Application Security

Researchers Devise New Type of Bluetooth LE Relay Attacks

Security researchers at NCC Group have created a new tool capable of launching a new type of Bluetooth Low Energy (BLE) relay attack that bypasses existing protections and mitigations.

Meant to provide significantly reduced power consumption and costs at communication ranges similar to those provided by Bluetooth, BLE is used for a broad range of applications in sectors such as automotive, healthcare, security, home entertainment, and more.

BLE proximity authentication is typically used to unlock, or keep unlocked, products such as cars, smart locks, access control systems, and laptops for as long as a trusted BLE device is in range.

Because BLE proximity authentication is prone to relay attacks, various mitigations were introduced, including latency detection (strict GATT response-time limits), link-layer encryption, and localization techniques.

The new NCC Group tool conducts a new type of relay attack that operates at the link layer, successfully bypassing existing mitigations. The attack can forward encrypted link-layer PDUs and can also detect encrypted changes to connection parameters and adapt to them.

The researchers have tested the attack against Tesla vehicles that rely on a BLE-based passive entry system where users can unlock and operate the vehicle using an authorized mobile device or key fob.

“This system infers proximity of the mobile device or key fob based on signal strength (RSSI) and latency measurements of cryptographic challenge-response operations conducted over BLE,” NCC Group said in a report.

NCC Group simulated the attack against a 2020 Tesla Model 3 using an iPhone 13 mini with the Tesla app installed, and was “able to use this newly developed relay attack tool to unlock and operate the vehicle while the iPhone was outside the BLE range of the vehicle.”

The researchers also note that the relay attack conducted against the Tesla Model 3 was effective even after latency was artificially added “beyond the base level of latency introduced by the relaying tool over a local Wi-Fi network,” suggesting that relay attacks may be conducted over the internet.
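The proximity inference described above (a cryptographic challenge-response over BLE, judged by RSSI and round-trip latency) can be modeled to show why the cryptography alone does not stop a relay and why the tightness of the response-time limit is what matters. This is an added illustration, not NCC Group's tool or any vendor's code; the HMAC scheme, key, thresholds and timing values are all constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed model of BLE proximity authentication (added example, not
# the article's tool or any vendor's implementation). All values are assumed.
SHARED_KEY = b"constructed-demo-key"


def phone_respond(challenge: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Trusted device: answer the challenge with an HMAC (assumed scheme)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def vehicle_verify(challenge: bytes, response: bytes, key: bytes = SHARED_KEY) -> bool:
    """Vehicle: constant-time check of the response. A relay forwards the
    genuine device's answer unchanged, so this check passes either way."""
    return hmac.compare_digest(phone_respond(challenge, key), response)


def proximity_decision(rtts_ms, rssi_dbm, max_rtt_ms, min_rssi_dbm=-75):
    """Vehicle: accept only if every challenge-response round trip is within
    the GATT response-time limit and RSSI suggests the device is close.
    Returns (accepted, reason)."""
    if rssi_dbm < min_rssi_dbm:
        return False, "rssi_too_low"
    slow = [t for t in rtts_ms if t > max_rtt_ms]
    if slow:
        return False, f"latency_exceeded:{len(slow)}/{len(rtts_ms)}"
    return True, "ok"


def exchange(relay_added_ms: float, base_rtt_ms=(18.0, 21.0, 19.5, 20.5)):
    """Run one constructed exchange. base_rtt_ms is the assumed direct-link
    RTT of each challenge-response; a relay adds relay_added_ms to every
    round trip but leaves the cryptographic content intact."""
    challenge = os.urandom(16)
    response = phone_respond(challenge)
    crypto_ok = vehicle_verify(challenge, response)
    rtts = [t + relay_added_ms for t in base_rtt_ms]
    return crypto_ok, rtts


if __name__ == "__main__":
    # Direct link; relay with a tight limit; relay with a loose limit.
    for relay_ms, limit_ms in ((0.0, 30.0), (50.0, 30.0), (50.0, 500.0)):
        crypto_ok, rtts = exchange(relay_ms)
        ok, why = proximity_decision(rtts, rssi_dbm=-60, max_rtt_ms=limit_ms)
        print(f"relay +{relay_ms}ms, limit {limit_ms}ms: "
              f"crypto_ok={crypto_ok} accept={ok} ({why})")
```

The third case, where the crypto check succeeds and the loose limit still accepts a relayed exchange, is the situation the researchers describe: added latency beyond the tool's own base latency did not cause rejection.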

Separately, NCC Group tested its relay attack against the Kevo smart lock and says it was able to successfully unlock and lock the affected Kevo smart locks. The touch-to-unlock functionality is disabled if the user's phone has been stationary for over 30 seconds, but the attack can be conducted if the user is carrying their phone or if the device is on a moving surface.

Spectrum Brands HHI was informed of the attack in September 2021 and worked with the researchers on mitigations. NCC Group says it informed Tesla of the issue in April 2022, and was told that relay attacks are “a known limitation of the passive entry systems.”

Alerted in early April 2022 of the new attack, Bluetooth SIG said it was aware of the risk posed by relay attacks and confirmed it was working on “more accurate ranging mechanisms.”

Related: BrakTooth: New Bluetooth Vulnerabilities Could Affect Millions of Devices

Related: BleedingTooth: Vulnerabilities in Linux Bluetooth Allow Zero-Click Attacks

Related: SweynTooth: Bluetooth Vulnerabilities Expose Many Devices to Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
