This vulnerability affects hundreds of thousands of Bluetooth Low Energy (BLE) devices.
Using the weakness uncovered by NCC Group, the firm carried out the first successful link-layer relay attack against BLE. With the Tesla Model 3's key fob out of range, it used a relay attack tool to unlock and even drive the vehicle.
What makes this vulnerability worrying is that Bluetooth proximity authentication systems (which unlock a device when an authorised phone or fob is within a particular range) can be defeated with cheap off-the-shelf hardware. An attacker needs only a Bluetooth developer board and ready-made apps, with no coding knowledge at all.
In NCC Group's press statement, Sultan Qasim Khan, a senior security consultant and researcher, explained the research he conducted into this new BLE vulnerability and how it overcomes even encryption.
“It’s not only that we can convince a Bluetooth device that we are near it—even from hundreds of miles away—but that we can accomplish it even if the vendor has taken defensive mitigations like encryption and latency bounding to purportedly safeguard these conversations from attackers at a distance. It just takes 10 seconds, and you can keep doing it indefinitely. As a result of this research, Bluetooth Low Energy security has been fundamentally rethought by developers and customers alike,” the researchers write in a press release.
A large potential attack surface
The attack surface for this vulnerability has grown enormously due to the widespread use of Bluetooth Low Energy in both consumer and corporate devices.
Keyless entry systems in other Tesla models, including the Model Y, could be exploited to let an attacker gain access to a victim's vehicle and take control of it. Laptops and smartphones that offer Bluetooth proximity unlock are also vulnerable.
If you've replaced a standard lock with a smart lock, even your own home could be burgled. NCC Group successfully attacked Kwikset/Weiser Kevo smart locks and has disclosed its findings to the company. Access control systems at firms large and small could likewise be compromised by an intruder posing as a legitimate employee in order to reach sensitive areas.
Not recommended for critical systems
Bluetooth Low Energy was first created by Nokia in 2006 under the name Wibree, with the goal of lowering power consumption and cost while keeping a range similar to that of existing Bluetooth devices. For example, Bluetooth Low Energy (BLE)-enabled headphones can run longer before needing a recharge.
BLE-based proximity authentication was not intended for use in critical systems like vehicle locks or smart locks, as noted by the NCC Group.
Unfortunately, this new vulnerability is neither an ordinary bug that a software patch can correct nor a flaw in the Bluetooth specification itself.
Defending yourself from BLE-based attacks
To protect yourself from this attack in the wild, NCC Group suggests disabling passive unlocking on your devices and switching off Bluetooth whenever it isn't needed.
Manufacturers can use accelerometer data to disable key functionality in a phone or key fob once it has been stationary for some time. Vendors of systems that use a phone as a BLE key fob for a car should also give consumers the option of a second authentication factor or user presence attestation, such as tapping an unlock button in an app on the phone.
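As an added illustration of the two mitigations above (not NCC Group's or any vendor's code), the following Python sketch gates passive unlock on recent accelerometer motion and lets an explicit user tap serve as presence attestation; the Sample type, the thresholds and the accelerometer trace are all assumptions constructed for the example.

```python
"""Gate passive (proximity) unlock on evidence that the key is actually with its owner.
Added example; thresholds and data are constructed, not from any real product."""
import math
from dataclasses import dataclass

STATIONARY_TIMEOUT_S = 120.0  # assumed: passive unlock lapses after 2 minutes at rest
MOTION_THRESHOLD_G = 0.05     # assumed: deviation from 1 g that counts as movement


@dataclass
class Sample:
    t: float   # seconds since boot
    ax: float  # acceleration in g
    ay: float
    az: float


def is_moving(s: Sample) -> bool:
    """A key lying still measures ~1 g (gravity only); anything else is motion."""
    magnitude = math.sqrt(s.ax ** 2 + s.ay ** 2 + s.az ** 2)
    return abs(magnitude - 1.0) > MOTION_THRESHOLD_G


def last_motion_time(samples):
    """Timestamp of the most recent sample showing movement, or None if never moved."""
    latest = None
    for s in samples:
        if is_moving(s):
            latest = s.t
    return latest


def passive_unlock_allowed(samples, now: float, user_tapped: bool = False) -> bool:
    """Honour a proximity unlock only if the key moved recently, or if the user
    explicitly tapped the unlock button (second factor / presence attestation).
    A relayed BLE session from a key resting on a hallway table is refused."""
    if user_tapped:
        return True
    latest = last_motion_time(samples)
    if latest is None:
        return False
    return (now - latest) <= STATIONARY_TIMEOUT_S


# Constructed trace: the fob is carried for 10 s, then lies still on a table.
FOB_TRACE = [Sample(float(t), 0.1 * math.sin(t), 0.0, 1.0 + 0.2 * math.cos(t))
             for t in range(0, 10)]
FOB_TRACE += [Sample(float(t), 0.0, 0.0, 1.0) for t in range(10, 400, 10)]

if __name__ == "__main__":
    print("at t=60  :", passive_unlock_allowed(FOB_TRACE, 60.0))    # True, moved recently
    print("at t=300 :", passive_unlock_allowed(FOB_TRACE, 300.0))   # False, stationary
    print("t=300+tap:", passive_unlock_allowed(FOB_TRACE, 300.0, user_tapped=True))
```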
Tom's Guide contacted the Bluetooth Special Interest Group (SIG) for comment and received this statement:
“There are a number of security elements in the Bluetooth Specification (SIG) that developers can use to safeguard communications between Bluetooth devices and implement acceptable levels of security for their products. During the creation of any Bluetooth specifications, security is a consideration.
Bluetooth is an open standard, and the Bluetooth SIG encourages security researchers to actively evaluate the specifications. A vulnerability response programme, in conjunction with the security research community, is another service provided by the SIG to the developer community to assist them in implementing the necessary level of security in their Bluetooth devices. There are a number of resources available to help developers make the right security decisions for their Bluetooth-enabled products and solutions.”
Now that NCC Group has successfully carried out a link-layer relay attack against BLE, automobile and device manufacturers are likely to begin developing defences against this new attack type. Until this vulnerability is addressed, you should disable Bluetooth whenever you aren't using it.