We’ve conducted the world’s first link layer relay attack on Bluetooth Low Energy (BLE), the standard protocol used for sharing data between devices that has been adopted by companies for proximity authentication to unlock millions of vehicles, residential smart locks, commercial building access control systems, smartphones, smart watches, laptops and more.
Our research shows that systems that people rely on to guard their cars, homes and private data are using Bluetooth proximity authentication mechanisms that can be easily broken with cheap off-the-shelf hardware — in effect, a car can be hacked from the other side of the world.
Through the research, we demonstrate, as proof of concept, that a link layer relay attack conclusively defeats existing applications of BLE-based proximity authentication and prove that very popular products are currently using insecure BLE proximity authentication in critical applications. By forwarding data from the baseband at the link layer, the hack gets past known relay attack protections, including encrypted BLE communications, because it circumvents upper layers of the Bluetooth stack and the need to decrypt.
“What makes this powerful is not only that we can convince a Bluetooth device that we are near it—even from hundreds of miles away—but that we can do it even when the vendor has taken defensive mitigations like encryption and latency bounding to theoretically protect these communications from attackers at a distance,” said NCC Group Principal Security Consultant and Researcher, Sultan Qasim Khan, who conducted this research. “All it takes is 10 seconds—and these exploits can be repeated endlessly.
“This research circumvents typical countermeasures against remote adversarial vehicle unlocking, and changes the way engineers and consumers alike need to think about the security of Bluetooth Low Energy communications,” he added. “It’s not a good idea to trade security for convenience—we need better safeguards against such attacks.”
Recommendations
This is not a traditional bug that can be fixed with a simple software patch, nor an error in the Bluetooth specification. In fact, this research illustrates the danger of using technologies for reasons other than their intended purpose, especially when security issues are involved: BLE-based proximity authentication was not originally designed for use in critical systems such as locking mechanisms. There are steps that can and should be taken to guard against these attacks:
- Manufacturers can reduce risk by disabling proximity key functionality when the user’s phone or key fob has been stationary for a while (based on the accelerometer)
- System makers should give customers the option of providing a second factor for authentication, or user presence attestation (e.g., tap an unlock button in an app on the phone)
- Users of affected products should disable passive unlock functionality that does not require explicit user approval, or disable Bluetooth on mobile devices when it’s not needed
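The first two recommendations above can be expressed as a small decision policy on the key-device side: BLE proximity alone is not enough to unlock once the phone or fob has been stationary for a while, and an explicit user action (a tap in the app) restores the unlock for a short window. The following is an added illustration of that policy and is not NCC Group's code nor any vendor's implementation; the class name, the timeout and motion-threshold values, the magnitude-based motion heuristic and the accelerometer samples are all constructed assumptions.

```python
"""Added example: a policy gate for a phone-as-key style unlock that applies
the mitigations recommended above (stationary cut-off and user presence
attestation). Not NCC Group's code; all thresholds are assumed values."""
import math
from dataclasses import dataclass
from typing import Optional, Tuple

Accel = Tuple[float, float, float]  # (x, y, z) in g; constructed sample format


@dataclass
class ProximityUnlockGate:
    """Decides whether a BLE proximity signal may unlock on its own.

    Rule 1 (stationary cut-off): if the key device has not moved for
    `stationary_timeout_s`, BLE proximity alone is not enough, because a
    relayed signal from a phone lying on a kitchen counter looks identical
    to the real owner walking up to the door.
    Rule 2 (presence attestation): an explicit user action within
    `presence_window_s` (e.g. tapping an unlock button) permits the unlock.
    """
    stationary_timeout_s: float = 30.0   # assumed value
    motion_threshold_g: float = 0.05     # assumed value
    presence_window_s: float = 10.0      # assumed value
    passive_unlock_enabled: bool = True  # user-facing toggle (third recommendation)
    last_motion_t: Optional[float] = None
    last_presence_t: Optional[float] = None

    def record_accel(self, sample: Accel, t: float) -> bool:
        """Feed one accelerometer reading; returns True if it counts as motion."""
        magnitude = math.sqrt(sum(c * c for c in sample))
        # At rest the magnitude is ~1 g (gravity only); deviation means movement.
        moving = abs(magnitude - 1.0) > self.motion_threshold_g
        if moving:
            self.last_motion_t = t
        return moving

    def record_presence(self, t: float) -> None:
        """User explicitly approved the unlock (e.g. tapped 'unlock' in the app)."""
        self.last_presence_t = t

    def _recent(self, stamp: Optional[float], window: float, t: float) -> bool:
        return stamp is not None and 0.0 <= t - stamp <= window

    def decide(self, ble_in_range: bool, t: float) -> Tuple[bool, str]:
        """Return (allow, reason) for an unlock request at time t."""
        if not ble_in_range:
            return False, "no BLE proximity"
        if self._recent(self.last_presence_t, self.presence_window_s, t):
            return True, "explicit user presence attestation"
        if not self.passive_unlock_enabled:
            return False, "passive unlock disabled; presence attestation required"
        if not self._recent(self.last_motion_t, self.stationary_timeout_s, t):
            return False, "key device stationary; passive unlock suspended"
        return True, "BLE proximity with recent motion"


def demo() -> list:
    """Constructed timeline: key at rest, then moved, then left idle again."""
    gate = ProximityUnlockGate()
    log = []
    # t=0..40 s: phone lying flat on a table, reading ~1 g on z only
    for t in range(0, 41, 5):
        gate.record_accel((0.0, 0.0, 1.0), float(t))
    log.append(("idle key", gate.decide(True, 40.0)))
    # t=45 s: owner picks up the phone
    gate.record_accel((0.3, -0.2, 1.1), 45.0)
    log.append(("just moved", gate.decide(True, 50.0)))
    # t=100 s: phone has been idle again for more than 30 s
    log.append(("idle again", gate.decide(True, 100.0)))
    # t=101 s: owner taps the unlock button in the app
    gate.record_presence(101.0)
    log.append(("presence tap", gate.decide(True, 102.0)))
    return log


if __name__ == "__main__":
    for label, (allow, reason) in demo():
        print(f"{label:13s} -> {'ALLOW' if allow else 'DENY'} ({reason})")
```

The point of the gate is that a relay cannot manufacture motion on the victim's phone or press a button in the victim's app, so both checks bind the unlock to something a distant relay does not control. A real implementation would tune the motion threshold to the device's sensor noise and would make the stationary timeout a product decision balanced against convenience.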
Potential attack surface
Since the technology is so common, the potential attack surface is vast. It includes:
- Cars with automotive keyless entry – an attacker can unlock, start and drive a vehicle. NCC Group has confirmed and disclosed a successful exploit of this for Tesla Models 3 and Y (over 2 million of which have been sold)
- Laptops with a Bluetooth proximity unlock feature enabled – this attack allows someone to unlock the device
- Mobile phones – a criminal could prevent the phone from locking
- Residential smart locks – an attacker could unlock and open the door without mechanically picking or cutting the lock. NCC Group has conducted a successful exploit on Kwikset/Weiser Kevo smart locks, which has been disclosed to the vendor
- Building access control systems – allowing an attacker to unlock and open doors while also impersonating someone else (whose phone or fob is being relayed)
- Asset and medical patient tracking – someone could spoof the location of an asset or patient
“This research offers more evidence that risks in the digital world are increasingly becoming risks in the physical world as well. As more and more of the environment becomes connected, the potential keeps growing for more attackers to penetrate cars, homes, businesses, schools, utility grids, hospitals, and more,” Khan concluded.
Disclosure
NCC Group disclosed details to companies behind the products tested before issuing research publicly, and has discussed mitigation approaches with the Bluetooth Special Interest Group (SIG).
Technical advisories
https://research.nccgroup.com/2022/05/15/technical-advisory-ble-proximity-authentication-vulnerable-to-relay-attacks/
https://research.nccgroup.com/2022/05/15/technical-advisory-tesla-ble-phone-as-a-key-passive-entry-vulnerable-to-relay-attacks/
https://research.nccgroup.com/2022/05/15/technical-advisory-kwikset-weiser-ble-proximity-authentication-in-kevo-smart-locks-vulnerable-to-relay-attacks/
======================
NCC Group services
Today’s hardware and IoT producers must consider security in all phases of commercial product development, from first design to end-of-life. NCC Group Hardware and Embedded Services leverage decades of real-world engineering experience to provide pragmatic guidance on architecture and design, component selection, and manufacturing.