A group of security researchers has found a way to bypass digital locks and other security systems that rely on the proximity of a Bluetooth fob or smartphone for authentication.
Using what is known as a “link-layer relay attack,” security consulting firm NCC Group was able to unlock, start, and drive vehicles and to unlock certain residential smart locks without the Bluetooth key being anywhere in the vicinity.
Sultan Qasim Khan, NCC Group’s chief security consultant and researcher, demonstrated the attack on a Tesla Model 3, although he notes that the problem is not specific to Tesla. Any vehicle that uses Bluetooth Low Energy (BLE) for its keyless entry system would be vulnerable to this attack.
Many smart locks are also vulnerable, Khan adds. His company specifically called out the Kwikset / Weiser Kevo models because they use a touch-to-open feature that relies on passive detection of a nearby Bluetooth fob or smartphone. Because the owner of the lock does not need to interact with the Bluetooth device to confirm that they want to unlock the door, an attacker can relay the key’s Bluetooth credentials from a remote location and open someone’s door even if the homeowner is thousands of miles away.
How it works
This exploit still requires the attacker to have access to the owner’s actual Bluetooth device or key. However, what makes it potentially dangerous is that the real Bluetooth key does not need to be anywhere near the vehicle, lock, or other secured device.
Instead, Bluetooth signals are transmitted between the lock and key via a pair of intermediate Bluetooth devices connected by another method – typically via a regular internet connection. The result is that the lock treats the hacker’s nearby Bluetooth device as if it were the valid key.
As Khan explains, “We can convince a Bluetooth device that we’re close to it – even hundreds of miles away […] even when the vendor has taken defensive mitigations such as encryption and latency to theoretically protect these communications from attackers remotely.”
The attack bypasses the usual relay-attack protections because it operates at a very low level of the Bluetooth stack: it does not matter whether the data is encrypted, and it adds almost no latency to the connection. The target lock has no way of knowing that it is not communicating with the legitimate Bluetooth device.
Because many Bluetooth security keys work passively, a thief would only need to place one device within a few feet of the owner and the other near the target lock. For example, a pair of thieves could work in tandem to follow a Tesla owner away from their vehicle, relaying the Bluetooth signals back to the car so that it could be stolen once the owner was far enough away.
With enough coordination, these attacks could be carried out over vast distances. A London holidaymaker could have their Bluetooth keys relayed to their door locks at home in Los Angeles, allowing a thief to gain access by simply touching the lock.
This also goes beyond cars and smart locks. The researchers note that the technique could be used to unlock laptops that rely on Bluetooth proximity detection, prevent cell phones from locking, bypass access control systems, and even falsify the location of an asset or a medical patient.
NCC Group also adds that this is not a traditional bug that can be fixed with a simple software patch. It’s not even a defect in the Bluetooth specification. Instead, it’s about using the wrong tool for the job. Bluetooth was never designed for proximity authentication – at least not “for use in critical systems such as locking devices,” the company notes.
First, it is essential to remember that this vulnerability is specific to systems that rely exclusively on passive detection of a Bluetooth device.
For example, this exploit cannot realistically be used to bypass security systems that require you to unlock your smartphone, open a specific app, or perform some other action, such as pressing a button on a key fob. In that case there is no Bluetooth signal to relay until you do so – and you will not generally try to unlock your car, door, or laptop when you are not near it.
This is also not usually a problem for applications that take additional steps to confirm your location. For example, the auto-unlock function in the popular August smart lock relies on Bluetooth proximity detection, but the app also checks your GPS location to make sure you are actually arriving home. It will not unlock your door when you are already at home, nor when you are miles away from it.
If your security system allows it, you should enable an extra authentication step that requires you to take some action before the Bluetooth credentials are sent to your lock. For example, Kwikset said that iPhone customers can enable two-factor authentication in their Kevo app, and it plans to add this to its Android app soon. Kwikset’s Kevo app also disables the proximity unlock feature when the user’s phone has been idle for an extended period of time.
Note that unlocking solutions that combine Bluetooth with other protocols are not vulnerable to this attack. A typical example is the Apple feature that allows people to unlock their Mac with their Apple Watch. Although it uses Bluetooth to detect the Apple Watch initially, it measures the actual proximity via Wi-Fi – a mitigation that Apple executives have said was added specifically to prevent Bluetooth relay attacks.
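The mitigations above (require an explicit user action, cross-check location, expire passive unlock after the phone has been idle) are easier to reason about as an unlock policy. The following is an added illustration written for this article, not code from NCC Group, Kwikset, August, or Apple; the request fields, thresholds, and the lock/phone coordinates are assumptions chosen to mirror the London-to-Los-Angeles scenario described earlier. It contrasts a purely passive BLE-proximity policy, which a link-layer relay satisfies because the lock sees a genuine-looking key, with a hardened policy that also demands signals the relay cannot manufacture.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# Assumed lock location (downtown Los Angeles, constructed sample value).
LOCK_LAT, LOCK_LON = 34.05, -118.24
GEOFENCE_METERS = 100.0      # assumed: phone must report a position this close
MAX_IDLE_SECONDS = 15 * 60   # assumed: passive unlock expires after 15 min idle
EARTH_RADIUS_M = 6_371_000.0


@dataclass
class UnlockRequest:
    """What the lock can learn about an unlock attempt (hypothetical fields)."""
    ble_key_present: bool   # lock radio sees a valid key: true for genuine AND relayed
    user_intent: bool       # owner pressed a button / confirmed in the app
    phone_lat: float        # last GPS fix reported by the owner's phone
    phone_lon: float
    phone_idle_seconds: int # time since the phone was last actively used


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


def passive_policy(req):
    """Touch-to-open style: proximity of the BLE key is the only check.
    A link-layer relay makes the key appear present, so this always passes."""
    return req.ble_key_present, []


def hardened_policy(req):
    """Proximity plus intent, geofence and idle expiry. Returns (decision, reasons)."""
    reasons = []
    if not req.ble_key_present:
        reasons.append("no BLE key in range")
    if not req.user_intent:
        reasons.append("no explicit user action")
    dist = haversine_m(req.phone_lat, req.phone_lon, LOCK_LAT, LOCK_LON)
    if dist > GEOFENCE_METERS:
        reasons.append(f"phone reports {dist / 1000:.0f} km from lock")
    if req.phone_idle_seconds > MAX_IDLE_SECONDS:
        reasons.append("phone idle too long for passive unlock")
    return (not reasons), reasons


# Constructed scenario 1: owner physically at the door, just unlocked the phone.
OWNER_AT_DOOR = UnlockRequest(True, True, 34.0502, -118.2401, 20)

# Constructed scenario 2: relayed key; the owner's phone is in London, idle.
RELAYED_FROM_LONDON = UnlockRequest(True, False, 51.51, -0.13, 3600)


def evaluate(req):
    """Run both policies on one request; returns (passive_ok, hardened_ok, reasons)."""
    p_ok, _ = passive_policy(req)
    h_ok, reasons = hardened_policy(req)
    return p_ok, h_ok, reasons


if __name__ == "__main__":
    for name, req in [("owner at door", OWNER_AT_DOOR),
                      ("relayed from London", RELAYED_FROM_LONDON)]:
        p_ok, h_ok, reasons = evaluate(req)
        print(f"{name}: passive={'UNLOCK' if p_ok else 'deny'} "
              f"hardened={'UNLOCK' if h_ok else 'deny'} {reasons}")
```

The relayed request is indistinguishable from the genuine one at the radio layer, which is exactly why `passive_policy` cannot tell them apart; the hardened policy denies it on three independent grounds, any one of which would suffice. Note that the geofence only helps when the lock can obtain the phone's own location claim out of band (as the August app does) rather than inferring it from the relayed Bluetooth link.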