Using a BLE relay attack, hackers could bypass smart locks like those on the Tesla Model 3 or Model Y.
The Tesla Model Y can be stolen via a BLE relay attack.
Security researchers from the NCC Group have developed a tool that carries out a so-called Bluetooth Low Energy (BLE) relay attack. With this attack, the researchers can bypass all existing protection measures for authentication on target devices such as laptops, smartphones, access control systems or smart locks, including those in the Tesla Model 3 or Tesla Model Y.
Hackers can unlock and start vehicle
Taking Tesla as an example, a hacker could use the relay attack to intercept and manipulate communication between the key fob and the vehicle. The hacker can forward the intercepted signal as if he were standing right next to the vehicle and in possession of the key. In this way, the vehicle could be unlocked and the car started. To protect against such attacks, the industry relies on checks based on precise latency measurements and on connection encryption. But even these can be circumvented.
Attack works on Tesla Model 3 and Model Y
However, at 8 ms, the NCC Group's tool is still below the tolerated latency of 30 ms. The researchers tested the method using an iPhone 13 Mini on a 2020 Tesla Model 3. With the attack, they were able to unlock and start the vehicle. The process could be repeated as often as desired and also worked with a 2021 Tesla Model Y. Tesla was informed of the vulnerability on April 21, 2022. The company responded only by saying “relay attacks are a known limitation of the passive access system.”
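The following sketch is an added example, not code from the NCC Group or Tesla. It models a lock that accepts a key only if the response arrives within a latency bound, and shows why the 30 ms tolerance cannot separate a nearby key from one relayed with 8 ms of extra delay. The 5-25 ms spread of direct response times is a constructed assumption, not measured data.

```python
import random

TOLERATED_MS = 30.0   # latency bound quoted in the article
RELAY_ADDED_MS = 8.0  # latency of the NCC Group tool quoted in the article

def constructed_direct_samples(n=2000, seed=1):
    """Constructed response times (ms) for a key right next to the lock.
    Assumption: a 5-25 ms spread caused by radio scheduling jitter."""
    rng = random.Random(seed)
    return [rng.uniform(5.0, 25.0) for _ in range(n)]

def accept(response_ms, bound_ms):
    """Latency bounding: the verifier only sees total delay, not distance."""
    return response_ms <= bound_ms

def rates(direct, bound_ms, added_ms=RELAY_ADDED_MS):
    """Return (false_reject_rate, relay_accept_rate) for one latency bound."""
    relayed = [s + added_ms for s in direct]  # same traffic, forwarded
    false_reject = sum(not accept(s, bound_ms) for s in direct) / len(direct)
    relay_accept = sum(accept(s, bound_ms) for s in relayed) / len(relayed)
    return false_reject, relay_accept

def sweep(direct, bounds):
    """Evaluate several candidate bounds against the same samples."""
    return {b: rates(direct, b) for b in bounds}

if __name__ == "__main__":
    direct = constructed_direct_samples()
    for bound, (frr, rar) in sweep(direct, [10, 15, 20, 25, TOLERATED_MS]).items():
        print(f"bound {bound:>4} ms: legitimate rejected {frr:6.1%}, "
              f"relayed accepted {rar:6.1%}")
```

Under these assumptions, a bound tight enough to reject every relayed response also rejects most legitimate ones, which is why a second factor such as “PIN to Drive” or a ranging technology such as UWB is the practical mitigation.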
Tesla owners should enable “PIN to Drive”.
The NCC Group's research results apply not only to Tesla vehicles, but also to other smart locks. Relay attacks are a known problem, and device manufacturers warn against using proximity-based authentication for valuable assets. The only option for users is to deactivate the method and rely on an alternative authentication method. Tesla owners are advised to enable “PIN to Drive”. Attackers can still unlock the vehicle, but cannot drive away with it. Another solution for manufacturers would be to use a different distance-dependent technology instead of Bluetooth, such as UWB radio technology.