A group of security researchers has found a way to bypass digital locks and other security systems that rely on the proximity of a Bluetooth fob or a smartphone for authentication.
Using what is known as a “link layer relay attack,” security consulting firm NCC Group was able to unlock, start and drive vehicles and unlock and open certain residential smart locks without the Bluetooth-based key anywhere nearby.
Sultan Qasim Khan, NCC Group’s chief security consultant and researcher, demonstrated the attack on a Tesla Model 3, although he notes that the problem is not specific to Tesla. Any vehicle that uses Bluetooth Low Energy (BLE) for its keyless entry system would be vulnerable to this attack.
Many smart locks are also vulnerable, adds Khan. His firm specifically called out the Kwikset/Weiser Kevo models, as these use a touch-to-open feature that relies on passive detection of a nearby Bluetooth fob or smartphone. Since the owner of the lock does not need to interact with the Bluetooth device to confirm that they want to unlock the door, a hacker can relay the key’s Bluetooth credentials from a remote location and open someone’s door, even if the owner is thousands of kilometers away.
This exploit still requires the attacker to have access to the owner’s actual Bluetooth device or keychain. However, what makes it potentially dangerous is that the actual Bluetooth key does not need to be near the vehicle, lock, or other secure devices.
Instead, Bluetooth signals are transmitted between the lock and key through a pair of intermediate Bluetooth devices connected using another method, usually through a normal Internet link. The result is that the lock treats the hacker’s nearby Bluetooth device as if it were the valid key.
As Khan explains, “we can convince a Bluetooth device that we are close to it, even from hundreds of miles away. […] even when the provider has taken defensive mitigations like encryption and latency capping to theoretically protect these communications from remote attackers.”
The exploit bypasses the usual protections against relay attacks because it works at a very low level of the Bluetooth stack: it doesn’t matter whether the data is encrypted, and the relay adds almost no latency to the connection. The target lock has no way of knowing that it is not communicating with the legitimate Bluetooth device.
Since many Bluetooth security keys work passively, a thief would only need to place one device within a few feet of the owner and the other near the target lock. For example, a pair of thieves could work together to follow the Tesla owner away from his vehicle, transmitting Bluetooth signals to the car so it can be stolen once the owner is far enough away.
These attacks could be carried out even over great distances with sufficient coordination. A person on vacation in London could have their Bluetooth keys beamed to the door locks at their home in Los Angeles, allowing a thief quick access simply by touching the lock.
This also goes beyond cars and smart locks. The researchers note that it could be used to unlock laptops that rely on Bluetooth proximity detection, prevent mobile phones from being locked, bypass building access control systems, and even spoof the location of a medical asset or patient.
NCC Group also adds that this is not a traditional bug that can be fixed with a simple software patch. It’s not even a flaw in the Bluetooth specification. Instead, it’s a matter of using the wrong tool for the job. Bluetooth was never designed for proximity authentication, at least not “for use in critical systems like lockout mechanisms,” the firm notes.
First of all, it is essential to note that this vulnerability is specific to systems that rely solely on passive detection of a Bluetooth device.
For example, this exploit cannot realistically be used to bypass security systems that require you to unlock your smartphone, open a specific app, or perform some other action, such as pressing a button on a keychain. In this case, there’s no Bluetooth signal to relay until you do that, and it generally won’t try to unlock your car, door, or laptop when you’re not near it.
This is also usually not a problem for apps that take steps to confirm your location. For example, the auto-unlock feature on August’s popular smart lock relies on Bluetooth proximity detection, but the app also checks your GPS location to make sure you’re really coming home. It cannot be used to open your door when you are already at home, nor can it open your door when you are miles away from home.
If your security system allows it, you should enable an additional authentication step that requires you to take some action before Bluetooth credentials are sent to your lock. For example, Kwikset has said that customers using an iPhone can enable two-factor authentication in its lock app, and it plans to add this to its Android app soon. Kwikset’s Kevo app also disables the proximity unlock functionality when the user’s phone has been idle for an extended period.
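To make the difference between the two designs concrete, here is an added illustration (not code from NCC Group, Kwikset, August or any vendor named in this article) contrasting a passive touch-to-open policy with one that layers the mitigations above on top of BLE proximity; the KeyPresence fields, the thresholds and the coordinates are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from math import cos, radians, sqrt

# Hypothetical model of what a smart lock can learn about its key device.
# Constructed for this example; the field names are not any vendor's API.
@dataclass
class KeyPresence:
    ble_rssi_dbm: float       # signal strength the lock sees on the BLE link
    user_action_age_s: float  # seconds since the phone reported a deliberate unlock gesture
    phone_idle_s: float       # seconds since the phone was last used
    phone_lat: float          # GPS position the phone app reports to the lock's backend
    phone_lon: float

PROXIMITY_RSSI_DBM = -70  # constructed threshold for "key is within a few feet"

def passive_policy(p: KeyPresence) -> bool:
    """Touch-to-open as described in the article: BLE proximity alone unlocks.
    A link-layer relay makes the lock see a strong signal, so this check passes."""
    return p.ble_rssi_dbm > PROXIMITY_RSSI_DBM

def distance_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Equirectangular approximation; accurate enough for a small geofence."""
    earth_radius_m = 6_371_000.0
    x = radians(lon2 - lon1) * cos(radians((lat1 + lat2) / 2))
    y = radians(lat2 - lat1)
    return sqrt(x * x + y * y) * earth_radius_m

def hardened_policy(p: KeyPresence, lock_lat: float, lock_lon: float,
                    max_action_age_s: float = 30, max_idle_s: float = 600,
                    geofence_m: float = 100) -> bool:
    """BLE proximity is necessary but not sufficient: the phone must not be idle
    (Kevo-style cutoff), and there must be either a fresh deliberate action
    (second factor) or a GPS position near the lock (August-style check).
    A relay forwards BLE frames, but it cannot forge the owner's gesture or GPS."""
    if p.ble_rssi_dbm <= PROXIMITY_RSSI_DBM:
        return False
    if p.phone_idle_s > max_idle_s:
        return False
    fresh_action = p.user_action_age_s <= max_action_age_s
    near_by_gps = distance_m(p.phone_lat, p.phone_lon, lock_lat, lock_lon) <= geofence_m
    return fresh_action or near_by_gps

# Constructed scenario: lock at a home in Los Angeles, owner's phone in London.
HOME_LAT, HOME_LON = 34.05, -118.24
OWNER_AT_DOOR = KeyPresence(-55, 2, 5, 34.0501, -118.2401)
# Relay device beside the door gives a strong RSSI, but the phone is abroad,
# in use (not idle) and has reported no unlock gesture.
RELAYED_FROM_LONDON = KeyPresence(-55, 1e9, 5, 51.50, -0.12)
```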
Note also that unlocking solutions that use a combination of Bluetooth and other protocols are not vulnerable to this attack. A typical example of this is Apple’s feature that allows people to unlock their Mac with their Apple Watch. Although this uses Bluetooth to detect the nearby Apple Watch initially, it measures actual proximity over Wi-Fi, a mitigation that Apple executives have specifically said was added to prevent Bluetooth relay attacks.