Bluetooth technology is nowadays used for a number of things, from unlocking smart locks to unlocking a Tesla car. The technology is fairly simple to use: all it requires is for the user to be in close proximity to the device to be unlocked, and the door or car unlocks automatically. But now, researchers have developed a hack that allows them to unlock millions of Tesla Model 3 and Model Y cars, and other devices such as smart locks, smartphones, laptops and smartwatches, even from miles away using Bluetooth Low Energy technology. What’s more concerning is that this hack can bypass all security and authentication measures built into the targeted devices.
“Our research shows that systems that people rely on to guard their cars, homes and private data are using Bluetooth proximity authentication mechanisms that can be easily broken with cheap off-the-shelf hardware — in effect, a car can be hacked from the other side of the world,” NCC Group wrote in a blog post.
How this hack works
According to a report by ArsTechnica, the hack uses a type of attack called a ‘relay attack’ to break into devices and cars. The technique requires a ‘man-in-the-middle’ to carry out the hack. In the case of the Tesla car, which the researchers used as a proof-of-concept, the first attacker is in close proximity to the car, while the second attacker is sitting miles away. The two attackers are connected to each other via the internet.
The first attacker uses a Bluetooth-enabled device to impersonate the phone that would otherwise unlock the car by sending an authentication request. This attacker captures the request data being sent to the car via Bluetooth and forwards it to the second attacker, who, in turn, modifies the data and relays it back to the first attacker. The first attacker then sends this data to the car over the same Bluetooth LE connection and unlocks it.
Now, there need not be two attackers all the time. The attacker can simply place a relaying device in the middle (where the car is parked) to hack the device.
“What makes this powerful is not only that we can convince a Bluetooth device that we are near it—even from hundreds of miles away—but that we can do it even when the vendor has taken defensive mitigations like encryption and latency bounding to theoretically protect these communications from attackers at a distance,” said NCC Group Principal Security Consultant and Researcher, Sultan Qasim Khan, who conducted this research.
“All it takes is 10 seconds—and these exploits can be repeated endlessly,” he added.
How can I protect myself?
NCC recommends that users of affected products should disable passive unlock functionality that does not require explicit user approval, or disable Bluetooth on mobile devices when it’s not needed.
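To make the mechanism described above and the recommended mitigation concrete, here is an added Python model (not NCC Group's code, and it sends no real Bluetooth traffic) of a challenge-response proximity check, a relay that forwards bytes unchanged, a round-trip latency bound, and the explicit-approval setting the article recommends. The key, the timings and the latency bound are constructed values chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed demo key: stands in for the secret a paired phone and car share.
DEMO_KEY = b"constructed-demo-pairing-key"


def car_challenge() -> bytes:
    """The car starts proximity authentication by sending a fresh random nonce."""
    return os.urandom(16)


def phone_respond(key: bytes, challenge: bytes, passive_unlock: bool) -> Optional[bytes]:
    """The phone answers the challenge with a MAC over it.

    With passive unlock enabled it answers automatically. With passive unlock
    disabled, the user must approve explicitly; modelled here as no answer."""
    if not passive_unlock:
        return None
    return hmac.new(key, challenge, hashlib.sha256).digest()


def relay(message: Optional[bytes], hop_ms: float) -> Tuple[Optional[bytes], float]:
    """A relay forwards the bytes untouched and never needs the key, so
    encryption or a MAC alone cannot detect it; its only footprint is latency."""
    return message, hop_ms


def unlock_attempt(key: bytes, passive_unlock: bool, relay_ms: float,
                   latency_bound_ms: float, phone_ms: float = 5.0):
    """One authentication round. Returns (mac_valid, within_bound, unlocked)."""
    challenge = car_challenge()
    challenge_at_phone, out_ms = relay(challenge, relay_ms)
    response = phone_respond(key, challenge_at_phone, passive_unlock)
    response_at_car, back_ms = relay(response, relay_ms)
    round_trip_ms = out_ms + phone_ms + back_ms

    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    mac_valid = response_at_car is not None and hmac.compare_digest(expected, response_at_car)
    within_bound = round_trip_ms <= latency_bound_ms
    return mac_valid, within_bound, mac_valid and within_bound


if __name__ == "__main__":
    print("direct, in range      :", unlock_attempt(DEMO_KEY, True, 0.0, 30.0))
    print("slow internet relay   :", unlock_attempt(DEMO_KEY, True, 40.0, 30.0))
    print("fast relay, passive on:", unlock_attempt(DEMO_KEY, True, 8.0, 30.0))
    print("fast relay, passive off:", unlock_attempt(DEMO_KEY, False, 8.0, 30.0))
```

The second case shows a latency bound catching a slow relay while the MAC still verifies; the third shows why a bound alone is not enough once the relay's added delay is small, as the article reports; the fourth shows that requiring explicit user approval stops the unlock regardless of timing.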