Pentester pops open Tesla Model 3 using low-cost Bluetooth module

Anything that uses proximity-based BLE is vulnerable, claim researchers

Tesla Model 3 and Y owners, beware: the passive entry feature on your vehicle could potentially be hoodwinked by a relay attack, leading to the theft of the flash motor.

Discovered and demonstrated by researchers at NCC Group, the technique involves relaying the Bluetooth Low Energy (BLE) signals from a smartphone that has been paired with a Tesla back to the vehicle. Far from simply unlocking the door, this hack lets a miscreant start the car and drive away, too.

Essentially, what happens is this: the paired smartphone should be physically close by the Tesla to unlock it. NCC's technique involves one gadget near the paired phone, and another gadget near the car. The phone-side gadget relays signals from the phone to the car-side gadget, which forwards them to the vehicle to unlock and start it. This shouldn't normally happen because the phone and car are so far apart. The car has a defense mechanism – based on measuring transmission latency to detect that a paired device is too far away – that ideally prevents relayed signals from working, though this can be defeated by simply cutting the latency of the relay process.

In a real-life scenario, a victim could be in a building just out of range of their Tesla while standing near a crook with a relay gadget on them. This gadget relays signals from the victim's phone to the Tesla outside via another miscreant with a gadget, who jumps in and steals the unlocked vehicle.

In its testing, NCC Group said it was able to perform a relay attack that opened a Tesla Model 3 in which the vehicle's paired device was located in a house approximately 25 metres from the vehicle. Using phone-side and vehicle-side relaying devices made from $50 Bluetooth development modules, the team said it managed to gain full access to the Tesla when the vehicle-side relay was brought within 3 metres. 

While NCC only tested the attack on a Tesla Model 3, Sultan Khan, senior security researcher at NCC and the author of the advisory, said the technology used in the Tesla app is the same when connecting to a Model 3 or Y. Khan also theorized that Model 3 and Y key fobs were likely affected, though those weren't tested either.

The advisory added:

As the latency added by this relay attack is within the bounds accepted by the Model 3 (and likely Model Y) passive entry system, it can be used to unlock and drive these vehicles while the authorized mobile device or key fob is out of range.

A problem of keys

Tesla hasn't had a good history when it comes to security researchers finding ways to unlock its cars. In 2014, a group of Chinese university students managed an attack on a Model S that allowed them to open doors, sound the horn and more while the vehicle was in motion, and a second Chinese group did much the same in 2016. That same year, the Tesla app was exploited to allow attackers to track, locate, unlock and start vehicles. Two years later, Belgian researchers managed to clone Tesla key fobs, giving them full control of the affected vehicle.

A problem of Bluetooth

At the same time NCC Group released its Tesla BLE relay advisory, it published a second advisory authored by Khan. In that advisory, he explains how NCC's novel method to hijack a Tesla works against anything relying on BLE to confirm the presence of an authorized user.

In the advisory, Khan states that BLE proximity relay attacks have been known about for years. Fortunately for fans of the protocol, existing relay attacks introduce too much latency. "Products commonly attempt to prevent relay attacks by imposing strict Generic Attribute Protocols (GATT) response time limits and/or using link layer encryption," Khan said. 

The tool developed by NCC Group for its research operates at the link layer, which Khan said reduces latency down to acceptable GATT ranges. By doing so, it's able to circumvent latency bounding and link layer encryption, Khan said. 

It's worth noting that the Bluetooth Core Specification makes no claims that BLE proximity signals are secure. In Proximity Profile specification updates from 2015, the Bluetooth Special Interest Group (SIG) stated "the Proximity Profile should not be used as the only protection of valuable assets," and additionally "there is currently no known way to protect against such attacks using Bluetooth technology."

Car owners should disable passive entry

Khan said that the Tesla Product Security team was notified in April of the flaw. Their response was that it was a known limitation of the passive entry system. 

Tesla owners concerned about a relay attack should use the PIN to Drive feature in their Tesla, as well as disabling passive entry:

Controls > Settings > Doors & Locks > Passive Entry > OFF

Khan also said adding checks like having the app report the device's last known location and time-of-flight ranging could protect owners, but that's on Tesla to fix, and Khan told Bloomberg the automaker said it has no plans to do so.
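The following is an added illustration, not code from NCC Group, Tesla or The Register, of the two vehicle-side checks discussed above: a fixed GATT response-time limit, which accepts a relay that adds only a little latency, and time-of-flight ranging, which turns that same added latency into an implausible distance. The 25 m and 3 m figures come from the article; every delay and threshold is a constructed, hypothetical value.

```python
# Added example (not NCC Group's, Tesla's or The Register's code): toy model of
# a GATT response-time limit versus time-of-flight (ToF) ranging as a defence
# against BLE relay. All delays and thresholds are constructed, hypothetical.
C = 299_792_458.0  # speed of light in m/s, roughly 0.3 m per nanosecond


def response_time_s(path_m: float, processing_s: float, relay_added_s: float = 0.0) -> float:
    """Time the car sees between sending a challenge and receiving the reply:
    radio round trip over path_m, plus phone processing, plus any relay delay."""
    return 2 * path_m / C + processing_s + relay_added_s


def passes_gatt_limit(rt_s: float, limit_s: float) -> bool:
    """The latency-bounding check products rely on: reply inside a fixed window."""
    return rt_s <= limit_s


def tof_distance_m(rt_s: float, processing_s: float) -> float:
    """ToF ranging: strip the (assumed known, fixed) processing delay and turn
    what remains into a one-way distance. Each extra nanosecond adds ~0.15 m."""
    return (rt_s - processing_s) * C / 2


def evaluate(path_m, processing_s, relay_added_s, gatt_limit_s, max_range_m):
    """Run both checks on one exchange and report which ones accept it."""
    rt = response_time_s(path_m, processing_s, relay_added_s)
    dist = tof_distance_m(rt, processing_s)
    return {
        "response_time_s": rt,
        "gatt_ok": passes_gatt_limit(rt, gatt_limit_s),
        "tof_distance_m": dist,
        "tof_ok": dist <= max_range_m,
    }


# Constructed scenario parameters (the article gives no real thresholds).
PROCESSING_S = 2e-3   # phone takes 2 ms to answer a challenge
GATT_LIMIT_S = 30e-3  # car accepts replies arriving within 30 ms
MAX_RANGE_M = 5.0     # car accepts a ToF estimate of 5 m or less

# Legitimate owner: phone 3 m from the car, no relay in the path.
LEGIT = evaluate(3.0, PROCESSING_S, 0.0, GATT_LIMIT_S, MAX_RANGE_M)
# Relayed: phone 25 m away, as in the article's test, relay adding 200 us.
RELAYED = evaluate(25.0, PROCESSING_S, 200e-6, GATT_LIMIT_S, MAX_RANGE_M)

if __name__ == "__main__":
    for name, r in (("legitimate", LEGIT), ("relayed", RELAYED)):
        print(f"{name}: gatt_ok={r['gatt_ok']} tof_ok={r['tof_ok']} "
              f"tof_distance={r['tof_distance_m']:.1f} m")
```

The relayed exchange sails through the 30 ms window yet shows up as roughly 30 km away once the delay is converted to distance, which is why ranging at the radio layer, rather than a response-time budget, is the check that actually constrains proximity.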

Because this attack potentially affects so many devices used to secure so many things, it's a serious issue. Khan said that Bluetooth SIG was notified of the flaw and it told him "more accurate ranging mechanisms are under development."

We've asked the Bluetooth SIG to tell us more about those mechanisms and their availability, but have yet to hear back. ®

Biting the hand that feeds IT © 1998–2022