, but Khan and his team are the first to demonstrate it working with the sort of Bluetooth signals used by phones and key fobs. They explain that a bit here:
Neither normal GATT response latency nor successful communications over an encrypted link layer can be used as indications that a relay attack is not in progress. Consequently, conventional mitigations against prior BLE relay attacks are rendered ineffective against link layer relay attacks.
GATT refers to Generic ATTribute and deals with how two BLE devices communicate with one another. And while I admit I don’t know what a “link layer” is, I do know that this is the method that was key to making this work, and Khan’s team seems to be the first to accomplish such a link layer attack over Bluetooth.
None of this is necessarily Tesla-specific, as other carmakers use similar systems. What this is really demonstrating is that while these Bluetooth-based security systems are convenient, Bluetooth was designed to let your computer and other devices have things like wireless headphones, keyboards, mice, game controllers, and that sort of thing. It was never intended to be a protocol for keeping something like a car secure, and we’re seeing the implications of that here.
The other big issue with this vulnerability is that it can’t be fixed with a software update, as it’s an inherent limitation of the Bluetooth low-energy protocol. NCCGroup did have this recommendation:
Users should be educated about the risks of BLE relay attacks, and encouraged to use the PIN to Drive feature. Consider also providing users with an option to disable passive entry. To reduce opportunities for relay attacks, consider disabling passive entry functionality in the mobile app when the mobile device has been stationary for more than a minute. Also consider having the mobile application report the mobile device’s last known location during the authentication process with the vehicle, so that the vehicle can detect and reject long distance relay attacks.
For reliable prevention of relay attacks in future vehicles, secure ranging using a time-of-flight based measurement system (such as Ultra Wide Band) must be used.
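To make the recommendations above concrete, here is an added example (not code from NCC Group or Tesla) of a vehicle-side passive-entry policy that keeps the usual latency and signal-strength checks but also applies the two mitigations NCC Group suggests: refusing entry when the phone has been stationary for more than a minute, and rejecting the attempt when the phone’s reported location is far from the car. All thresholds except the one-minute rule are assumptions for illustration, and the auth attempts in the test are constructed.

```python
import math
from dataclasses import dataclass

# Policy values. Only MAX_STATIONARY_S comes from NCC Group's recommendation
# ("stationary for more than a minute"); the others are assumed for this example.
MAX_LATENCY_MS = 100.0         # assumed upper bound on challenge-response round trip
MIN_RSSI_DBM = -80             # assumed weakest signal still treated as "nearby"
MAX_STATIONARY_S = 60          # phone has not moved for more than a minute
MAX_DISTANCE_M = 100.0         # assumed radius beyond which a reported location is "far"


@dataclass
class AuthAttempt:
    challenge_ok: bool          # result of the BLE cryptographic challenge-response
    latency_ms: float           # measured round-trip time of that exchange
    rssi_dbm: int               # received signal strength seen by the vehicle
    phone_stationary_s: float   # how long the phone reports it has not moved
    phone_lat: float            # phone's last known location, sent during auth
    phone_lon: float


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def evaluate(attempt, vehicle_lat, vehicle_lon):
    """Return (allowed, reasons). Legacy checks first, then the added mitigations."""
    reasons = []
    if not attempt.challenge_ok:
        reasons.append("challenge-response failed")
    # A link-layer relay keeps latency and RSSI inside normal bounds, so these
    # two checks alone do not stop it; they are kept to show what a relay passes.
    if attempt.latency_ms > MAX_LATENCY_MS:
        reasons.append("latency above bound")
    if attempt.rssi_dbm < MIN_RSSI_DBM:
        reasons.append("signal too weak")
    # Mitigation 1: a phone lying still in a bedroom should not open the car.
    if attempt.phone_stationary_s > MAX_STATIONARY_S:
        reasons.append("phone stationary for more than a minute")
    # Mitigation 2: the phone's own reported position must be near the vehicle.
    dist = haversine_m(attempt.phone_lat, attempt.phone_lon, vehicle_lat, vehicle_lon)
    if dist > MAX_DISTANCE_M:
        reasons.append(f"phone reports location {dist:.0f} m away")
    return (not reasons, reasons)
```

Note that the relayed attempts in the test pass the latency and RSSI checks exactly as the page describes, and are rejected only by the stationary-time and location rules.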
I suppose the takeaway here is that specific protocols for secure automotive use should be developed for these sorts of phone-as-key systems, since using the same protocol that your old Wii used to talk to the Wiimotes just isn’t very secure, shockingly. If you have a car that uses this sort of Bluetooth-based setup, you may want to go back to a key fob or at least be on the lookout for strange small circuit boards in your home and yard.