NCC Group performs the world's first link-layer relay attack on Bluetooth Low Energy and uncovers vulnerabilities in proximity-based mechanisms; NCC Group says this puts millions of cars such as the Tesla Model 3 and Y, as well as mobile devices and locking systems, at risk.
Global cyber security expert NCC Group announced today that it has carried out the world's first link layer relay attack on Bluetooth Low Energy (BLE). BLE is a device-to-device standard protocol used by businesses for short-range authentication to unlock millions of vehicles, residential smart locks, commercial building access control systems, smartphones, smartwatches, laptops, and more.
Bluetooth Low Energy (BLE) successfully attacked
This proves that any product that relies on a trusted BLE connection is vulnerable to attack, even from the other side of the world. By forwarding baseband data at the link layer, the attack bypasses known protections against relay attacks, including encrypted BLE communications, because it sidesteps the upper layers of the Bluetooth stack and never needs to decrypt anything. In fact, systems that people rely on to protect their cars, homes, and personal data use Bluetooth authentication mechanisms that can be defeated with cheap off-the-shelf hardware.
Sultan Qasim Khan, Principal Security Consultant and researcher at NCC Group, who conducted this research, was able to demonstrate as proof of concept that a link layer relay attack clearly defeats the existing applications of BLE-based proximity authentication.
Laptops, smartphones - even the Tesla Model 3 hacked
This means that products that rely on the proximity of a trusted BLE device for authentication can now be unlocked by an attacker relaying commands from anywhere - meaning a car can be hacked from the other side of the world.
Because the technology is so widespread, the potential attack surface is huge. It includes:
- Cars with keyless entry - an attacker can unlock, start and drive a vehicle. The NCC Group has confirmed and announced a successful attack on the Tesla Model 3 and Y (of which over 2 million have been sold).
- Laptops with Bluetooth Proximity Unlock feature enabled - this attack allows someone to unlock the device
- Cell phones - a criminal could prevent the phone from locking itself
- Smart locks for residential buildings - an attacker could unlock and open the door without mechanically picking or cutting the lock. The NCC Group has carried out a successful attack on Kwikset/Weiser Kevo smart locks that the manufacturer has been made aware of.
- Building access control systems - an attacker can unlock and open doors while impersonating another person (whose phone or fob signal is being relayed)
- Asset and patient tracking - someone could fake the location of an asset or a patient
The discovery proves that very popular products are currently using insecure BLE authentication in critical applications. Meanwhile, the current versions of the BLE specification do not provide proper means for secure ranging, and BLE link-layer encryption and GATT response time limits also do not prevent relay attacks.
Relay attack – no patch will help here either
The NCC Group warns that this is neither a conventional bug that can be fixed with a simple software patch, nor a flaw in the Bluetooth specification. Rather, this investigation illustrates the danger of using technologies for purposes other than those intended, especially when it comes to security issues: BLE-based proximity authentication was not initially intended for use in critical systems such as locking mechanisms.
“The power of this technology lies not only in the fact that we can convince a Bluetooth device that we are nearby - even if it is hundreds of kilometers away - but also in that we can do so even if the manufacturer has taken protective measures such as encryption and latency limitation to theoretically protect these communications from remote attackers,” says Sultan Qasim Khan. “All it takes is 10 seconds - and these attacks can be repeated endlessly.”
It all takes 10 seconds
“This research bypasses typical countermeasures against vehicle unlocking by remote attackers and changes the way engineers and consumers need to think about the security of Bluetooth Low Energy communications,” he added. “It is not a good idea to trade security for convenience – we need better protections against such attacks.”
“This research shows that risks in the digital world are increasingly becoming risks in the physical world. As more areas of the environment become connected, the potential for attackers to penetrate cars, homes, businesses, schools, utility networks, hospitals and more grows,” said Khan.
Measures to protect against these attacks:
- Manufacturers can mitigate the risk by disabling proximity key functionality when the user's phone or key fob is idle for a period of time (based on the accelerometer).
- System manufacturers should allow customers to provide a second factor of authentication or confirmation of user presence (e.g., by tapping an unlock button in an app on the phone).
- Users of affected products should disable the passive unlock feature, which does not require explicit user consent, or disable Bluetooth on mobile devices when not needed.
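To make the manufacturer-side measures above concrete, here is an added simulation (not NCC Group's, Tesla's or Kwikset's code) of the unlock decision in a BLE proximity-unlock product. It contrasts a passive policy that trusts the encrypted link plus a GATT round-trip budget, which a link-layer relay still satisfies, with a hardened policy that additionally rejects unlocks when the key device has been idle (accelerometer) and requires a fresh, explicit confirmation tap. Every name, threshold and scenario timing in it is a constructed assumption, not a measurement from the research.

```python
"""Simulated unlock policy for a BLE proximity-unlock product.

Added illustration, not vendor or NCC Group code. Thresholds and the
scenario timings are constructed assumptions chosen for the example.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class KeyDevice:
    """State of the owner's phone or fob at decision time (constructed)."""
    idle_for_s: float                     # seconds since the accelerometer last saw movement
    confirm_tap_age_s: Optional[float]    # seconds since the user tapped "unlock"; None if never


@dataclass
class LinkObservation:
    """What the lock or vehicle can actually observe about the BLE link."""
    link_established: bool                # authenticated, encrypted BLE link is up
    gatt_rtt_ms: float                    # measured GATT round-trip time


def passive_policy(link: LinkObservation, max_rtt_ms: float = 100.0) -> bool:
    """Unlock when the encrypted link is up and the GATT round trip is under budget.

    A link-layer relay forwards baseband frames, so the encrypted link is
    established end-to-end without decryption, and the added latency can stay
    inside an application-level RTT budget. Both checks therefore pass.
    """
    return link.link_established and link.gatt_rtt_ms <= max_rtt_ms


def hardened_policy(link: LinkObservation, key: KeyDevice,
                    idle_limit_s: float = 30.0, confirm_window_s: float = 15.0,
                    max_rtt_ms: float = 100.0) -> bool:
    """Passive checks plus the two mitigations: recent motion and a fresh user tap."""
    if not passive_policy(link, max_rtt_ms):
        return False
    # Mitigation 1: a key device that has not moved for a while is treated as
    # not being carried by the user, so passive unlock is disabled.
    if key.idle_for_s > idle_limit_s:
        return False
    # Mitigation 2: require an explicit, recent user action on the key device
    # (a second factor that a forwarded radio link cannot supply on its own).
    if key.confirm_tap_age_s is None or key.confirm_tap_age_s > confirm_window_s:
        return False
    return True


def evaluate_scenarios() -> Dict[str, Tuple[bool, bool]]:
    """Return {scenario: (passive_result, hardened_result)} for constructed cases."""
    # Constructed RTT values: the relayed figure is chosen to sit inside the
    # 100 ms budget to model the point that an RTT limit alone does not help.
    relayed_link = LinkObservation(link_established=True, gatt_rtt_ms=45.0)
    genuine_link = LinkObservation(link_established=True, gatt_rtt_ms=20.0)

    scenarios = {
        # Owner's phone lying on a desk for 10 minutes while its link is relayed.
        "relay_idle_key": (relayed_link, KeyDevice(idle_for_s=600.0, confirm_tap_age_s=None)),
        # Owner walking around (phone moving) but never tapped unlock.
        "relay_moving_key_no_tap": (relayed_link, KeyDevice(idle_for_s=2.0, confirm_tap_age_s=None)),
        # Owner at the car: phone moving and tapped unlock 3 s ago.
        "owner_present": (genuine_link, KeyDevice(idle_for_s=1.0, confirm_tap_age_s=3.0)),
        # Owner tapped unlock two minutes ago; the confirmation has gone stale.
        "stale_confirmation": (genuine_link, KeyDevice(idle_for_s=1.0, confirm_tap_age_s=120.0)),
    }
    return {name: (passive_policy(link), hardened_policy(link, key))
            for name, (link, key) in scenarios.items()}


if __name__ == "__main__":
    for name, (passive, hardened) in evaluate_scenarios().items():
        print(f"{name:26s} passive={passive!s:5s} hardened={hardened}")
```

The two mitigations cover different cases: the idle check alone still lets a relay succeed while the owner is walking around with the phone in a pocket, and a confirmation tap alone can go stale, so the hardened policy applies both with short windows. Neither check measures distance; per the text, current BLE specifications give no secure ranging, so these are presence and intent signals layered on top of proximity, not a replacement for it.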
The NCC Group has published technical advisories on the vulnerabilities affecting Bluetooth Low Energy, Tesla and Kwikset/Weiser.
Hacking a car from hundreds of miles away clearly demonstrates how our connected world leaves us vulnerable to threats from across the country and sometimes even from the other side of the world.
More at NCCgroup.com
About NCC Group
The NCC Group aims to make the world a safer place. As a global expert in cybersecurity and risk mitigation, more than 14,000 customers worldwide trust NCC Group to protect their most important assets from ever-evolving threats. With its knowledge, experience and global footprint, NCC Group is uniquely positioned to help organizations assess, evolve and manage the changing cyber risks they face.