Relay Attacks Unlock Cars - Threatwire

I love car hacks. They are so fun and play off of one of my favorite hacking techniques - RF or radio frequency hacking. In this case, we have a new Bluetooth hack, which targets vehicles that use Bluetooth proximity to unlock. As an example, to unlock a Tesla, your phone and the car speak to each other via Bluetooth to determine their proximity to each other and as you move closer, it’s supposed to unlock. Your phone isn’t supposed to transmit your key over Bluetooth unless it’s within range of the car.

Researchers at the security firm NCC Group found a way to unlock a Tesla and many other vehicles and devices without being in local proximity, using a relay attack. Relay attacks in themselves aren’t new, but this implementation is. The relay attack requires two attackers: one close to the car and one close to the phone, while the phone and car are far away from each other. The two attackers communicate with each other over an internet connection. The first attacker impersonates the phone and sends signals to the car, which prompts the car to send back an authentication request. That request is captured, sent to the second attacker, and forwarded to the phone, which in turn responds with the key. The response is sent back to attacker 1, who can unlock the car with it. This could also be done with a drop device hidden near the phone that listens for the authentication info.

Again, relay attacks aren’t new, and manufacturers have set up mitigation techniques to protect against these attacks, but NCC Group built upon this by attacking on a different layer of the protocol. Instead of focusing on the Generic Attribute Profile layer, they went to the link layer, which is the lowest level of the Bluetooth stack and is used for storage of the encrypted credentials.

The attack uses BLE, or Bluetooth Low Energy, to unlock the vehicle doors, operate the vehicle, and also gain access to laptops and other BLE-enabled devices. It’s confirmed to work against the Model 3 and Model Y along with Kwikset Kevo and Weiser smart locks.

There’s no CVE for this flaw since it has to do with the Bluetooth Low Energy implementation, but brands and manufacturers could mitigate it by adding an authentication technique on top of supposed proximity alone. They could require user input, or the phone’s accelerometer could be used to ascertain movement.
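As an added illustration (not code from NCC Group, Tesla or Threatwire), here is a toy Python model of the challenge/response exchange described above: the relay forwards the car’s challenge and the phone’s answer unchanged, so the cryptography alone cannot detect it, while the accelerometer gate suggested in the paragraph makes a stationary phone stay silent. The shared HMAC key and the `recent_motion` flag are constructed stand-ins for the real credential and sensor.

```python
import hashlib
import hmac
import os

SHARED_KEY = b"constructed-demo-key-do-not-use"  # constructed demo secret, not a real key


class Car:
    """Issues a random challenge and accepts an HMAC over it as proof of the key."""

    def __init__(self, key: bytes):
        self.key = key
        self.nonce = None

    def challenge(self) -> bytes:
        self.nonce = os.urandom(16)
        return self.nonce

    def verify(self, tag: bytes) -> bool:
        expected = hmac.new(self.key, self.nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


class Phone:
    """Answers challenges; optionally only when the accelerometer saw recent movement."""

    def __init__(self, key: bytes, motion_gate: bool = False):
        self.key = key
        self.motion_gate = motion_gate
        self.recent_motion = False  # hypothetical accelerometer flag (constructed)

    def respond(self, nonce: bytes):
        if self.motion_gate and not self.recent_motion:
            return None  # phone lying still on a desk: refuse to answer
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


def relay_unlock(car: Car, phone: Phone) -> bool:
    """Model of the relay: attacker 1 (near the car) forwards the challenge to
    attacker 2 (near the phone), who returns the phone's answer. Both messages
    are carried unchanged, so a correct HMAC still verifies at the car."""
    nonce = car.challenge()            # car answers attacker 1's phone impersonation
    tag = phone.respond(bytes(nonce))  # attacker 2 replays the challenge to the phone
    return tag is not None and car.verify(tag)  # attacker 1 presents the answer


if __name__ == "__main__":
    print("no gate, phone far away:", relay_unlock(Car(SHARED_KEY), Phone(SHARED_KEY)))
    print("motion gate, phone still:", relay_unlock(Car(SHARED_KEY), Phone(SHARED_KEY, motion_gate=True)))
```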

While the Bluetooth Special Interest Group did acknowledge the relay attacks, they believe it’s a small risk, though more accurate ranging mechanisms are being worked on. Users could disable the feature altogether or switch to alternative methods of authentication.

LINKS:

https://arstechnica.com/information-technology/2022/05/new-bluetooth-hack-can-unlock-your-tesla-and-all-kinds-of-other-devices/

https://newsroom.nccgroup.com/news/ncc-group-uncovers-bluetooth-low-energy-ble-vulnerability-that-puts-millions-of-cars-mobile-devices-and-locking-systems-at-risk-447952

https://thehackernews.com/2022/05/new-bluetooth-hack-could-let-attackers.html

https://www.bleepingcomputer.com/news/security/hackers-can-steal-your-tesla-model-3-y-using-new-bluetooth-attack/
