Phone-As-Key-Unlock Vulnerability For Tesla Vehicles
A security company recently discovered a vulnerability in the Phone-as-Key unlock feature of Tesla vehicles. The same weakness is present in millions of other vehicles and devices that adhere to the BLE standards.
BLE And Its Weakness
Bluetooth Low Energy, also known as Bluetooth 4.0, broke into the tech market as far back as 2011. It was originally meant for short-range communication and data exchange but has since been developed for industrial applications. It is catching on fast: experts have predicted its market to grow at a compound annual growth rate of 19.68% between now and 2026.
BLE beacons are small radio transmitters that broadcast BLE signals over a limited range, within which a mobile device can pick them up. Phones can now be used to unlock and operate certain Tesla models, with BLE signals used to gauge how close the phone is to the vehicle. This works on the assumption that the authentication key stored on the phone can only be transmitted to the vehicle when the phone is within Bluetooth range.
Approaching the vehicle with the registered phone in hand unlocks it instantly, and walking away locks it again. The NCC Group, however, has now discovered a new kind of relay attack that exploits weaknesses in this feature and lets an attacker unlock the vehicle even when the genuine device holding the authentication key is nowhere near it.
The Relay Attack
For this, two attackers are needed: X and Y. Here is how it goes.
X stays near the vehicle, within Bluetooth range, while Y is near the phone used for authentication. Both X and Y carry Bluetooth-enabled devices with access to a stable internet connection. X impersonates the authenticating phone and sends the Tesla a signal, prompting the vehicle to reply with an authentication request. X captures this request and relays it to Y, who forwards it to the authenticating phone.
The genuine phone-as-key device responds promptly with a credential, which Y captures and relays to X. X then uses this credential to unlock the car. It is worth noting that X and Y need a stable internet connection between them to carry this exchange. Two human attackers are not strictly necessary either: Y could easily be a hidden relaying device. When the targeted phone comes within Bluetooth range of the hidden relay, it captures the unique credential and sends it on to X.
The relay attack has been tested and proven against the Tesla Model 3. It is also expected to work against the Model Y because of its similarity to the Model 3. Also worth noting is that the relay attack still works when defensive mitigations against such intrusions are in place.
Companies that build BLE into their devices are well aware of its susceptibility to relay attacks, so they have countermeasures in place. One is to time the flow of requests and responses and reject an authentication when the latency between the lock and the BLE device exceeds a set threshold; because relayed exchanges take longer to authenticate, this may limit them to a single handshake. Another is to encrypt the credentials the device sends during authentication.
Circumvention Using Link-Based Relays
Even with these countermeasures in place, the relay attack can still succeed.
Successful circumvention involves capturing data at the baseband and the link layer. The baseband, the physical layer, is where radio signals are sent and received; it manages physical channels and links and is also responsible for Bluetooth security. The link layer is the lowest level of the Bluetooth protocol stack, where connections are advertised, created, maintained, and terminated. Conventional BLE relay attacks work at the Generic Attribute Profile (GATT) layer, which sits further up the stack.
Working at the link layer bypasses those hurdles: the cryptographic defences that protect against GATT-based relays.
Furthermore, link-layer relays have lower latency than their GATT-based counterparts because they also skip the higher layers of the stack, which act as bandwidth bottlenecks. This makes it almost impossible to tell a link-layer relay apart from a legitimate authentication.
The Bluetooth Special Interest Group has repeatedly warned of BLE's susceptibility to relay attacks and advises that a BLE connection ‘should not be used as the only protection of a valuable asset’. The NCC Group also noted that, instead of relying on proximity authentication alone, BLE devices should require user interaction or geolocation to confirm that it is the actual owner of the device trying to gain access and not a relay attack. Yet vendors and members of the Bluetooth Industry Forum refuse to adhere to these cautions.
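The two defensive points above, the latency threshold described under the countermeasures and the user-confirmation requirement the NCC Group recommends, can be seen together in a small simulation. This is an added example, not code from Tesla, the NCC Group or the article: the HMAC challenge-response, the round-trip timings and the policy thresholds are all constructed, and the three channels model a direct BLE link, a GATT-layer relay over the internet, and a link-layer relay that adds only a few milliseconds. It shows why a timing gate on its own stops the slow relay but not the fast one, and why the decision has to depend on more than proximity.

```python
"""Simulated latency gate for a phone-as-key unlock (added example).

Not Tesla's or NCC Group's code. Timings, secret and thresholds are
constructed to illustrate the article's two mitigations: rejecting
slow challenge round trips, and requiring a user confirmation.
"""
import hashlib
import hmac
import os
import statistics
from dataclasses import dataclass

# Constructed policy values (assumptions, not figures from any vendor).
MAX_MEDIAN_RTT_MS = 15.0   # median challenge round trip above this is treated as relayed
MAX_JITTER_MS = 4.0        # a network hop adds variance as well as delay
CHALLENGES_PER_UNLOCK = 5  # several exchanges so one fast packet cannot pass the gate


@dataclass
class Phone:
    """Registered key device: proves possession of the shared secret."""
    secret: bytes

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()


@dataclass
class Channel:
    """Path between vehicle and phone, described only by the round-trip
    times the vehicle observed (constructed values, one per challenge)."""
    name: str
    rtts_ms: list[float]


@dataclass
class Vehicle:
    """The lock. Holds the same secret as the phone and applies the policy."""
    secret: bytes
    require_user_confirmation: bool = False

    def decide(self, phone: Phone, channel: Channel, user_confirmed: bool = False) -> dict:
        # 1. Credential check. A relay forwards the genuine phone's answer,
        #    so this step passes for every channel; it only rules out forgery.
        for _ in range(CHALLENGES_PER_UNLOCK):
            challenge = os.urandom(16)
            expected = hmac.new(self.secret, challenge, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, phone.respond(challenge)):
                return {"unlock": False, "reason": "invalid credential"}

        # 2. Timing check: the latency countermeasure the article describes.
        median = statistics.median(channel.rtts_ms)
        jitter = max(channel.rtts_ms) - min(channel.rtts_ms)
        if median > MAX_MEDIAN_RTT_MS:
            return {"unlock": False, "reason": f"median RTT {median:.1f} ms over threshold"}
        if jitter > MAX_JITTER_MS:
            return {"unlock": False, "reason": f"RTT jitter {jitter:.1f} ms over threshold"}

        # 3. Second factor: proximity alone is not evidence of the owner's intent.
        if self.require_user_confirmation and not user_confirmed:
            return {"unlock": False, "reason": "awaiting user confirmation"}
        return {"unlock": True, "reason": f"accepted via {channel.name}"}


# Constructed observations. Direct BLE is fast and steady; a GATT-layer relay
# over the internet is slow and jittery; a link-layer relay adds only a few
# milliseconds and sits comfortably under the gate.
SCENARIOS = [
    Channel("direct BLE", [3.1, 3.4, 3.0, 3.3, 3.2]),
    Channel("GATT-layer relay", [85.0, 110.0, 92.0, 140.0, 97.0]),
    Channel("link-layer relay", [11.2, 11.9, 11.5, 12.1, 11.4]),
]


def run(require_user_confirmation: bool) -> dict[str, bool]:
    """Return channel name -> unlock decision under the given policy."""
    secret = b"constructed-shared-secret"
    phone, car = Phone(secret), Vehicle(secret, require_user_confirmation)
    return {ch.name: car.decide(phone, ch)["unlock"] for ch in SCENARIOS}


if __name__ == "__main__":
    for policy in (False, True):
        print(f"require_user_confirmation={policy}:")
        for name, ok in run(policy).items():
            print(f"  {name:18s} -> {'UNLOCK' if ok else 'reject'}")
```

With the timing gate alone, the direct link and the link-layer relay both unlock while the GATT-layer relay is rejected; with user confirmation required, nothing unlocks passively, and only the owner's explicit confirmation (the `user_confirmed` argument) completes the unlock. The gap between those two runs is the point the article makes about link-layer relays.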
Written by The Original PC Doctor on 28/7/2022.