Teslas and other Bluetooth-enabled locks vulnerable to hack


Cybersecurity firm NCC Group has just demonstrated that millions of locks worldwide can be unlocked by hackers using a vulnerability in Bluetooth technology, and a Tesla was the company’s prime example.

Tesla vehicles, such as the Model 3 and Model Y, use a technology called Bluetooth Low Energy (BLE) that allows owners to unlock and control their vehicles via their phones within a short distance of the vehicle. This does not require any user interaction with the device. As for the vulnerability, the hardware needed to break in and drive these cars away is easy to find: the NCC Group says it only needs “cheap out-of-the-box hardware” to hack into a car or device using BLE technology from anywhere in the world. Yes, this hack can be done anywhere – the hacker doesn’t have to be in your driveway to gain access.

Reuters reports that in a video shared with them, “NCC Group researcher Sultan Qasim Khan was able to open and then control a Tesla using a small relay device connected to a laptop, which bridged a large gap between the Tesla and the Tesla owner’s phone.”

Specifically, it was a 2021 Tesla Model Y, but the NCC Group says the exploit works on all Tesla Model 3s and Ys. And while the focus here has been entirely on Teslas, it’s important to note that all BLE-based proximity authentication systems are vulnerable. In addition to cars, the technology is being used for “smart locks for homes, access control systems for commercial buildings, smartphones, smart watches, laptops and more,” according to the NCC Group.

“What makes this powerful is not only that we can convince a Bluetooth device that we’re close – even hundreds of miles away – but that we can do it even if the vendor has taken defensive measures such as encryption and latency throttling to theoretically protect these communications from remote attackers,” Khan said. “All it takes is 10 seconds — and these exploits can be repeated endlessly.”

Other automakers are introducing “phone-as-key” features that rely on BLE technology. For example, Hyundai has already launched such a feature in the US. That said, the market penetration of those cars is much lower than that of the Tesla vehicles currently using the technology; the NCC Group claims at least 2 million Teslas on the road are now vulnerable to this attack.

Unfortunately, the NCC Group has no grand answers to the problem and criticizes those who use BLE as a security system, because that is a use of the technology that goes beyond its ‘intended purpose’. BLE proximity authentication was never designed for use in locking mechanisms requiring security, but companies have adopted it anyway.

It suggests that manufacturers can reduce the risk of the hack by disabling proximity key functionality when a user’s phone has been stationary for a while based on the phone’s accelerometer. It also suggests a dual-factor authentication model that requires you to tap a button on your phone to unlock the car, as opposed to passive access. Finally, the company suggests that you simply turn off Bluetooth on your phone when you don’t need it. That is of course inconvenient, but it can prevent your car from being stolen in the meantime.
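
The first two mitigations above, expressed as a phone-side policy check. This is an added example, not code from NCC Group or any vendor; the thresholds, the `Sample` type, the function names and the sensor readings are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

# Assumed tuning values for illustration; not taken from NCC Group or any vendor.
STATIONARY_AFTER_S = 60.0  # idle time after which passive entry is disabled
MOTION_DELTA_G = 0.08      # change between consecutive readings counted as movement
MAX_SAMPLE_AGE_S = 5.0     # older sensor data is treated as missing


@dataclass(frozen=True)
class Sample:
    t: float  # seconds, monotonic clock
    x: float  # acceleration in g
    y: float
    z: float


def last_motion_time(samples):
    """Timestamp of the latest reading that differs from its predecessor, or None."""
    last = None
    for prev, cur in zip(samples, samples[1:]):
        delta = math.dist((prev.x, prev.y, prev.z), (cur.x, cur.y, cur.z))
        if delta > MOTION_DELTA_G:
            last = cur.t
    return last


def unlock_decision(samples, now, user_tapped):
    """Decide how the phone answers a proximity-unlock request from the lock."""
    if user_tapped:
        return "unlock"        # explicit user interaction on the phone
    if not samples or now - samples[-1].t > MAX_SAMPLE_AGE_S:
        return "require_tap"   # no fresh sensor data: fail closed
    moved = last_motion_time(samples)
    if moved is not None and now - moved <= STATIONARY_AFTER_S:
        return "unlock"        # phone was carried recently: passive entry allowed
    return "require_tap"       # phone is at rest: passive entry disabled


# Constructed sensor data, one reading per second (not real measurements).
ON_NIGHTSTAND = [Sample(float(t), 0.0, 0.0, 1.0) for t in range(301)]
IN_POCKET = [Sample(float(t), 0.1 * (t % 3), 0.0, 1.0 + 0.2 * (t % 2))
             for t in range(301)]
```

The motion check only narrows the window: while the phone is being carried, passive entry stays on, which is why this measure is described as reducing the risk.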

If you’d like to read more about how the NCC Group discovered this vulnerability and the technology behind it, detailed research can be found here and here.
