Critical vulnerability in Bluetooth Low Energy (BLE) allows easily hacking Tesla cars, smart locks and millions of devices that use this Bluetooth technology

Specialists from the security firm NCC Group developed a tool capable of deploying relay attacks against Bluetooth Low Energy (BLE), which would allow bypassing any existing protection in the target system, authenticating without any problem. This technology is used in all kinds of products, including smartphones, laptops, access control systems, and even in Tesla Model 3 and Model Y cars.

In relay attacks, threat actors begin by intercepting and manipulating communications between two parties, such as a keyless car and the device that opens its doors. Attackers must place themselves in the middle of both ends of communication, transmitting a malicious signal to impersonate the legitimate user.

Technology devices that use BLE for authentication have security measures against relay attacks by default, most based on latency and link-layer encryption. The tool developed by the researchers operates at the link layer and has a latency of 8ms, within the Generic Attribute Profile (GATT) response range.

Thanks to its features, the tool can forward encrypted link layer PDUs, in addition to detecting encrypted changes in connection parameters to continue relaying connections through parameter changes. That is why BLE protections do not work against this attack.

Experts at NCC Group mention that it takes around 10 seconds to complete an attack on any of the affected systems, including Tesla Model 3 and Model Y cars, as they use a BLE-based input system.

While the technical details behind this new attack have not been released, researchers reported testing this tool on a 2020 Tesla Model 3, via an iPhone 13 mini with version 4.6.1-891 of the Tesla app. The attack was also successfully replicated in a Tesla Model Y 2021 model, as they employ similar technologies.

The researchers mention that it is complicated to implement solutions for this security problem due to the features of BLE. In addition, even if industry members responded immediately and in a coordinated manner, updates could take months to arrive for all affected users.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.