Tesla Unlock Using Bluetooth
Security researchers have demonstrated a new Bluetooth relay attack that can remotely unlock and operate some Tesla vehicles.
The vulnerability lies in Bluetooth Low Energy (BLE), the technology used by Tesla’s entry system that allows drivers with the app or key fob to unlock and operate their car from nearby. Most devices and vehicles that rely on this kind of proximity-based authentication are designed to protect against a range of relay attacks, which typically work by capturing the radio signal used for unlocking a vehicle, for example, and replaying it again as if it were an authentic request, by using encryption and introducing checks that can make relay attacks more difficult.
But researchers at U.K.-based NCC Group say they have developed a tool for conducting a new type of BLE link-layer relay attack that bypasses existing mitigations, theoretically enabling attackers to remotely unlock and operate vehicles.
Bored Ape Yacht Club Instagram hacked, attackers steal $2.8M worth of NFTs
Sultan Qasim Khan, a senior security consultant at NCC Group, said in a blog post that it tested the attack against a 2020 Tesla Model 3 using an iPhone 13 mini running a recent but older version of the Tesla app. The iPhone was placed 25 meters away from the vehicle, according to the researchers, with two relaying devices between the iPhone and the car. Using the tool, the researchers were able to unlock the vehicle remotely. The experiment was also replicated successfully on a 2021 Tesla Model Y, which also uses “phone-as-a-key” technology.
While the attack was demonstrated against Tesla vehicles, Khan notes that any vehicle that uses BLE for its keyless entry system could be vulnerable to this attack. In a separate advisory, NCC Group warns that the attack could also be used against the Kwikset and Weiser Kevo line of smart locks, which support BLE passive entry through their “touch-to-open” functionality.
In a video shared with TechCrunch, Khan can be seen walking up to the Tesla Model Y holding a laptop with a relay device attached, allowing him to wirelessly unlock the car and open the door.
The researchers disclosed their findings to Tesla and the Bluetooth Special Interest Group (SIG), an industry group that oversees the development of the Bluetooth standard, which acknowledged the issue but said that relay attacks were a known problem with Bluetooth. Tesla officials also said that relay attacks were a known limitation of the passive entry system. Tesla did not respond to TechCrunch’s request for comment. (Tesla scrapped its public relations team in 2020.)
The researchers encourage Tesla owners to use the PIN to Drive feature, which requires a four-digit pin to be entered before the vehicle can be driven, and to disable the passive entry system in the mobile app.
Tesla Unlock Using Bluetooth