"BLE Vulnerability May Be Exploited to Unlock Cars, Smart Locks, Building Doors, Smartphones"
NCC Group researchers uncovered a Bluetooth Low Energy (BLE) vulnerability that attackers could use to unlock Teslas, residential smart locks, building access systems, mobile phones, computers, and various other devices. BLE is a data-sharing protocol established by the Bluetooth Special Interest Group (Bluetooth SIG) that is commonly used in critical applications for proximity authentication. According to the researchers, the identified vulnerability is not a traditional bug that can be fixed with a simple software patch, nor an error in the Bluetooth protocol; it stems from the use of BLE in applications for which it was not originally designed. They explain that many devices use BLE-based proximity authentication, in which the product unlocks or remains unlocked when a trusted BLE device is determined to be nearby.

For years, the possibility of relay attacks against BLE proximity authentication has been known, but existing tools introduced detectable levels of latency and were incapable of relaying connections that use link layer encryption. The researchers developed a new BLE link layer relay tool that reduces round-trip latency to the point where it falls within the range of normal response timing variation, and that can detect encrypted changes to connection parameters while still relaying the connection. They successfully tested the tool and attack against a Tesla Model 3 as well as Kwikset and Weiser Kevo smart locks. According to Sultan Qasim Khan, NCC Group principal security consultant and researcher, they were able to conduct the attack on devices from other automakers and technology companies, and the hardware (relays) required for the attack can be acquired cheaply online. However, attackers would also need to obtain the researchers' software or build their own in order to carry out the attack.
This article continues to discuss the BLE vulnerability, the BLE link layer relay tool developed by the NCC Group researchers, and recommendations for guarding against attacks launched through the BLE vulnerability.
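The summary above notes that earlier relay tools were caught by their added latency, while the new tool's round-trip delay sits inside normal timing variation. The following added example (not code from the article, NCC Group, or any vendor) models that limitation from the defender's side: a lock that rejects exchanges whose round-trip time exceeds a calibrated threshold. All timing values are constructed for illustration; the functions, names and numbers are assumptions, not measurements from any real device.

```python
"""Why a round-trip-latency threshold stops detecting a BLE relay once the
relay's added delay falls inside normal timing variation.

All timing values below are constructed for illustration; they are not
measurements from the NCC Group research or from any real product.
"""
from typing import List

# Constructed honest round-trip times (ms) between a lock and a nearby phone:
# a 30 ms base plus the jitter a real link shows from scheduling, retries and
# radio conditions. Values are assumed, not measured.
BASE_RTT_MS = 30.0
JITTER_MS = [-5, -3, -1, 0, 1, 2, 3, 4, 5, 6]
HONEST_RTTS = [BASE_RTT_MS + j for j in JITTER_MS]

# A latency-based proximity check: any exchange slower than the largest RTT
# seen during an honest calibration run (plus a small margin) is rejected as
# "device not nearby".
MARGIN_MS = 2.0
THRESHOLD_MS = max(HONEST_RTTS) + MARGIN_MS  # 38 ms with the values above


def relayed_rtts(relay_delay_ms: float) -> List[float]:
    """RTTs the lock would observe if every packet crossed a relay that adds
    relay_delay_ms on top of the same honest jitter."""
    return [rtt + relay_delay_ms for rtt in HONEST_RTTS]


def detection_rate(rtts: List[float], threshold_ms: float = THRESHOLD_MS) -> float:
    """Fraction of exchanges the threshold check rejects."""
    flagged = sum(1 for rtt in rtts if rtt > threshold_ms)
    return flagged / len(rtts)


def false_positive_rate_to_catch(relay_delay_ms: float) -> float:
    """If the threshold were lowered just enough to reject every relayed
    exchange, what fraction of honest exchanges would also be rejected?"""
    strict_threshold = min(relayed_rtts(relay_delay_ms)) - 1e-9
    return detection_rate(HONEST_RTTS, strict_threshold)


if __name__ == "__main__":
    # A relay that adds 200 ms (constructed stand-in for an older tool) is
    # rejected every time; one that adds 2 ms, less than the jitter spread,
    # is never rejected by the same check.
    print("honest exchanges rejected:", detection_rate(HONEST_RTTS))
    print("slow relay detected:      ", detection_rate(relayed_rtts(200.0)))
    print("fast relay detected:      ", detection_rate(relayed_rtts(2.0)))
    # Tightening the threshold to catch the fast relay rejects most honest users.
    print("honest rejected to catch fast relay:", false_positive_rate_to_catch(2.0))
```

The takeaway for a system owner is that once the relay's added delay is smaller than the link's own jitter, no threshold separates the two populations: any setting strict enough to reject the relayed exchanges also rejects most legitimate ones, which is why timing alone cannot be relied on to prove physical proximity.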