Researchers Devise New Type of Bluetooth LE Relay Attacks

Security researchers at NCC Group have created a new tool capable of launching a new type of Bluetooth Low Energy (BLE) relay attack that bypasses existing protections and mitigations.

Meant to provide significantly reduced power consumption and costs at communication ranges similar to those provided by Bluetooth, BLE is used for a broad range of applications in sectors such as automotive, healthcare, security, home entertainment, and more.

BLE proximity authentication is typically used to unlock, or keep unlocked, products such as cars, smart locks, access control systems, and laptops, for as long as a trusted BLE device is in range.

Because BLE proximity authentication is prone to relay attacks, various mitigations were introduced, including strict GATT response time limits (so that the latency a relay adds becomes detectable), link-layer encryption, and localization techniques.

The new NCC Group tool conducts a new type of relay attack that operates at the link layer, successfully bypassing these existing mitigations. The attack can forward encrypted link-layer PDUs, and it can also detect encrypted changes to connection parameters and adapt to them.

The researchers have tested the attack against Tesla vehicles that rely on a BLE-based passive entry system where users can unlock and operate the vehicle using an authorized mobile device or key fob.

“This system infers proximity of the mobile device or key fob based on signal strength (RSSI) and latency measurements of cryptographic challenge-response operations conducted over BLE,” NCC Group said in a report.

NCC Group simulated the attack against a 2020 Tesla Model 3 using an iPhone 13 mini with the Tesla app installed, and was “able to use this newly developed relay attack tool to unlock and operate the vehicle while the iPhone was outside the BLE range of the vehicle.”

The researchers also note that the relay attack conducted against the Tesla Model 3 was effective even after latency was artificially added “beyond the base level of latency introduced by the relaying tool over a local Wi-Fi network,” suggesting that relay attacks may be conducted over the internet.

Separately, NCC Group tested its relay attack against Kevo smart locks and says it was able to successfully unlock and lock the affected devices. The touch-to-unlock functionality is disabled if the user’s phone has been stationary for over 30 seconds, but the attack can still be conducted if the user is carrying their phone or if the device is on a moving surface.

Spectrum Brands HHI was informed of the attack in September 2021 and worked with the researchers on mitigations. NCC Group says it informed Tesla of the issue in April 2022, and was told that relay attacks are “a known limitation of the passive entry systems.”

Alerted in early April 2022 of the new attack, Bluetooth SIG said it was aware of the risk posed by relay attacks and confirmed it was working on “more accurate ranging mechanisms.”

Related: BrakTooth: New Bluetooth Vulnerabilities Could Affect Millions of Devices

Related: BleedingTooth: Vulnerabilities in Linux Bluetooth Allow Zero-Click Attacks

Related: SweynTooth: Bluetooth Vulnerabilities Expose Many Devices to Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
