Security researchers at the UK-based NCC Group have demonstrated a new Bluetooth relay attack that can be used to remotely unlock and control selected Tesla cars, bypassing all existing authentication measures.
The weakness lies in Bluetooth Low Energy (BLE) technology, which is now used in a wide range of products, including smartphones, laptops, smart locks, building access control systems, and cars such as the Tesla Model 3 and Model Y.
Tesla uses the technology to let users unlock and control their car remotely using an app or key fob.
“We conducted the world’s first link layer relay attack on Bluetooth Low Energy (BLE), the standard protocol used to share data between devices, which has been adopted by proximity companies to unlock millions of vehicles, smart home locks, commercial building access control systems, smartphones, smart watches, laptops and more,” the researchers wrote in an online publication.
While the researchers have yet to publish the technical details of their new BLE relay attack tool, they say they tested the method on a 2020 Tesla Model 3 using an iPhone 13 mini running version 4.6.1-891 of the Tesla app.
During the experiment, researchers were able to send communication from the iPhone to the car via two relay devices, one seven meters from the iPhone and the other three meters from the car.
The researchers used these “transmitters” to make the car believe that the owner’s device (the iPhone) was close, when in fact it was 25 meters away.
The experiment was successfully replicated on a 2021 Tesla Model Y.
Tesla was notified of these results on April 21. About a week later, the company responded by saying that “relay attacks are a certain limitation of the passive entry system.”
Spectrum Brands, the parent company of Kwikset (maker of the Kevo line of smart locks), was also notified by the researchers.
NCC Group published its findings in three separate advisories: one for BLE in general, one for Tesla vehicles, and one for Kwikset / Weiser smart locks.
Each advisory describes in detail the problem on the affected devices and how it affects a wider range of products from other manufacturers.
According to NCC Group, the vulnerability is not a traditional bug that can be fixed with a software patch.
The group added that BLE-based authentication was not intended for use in locking mechanisms.
“This study illustrates the dangers of using technology for reasons other than its intended purpose, especially when security issues are involved,” the researchers said.
They recommend that Tesla owners disable the passive entry mechanism in the mobile app and use the “Driving PIN” feature, which requires a four-digit PIN to be entered before the car can be driven.
Tesla has a history of security vulnerabilities.
Earlier this year, a 19-year-old security researcher claimed to have discovered a security flaw in third-party software provided for Tesla vehicles that could allow hackers to take control of some of the vehicle’s functionality from the outside.
The researcher said he was able to remotely access some features of more than 25 Tesla cars in 13 countries, using the flaw without the owners’ knowledge.
In 2020, other researchers claimed to have identified a number of security vulnerabilities in the Tesla firmware update mechanism after reverse engineering the display and instrument cluster of the Tesla Model 3.
https://www.computing.co.uk/news/4049939/tesla-cars-unlocked-inexpensive-bluetooth-devices-researchers-warn