A researcher with NCC Group, one of the world’s largest security consulting firms, with 14,000 clients, has discovered a world-first hack on Bluetooth technology that lets cybercriminals more easily than ever break into and steal smart cars (including Teslas); unlock people’s houses; and breach corporate buildings and secure areas.
Perhaps worse, the hack would let attackers enter our personal digital domains via our laptops and phones and sift through our work, invade our communications, access every photo and video taken, and learn about the places we frequent.
The consequences are enormous, and could affect millions.
Systems that millions rely on daily to guard their cars, homes, and private data are using Bluetooth proximity authentication mechanisms that can be easily broken with cheap off-the-shelf hardware.
Principal Security Consultant and Researcher Sultan Qasim Khan has conducted the world’s first link layer relay attack on Bluetooth Low Energy (BLE) – the proximity authentication used to unlock these devices.
Any product that relies on trusted BLE authentication is vulnerable to attacks even from the other side of the world—a perfect illustration of the benefits and threats of a connected universe.
The proof-of-concept works at the link layer (the lowest layer in the internet protocol suite). It’s powerful not only because it convinces a Bluetooth device that the rightful owner is near it, even from hundreds of miles away, but because the attack is possible even when a product vendor has taken defensive measures, such as encryption and latency bounding, that are meant to protect Bluetooth communications from attackers at a distance.
An attack can happen in as little as 10 seconds, once criminals have put in the work on the back end. And the potential attack surface is vast. It encompasses:
Cars with keyless entry – someone can unlock, start and drive a vehicle, including Tesla Models 3 and Y (over 2 million of which have been sold)
Laptops with a Bluetooth proximity unlock feature enabled – attackers could unlock the device
Mobile phones – someone could prevent the phone from locking
Residential smart locks, including Kwikset/Weiser smart locks – an attacker could unlock and open the door
Building access control systems – criminals can unlock and open doors while also impersonating someone else (whose phone or fob is being relayed)
Asset tracking and medical patient tracking – someone could spoof the location of the asset or patient
And it’s not a traditional bug or error that can be fixed with a simple software patch.
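To make the argument above concrete, here is a toy model (an added example written for this page, not NCC Group’s proof of concept or any vendor’s code) of a lock that combines challenge-response authentication with a round-trip latency bound; the connection interval and relay delay figures are assumed for illustration. The relay forwards the encrypted frames unchanged, so the cryptography holds, and the only thing the lock can observe is a small added delay that hides inside normal BLE connection-interval jitter.

```python
import hmac, hashlib, os

# Assumed, illustrative timing figures (not measurements from the advisory):
INTERVAL_MS = 30.0   # BLE connection interval; the spec permits 7.5 ms to 4 s
RELAY_HOP_MS = 8.0   # extra delay a link-layer relay adds in each direction


class Fob:
    """The legitimate key: the only party that holds the shared secret."""
    def __init__(self, key: bytes):
        self._key = key

    def answer(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Relay:
    """Link-layer relay: forwards frames byte-for-byte to the real fob and back.
    It never holds the key, so the payload authentication stays intact."""
    def __init__(self, far_end: Fob):
        self._far_end = far_end

    def answer(self, challenge: bytes) -> bytes:
        return self._far_end.answer(challenge)


def lock_decides(key: bytes, peer, rtt_ms: float, max_rtt_ms: float) -> bool:
    """Lock side: fresh challenge, keyed response check, then a latency bound."""
    challenge = os.urandom(16)
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    crypto_ok = hmac.compare_digest(peer.answer(challenge), expected)
    return crypto_ok and rtt_ms <= max_rtt_ms


def acceptance_rates(max_rtt_ms: float, interval=INTERVAL_MS, hop=RELAY_HOP_MS):
    """Each direction waits 0..interval ms for the next connection event, so a
    legitimate round trip lands anywhere in [0, 2*interval] and a relayed one in
    [2*hop, 2*interval + 2*hop]. Returns (legit share, relayed share) accepted."""
    spread = 2 * interval
    def share(lo):
        return max(0.0, min(1.0, (max_rtt_ms - lo) / spread))
    return share(0.0), share(2 * hop)


def demo():
    key = b"\x42" * 16          # constructed shared secret for the toy model
    fob = Fob(key)
    relay = Relay(fob)          # the victim's real fob sits at the far end
    bound = 2 * INTERVAL_MS     # the slowest legitimate round trip must still pass
    direct = lock_decides(key, fob, 10.0, bound)
    relayed = lock_decides(key, relay, 10.0 + 2 * RELAY_HOP_MS, bound)
    return direct, relayed, acceptance_rates(bound)
```

With a bound loose enough to accept every legitimate attempt, about three quarters of relayed attempts also pass in this model; a bound tight enough to reject the relay outright (below 2*RELAY_HOP_MS) would turn away three quarters of genuine users, which is why the latency bound alone cannot close the gap.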
NCC Group has published technical advisories about the issues here:
Bluetooth Low Energy: https://research.nccgroup.com/2022/05/15/technical-advisory-ble-proximity-authentication-vulnerable-to-relay-attacks/
Kwikset/Weiser smart locks: https://research.nccgroup.com/2022/05/15/technical-advisory-kwikset-weiser-ble-proximity-authentication-in-kevo-smart-locks-vulnerable-to-relay-attacks/