Security researchers at NCC Group have built a tool that carries out a new type of Bluetooth Low Energy (BLE) relay attack, one that bypasses the protections and mitigations deployed against earlier relay attacks.
Designed to offer significantly lower power consumption and cost at communication ranges similar to those of classic Bluetooth, BLE is used for a broad range of applications in sectors such as automotive, healthcare, security, home entertainment, and more.
BLE proximity authentication is typically used to unlock, or keep unlocked, products such as cars, smart locks, access control systems, and laptops for as long as a trusted BLE device is in range.
Because BLE proximity authentication is prone to relay attacks, various mitigations have been introduced, including strict GATT response time limits (so that the latency a relay adds becomes detectable), link-layer encryption, and localization techniques.
NCC Group's tool conducts a new type of relay attack that operates at the link layer rather than at the GATT layer, bypassing these mitigations. It forwards encrypted link-layer PDUs as-is, and it can also detect encrypted changes to connection parameters and adapt to them.
The researchers have tested the attack against Tesla vehicles that rely on a BLE-based passive entry system where users can unlock and operate the vehicle using an authorized mobile device or key fob.
“This system infers proximity of the mobile device or key fob based on signal strength (RSSI) and latency measurements of cryptographic challenge-response operations conducted over BLE,” NCC Group said in a report.
NCC Group simulated the attack against a 2020 Tesla Model 3 using an iPhone 13 mini with the Tesla app installed, and was “able to use this newly developed relay attack tool to unlock and operate the vehicle while the iPhone was outside the BLE range of the vehicle.”
The researchers also note that the relay attack against the Tesla Model 3 still worked after latency was artificially added “beyond the base level of latency introduced by the relaying tool over a local Wi-Fi network,” suggesting that such relays could also be conducted over the internet.
Separately, NCC Group tested the relay attack against a Kevo smart lock and says it was able to unlock and lock the affected Kevo devices. Kevo's touch-to-unlock functionality is disabled once the user's phone has been stationary for more than 30 seconds, but the attack still works while the user is carrying the phone or the phone is resting on a moving surface.
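To make the preceding paragraphs concrete, here is a constructed Python model of a BLE proximity unlock (encrypted challenge-response checked against a round-trip latency limit) with a link-layer relay in the path. This is an added example, not NCC Group's tool and not Tesla's or any vendor's code. Everything in it is an assumption for illustration: the toy XOR keystream standing in for AES-CCM link-layer encryption, the 30 ms and 100 ms connection intervals, the 4 ms network hop between the relay radios, and the use of HMAC as the challenge-response primitive. The only spec-derived value is the 30 s ATT transaction timeout used as the default GATT response time limit. The model shows three things from the text: the relay copies ciphertext without holding any key, so the MAC still verifies; the relay's added latency stays well inside the timeout, and a limit tight enough to reject it also rejects a legitimate phone that negotiated a longer connection interval; and only an extra network delay of many seconds (a very slow internet path) trips the timeout.

```python
"""Constructed model of BLE proximity unlock plus a link-layer relay.
Added example; not NCC Group's tool and not any vendor's code."""
import hashlib
import hmac
import os

ATT_TIMEOUT_MS = 30_000.0   # BLE ATT transaction timeout is 30 s in the spec
RELAY_NET_MS = 4.0          # assumed one-way network cost between the two relay radios


def ll_crypt(session_key: bytes, counter: int, pdu: bytes) -> bytes:
    """Toy stand-in for link-layer encryption (real BLE uses AES-CCM).
    XOR with a per-PDU keystream; calling it again decrypts.  The relay
    never holds session_key, so it can only copy ciphertext unchanged."""
    stream = hashlib.sha256(session_key + counter.to_bytes(4, "big")).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(pdu))


class Clock:
    """Simulated time so the latency check is deterministic."""
    def __init__(self) -> None:
        self.now_ms = 0.0

    def advance(self, ms: float) -> None:
        self.now_ms += ms


class Phone:
    """Prover: decrypts the challenge, MACs it, encrypts the reply."""
    def __init__(self, auth_key: bytes, session_key: bytes) -> None:
        self.auth_key, self.session_key = auth_key, session_key

    def handle(self, counter: int, enc_pdu: bytes) -> bytes:
        challenge = ll_crypt(self.session_key, counter, enc_pdu)
        response = hmac.new(self.auth_key, challenge, hashlib.sha256).digest()
        return ll_crypt(self.session_key, counter + 1, response)


class DirectLink:
    """Phone in radio range: one connection interval per direction."""
    def __init__(self, phone: Phone, clock: Clock, conn_interval_ms: float) -> None:
        self.phone, self.clock, self.interval = phone, clock, conn_interval_ms

    def exchange(self, counter: int, enc_pdu: bytes) -> bytes:
        self.clock.advance(self.interval)            # car -> phone
        reply = self.phone.handle(counter, enc_pdu)
        self.clock.advance(self.interval)            # phone -> car
        return reply


class LinkLayerRelay:
    """Two attacker radios joined by a network.  Each direction costs a BLE
    hop to radio A, the network, and a BLE hop from radio B to the phone.
    Encrypted PDUs are copied byte-for-byte; no key material is needed."""
    def __init__(self, phone: Phone, clock: Clock, conn_interval_ms: float,
                 extra_network_ms: float = 0.0) -> None:
        self.phone, self.clock = phone, clock
        self.one_way = 2 * conn_interval_ms + RELAY_NET_MS + extra_network_ms

    def exchange(self, counter: int, enc_pdu: bytes) -> bytes:
        self.clock.advance(self.one_way)
        reply = self.phone.handle(counter, bytes(enc_pdu))  # opaque forward
        self.clock.advance(self.one_way)
        return reply


class Car:
    """Verifier: unlocks if the MAC verifies and the round trip is within
    latency_limit_ms (the GATT response time limit)."""
    def __init__(self, auth_key: bytes, session_key: bytes, clock: Clock,
                 latency_limit_ms: float = ATT_TIMEOUT_MS) -> None:
        self.auth_key, self.session_key, self.clock = auth_key, session_key, clock
        self.limit, self.counter = latency_limit_ms, 0

    def try_unlock(self, link) -> dict:
        challenge = os.urandom(16)
        enc = ll_crypt(self.session_key, self.counter, challenge)
        t0 = self.clock.now_ms
        enc_reply = link.exchange(self.counter, enc)
        rtt = self.clock.now_ms - t0
        reply = ll_crypt(self.session_key, self.counter + 1, enc_reply)
        self.counter += 2
        expected = hmac.new(self.auth_key, challenge, hashlib.sha256).digest()
        crypto_ok = hmac.compare_digest(reply, expected)
        return {"crypto_ok": crypto_ok, "rtt_ms": rtt,
                "unlocked": crypto_ok and rtt <= self.limit}


def run_scenario(relay: bool, conn_interval_ms: float = 30.0,
                 extra_network_ms: float = 0.0, wrong_phone: bool = False,
                 latency_limit_ms: float = ATT_TIMEOUT_MS) -> dict:
    """One unlock attempt over the chosen link; returns the car's verdict.
    wrong_phone models a device that lacks the owner's authentication key."""
    auth_key, session_key = os.urandom(32), os.urandom(16)
    clock = Clock()
    phone = Phone(os.urandom(32) if wrong_phone else auth_key, session_key)
    car = Car(auth_key, session_key, clock, latency_limit_ms)
    link = (LinkLayerRelay(phone, clock, conn_interval_ms, extra_network_ms)
            if relay else DirectLink(phone, clock, conn_interval_ms))
    return car.try_unlock(link)


if __name__ == "__main__":
    print("direct, 30 ms interval  :", run_scenario(relay=False))
    print("relayed, 30 ms interval :", run_scenario(relay=True))
    print("direct, 100 ms interval :", run_scenario(relay=False, conn_interval_ms=100.0))
    print("relayed over slow WAN   :", run_scenario(relay=True, extra_network_ms=20_000.0))
```

In this model the relayed round trip (128 ms) is longer than the direct one at the same connection interval (60 ms), but shorter than a legitimate direct exchange on a 100 ms interval (200 ms), which is why a GATT-layer latency limit cannot separate the two without locking out real users; BLE permits connection intervals anywhere from 7.5 ms to 4 s. Localization based on the phone's own ranging, not on round-trip time at the application layer, is the direction the Bluetooth SIG's "more accurate ranging" work points toward.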
Spectrum Brands HHI was informed of the attack in September 2021 and worked with the researchers on mitigations. NCC Group says it informed Tesla of the issue in April 2022, and was told that relay attacks are “a known limitation of the passive entry systems.”
Alerted in early April 2022 of the new attack, Bluetooth SIG said it was aware of the risk posed by relay attacks and confirmed it was working on “more accurate ranging mechanisms.”