Bluetooth Flaw Allows Remote Unlocking of Digital Locks
Locks that use Bluetooth Low Energy to authenticate keys are vulnerable to remote unlocking. The research focused on Teslas, but the exploit is generalizable.
In a video shared with Reuters, NCC Group researcher Sultan Qasim Khan was able to open and then drive a Tesla using a small relay device attached to a laptop which bridged a large gap between the Tesla and the Tesla owner’s phone.
“This proves that any product relying on a trusted BLE connection is vulnerable to attacks even from the other side of the world,” the UK-based firm said in a statement, referring to the Bluetooth Low Energy (BLE) protocol—technology used in millions of cars and smart locks which automatically open when in close proximity to an authorised device.
Although Khan demonstrated the hack on a 2021 Tesla Model Y, NCC Group said any smart locks using BLE technology, including residential smart locks, could be unlocked in the same way.
Another news article.
EDITED TO ADD (6/14): A longer version of the demo video.
T • May 20, 2022 8:00 AM
The Bluetooth Proximity Profile specification (https://www.bluetooth.com/specifications/specs/proximity-profile-1-0-1/) clearly states:
“6.2 Distance Measurement Security
Note that for the Bluetooth Core Specification [1] v4.0 (and possibly later versions) even if the link between the Proximity Monitor and Proximity Reporter has security enabled, the two devices can be spoofed into assuming that the other device is close. So the Proximity Profile should not be used as the only protection of valuable assets.
One simple attack would utilize the fact that a MIC is not added to empty packets. For the Bluetooth Core Specification [1] v4.0 it’s recommended that use cases that require a moderate security level ensure that there is some authenticated data traffic on the link between the Proximity Monitor and the Proximity Reporter. If no other profile is causing data to be exchanged, the Proximity Monitor might read the Alert Level characteristic of the Link Loss Service occasionally. The average frequency of the data traffic must be chosen as a trade-off between the security requirement of the use case and the added battery drain in the tiny device.
More advanced attacks might use some form of relay to extend the range between the two devices. There is currently no known way to protect against such attacks using Bluetooth technology.”
This profile was intended to be a convenience feature (e.g. automatically locking a personal computer when the user walks away), not a security mechanism for high-value assets…
There are a variety of wireless protocols that are attempting to address the security aspects, such as Bluetooth HADM (High Accuracy Distance Measurement) or IEEE 802.11az (Enhancements for Positioning)… although they generally rely on implementation of mechanisms not defined by the standards to actually detect and stop active attackers.
The trouble is that the end-product manufacturers are not experts in these standards and do not understand (or care) what needs to be done to use them securely.
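To make the spec's two points concrete, here is an added Python model (not code from the Bluetooth SIG, NCC Group or the commenter) of a Proximity Monitor that counts only authenticated, fresh data packets as evidence of presence. It assumes a toy HMAC-based MIC standing in for BLE's AES-CCM link-layer MIC and constructed packets; it shows that a forged empty packet fools a naive monitor but not the authenticated one, while a relay that forwards genuine packets unchanged passes both.

```python
import hmac
import hashlib

MIC_LEN = 4  # BLE's link-layer MIC is 32 bits; HMAC here is a toy stand-in for AES-CCM


def make_mic(key: bytes, counter: int, payload: bytes) -> bytes:
    """Toy message integrity check over (packet counter, payload)."""
    return hmac.new(key, counter.to_bytes(5, "big") + payload, hashlib.sha256).digest()[:MIC_LEN]


def reporter_packet(key: bytes, counter: int, payload: bytes) -> dict:
    """What the Proximity Reporter (phone) transmits: empty packets carry no MIC."""
    tag = make_mic(key, counter, payload) if payload else None
    return {"counter": counter, "payload": payload, "mic": tag}


def naive_monitor_accepts(pkt: dict) -> bool:
    """Policy 1: any packet under the paired peer's address means 'peer is near'."""
    return True


class AuthMonitor:
    """Policy 2 (spec section 6.2): only authenticated, fresh data traffic refreshes presence."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1  # replayed or reordered packets are rejected

    def accepts(self, pkt: dict) -> bool:
        if pkt["mic"] is None or pkt["counter"] <= self.last_counter:
            return False
        expected = make_mic(self.key, pkt["counter"], pkt["payload"])
        if not hmac.compare_digest(pkt["mic"], expected):
            return False
        self.last_counter = pkt["counter"]
        return True


def spoofed_empty_packet(counter: int) -> dict:
    """Without the link key a spoofer can only emit empty, unauthenticated packets."""
    return {"counter": counter, "payload": b"", "mic": None}


def relay(pkt: dict) -> dict:
    """A relay forwards the genuine packet bit-for-bit; payload and MIC are untouched."""
    return dict(pkt)


def demo() -> dict:
    key = bytes(range(16))  # constructed link key for the model
    auth = AuthMonitor(key)
    alert_read = b"ATT read Alert Level"  # the periodic read the spec suggests
    return {
        "spoof_vs_naive": naive_monitor_accepts(spoofed_empty_packet(7)),
        "spoof_vs_auth": auth.accepts(spoofed_empty_packet(7)),
        "genuine_empty_vs_auth": auth.accepts(reporter_packet(key, 1, b"")),
        "genuine_data_vs_auth": auth.accepts(reporter_packet(key, 2, alert_read)),
        "replay_vs_auth": auth.accepts(reporter_packet(key, 2, alert_read)),
        "relay_vs_auth": auth.accepts(relay(reporter_packet(key, 3, alert_read))),
    }
```

The last entry is the comment's point: authenticated traffic defeats spoofing and replay, but a relay carries valid packets end to end, so the monitor has nothing in the data itself to reject.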