Bluetooth hack compromises Teslas, digital locks and more | Digital Trends Spanish

This exploit still requires the attacker to have access to the owner’s actual Bluetooth device or keychain. However, what makes it potentially dangerous is that the actual Bluetooth key does not need to be near the vehicle, lock, or other secure devices.

Instead, Bluetooth signals are transmitted between the lock and key through a pair of intermediate Bluetooth devices connected using another method, usually through a normal Internet link. The result is that the lock treats the hacker’s nearby Bluetooth device as if it were the valid key.

As Khan explains, “we can convince a Bluetooth device that we are close to it, even from hundreds of miles away. […] even when the provider has taken defensive mitigations like encryption and latency capping to theoretically protect these communications from remote attackers.”

The exploit bypasses the usual protections against relay attacks, as it works at a very low level of the Bluetooth stack, so it doesn’t matter if the data is encrypted and adds almost no latency to the connection. The target lock has no way of knowing that it is not communicating with the legitimate Bluetooth device.

Since many Bluetooth security keys work passively, a thief would only need to place one device within a few feet of the owner and the other near the target lock. For example, a pair of thieves could work together to follow the Tesla owner away from his vehicle, transmitting Bluetooth signals to the car so it can be stolen once the owner is far enough away.

These attacks could be carried out even over great distances with sufficient coordination. A person on vacation in London could have their Bluetooth keys beamed to their door locks at her home in Los Angeles, allowing a thief quick access simply by touching the lock.

This also goes beyond cars and smart locks. The researchers note that it could be used to unlock laptops that rely on Bluetooth proximity detection, prevent mobile phones from being locked, bypass building access control systems, and even spoof the location of a medical asset or patient.

NCC Group also adds that this is not a traditional bug that can be fixed with a simple software patch. It’s not even a flaw in the Bluetooth specification. Instead, it’s a matter of using the wrong tool for the job. Bluetooth was never designed for proximity authentication, at least not “for use in critical systems like lockout mechanisms,” the firm notes.

First of all, it is essential to note that this vulnerability is specific to systems that rely solely on passive detection of a Bluetooth device.

For example, this exploit cannot realistically be used to bypass security systems that require you to unlock your smartphone, open a specific app, or perform some other action, such as pressing a button on a keychain. In this case, there’s no Bluetooth signal to relay until you do that, and it generally won’t try to unlock your car, door, or laptop when you’re not near it.

This is also usually not a problem for apps that take steps to confirm your location. For example, the auto-unlock feature on August’s popular smart lock relies on Bluetooth proximity detection, but the app also checks your GPS location to make sure you’re really coming home. It cannot be used to open your door when you are already at home, nor can it open your door when you are miles away from home.

If your security system allows it, you must enable an additional authentication step that requires you to take some action before Bluetooth credentials are sent to your lock. For example, Kwikset has said that customers using an iPhone can enable two-factor authentication in its lockdown app, and it plans to add this to its Android app soon. Kwikset’s Kevo app also disables the proximity unlock functionality when the user’s phone has been idle for an extended period.