New Bluetooth attack can remotely unlock Tesla vehicles and smart locks

Security researchers have demonstrated a new Bluetooth relay attack that can remotely unlock and operate some Tesla vehicles.

The vulnerability lies in Bluetooth Low Energy (BLE), the technology used by Tesla’s entry system that allows drivers with the app or key fob to unlock and operate their car from nearby. Most devices and vehicles that rely on this kind of proximity-based authentication are designed to protect against a range of relay attacks, which typically work by capturing the radio signal used for unlocking a vehicle, for example, and replaying it again as if it were an authentic request, by using encryption and introducing checks that can make relay attacks more difficult.

But researchers at U.K.-based NCC Group say they have developed a tool for conducting a new type of BLE link-layer relay attack that bypasses existing mitigations, theoretically enabling attackers to remotely unlock and operate vehicles.

Sultan Qasim Khan, a senior security consultant at NCC Group, said in a blog post that it tested the attack against a 2020 Tesla Model 3 using an iPhone 13 mini running a recent but older version of the Tesla app. The iPhone was placed 25 meters away from the vehicle, according to the researchers, with two relaying devices between the iPhone and the car. Using the tool, the researchers were able to unlock the vehicle remotely. The experiment was also replicated successfully on a 2021 Tesla Model Y, which also uses “phone-as-a-key” technology.

While the attack was demonstrated against Tesla vehicles, Khan notes that any vehicle that uses BLE for its keyless entry system could be vulnerable to this attack. In a separate advisory, NCC Group warns that the attack could also be used against the Kwikset and Weiser Kevo line of smart locks, which support BLE passive entry through their “touch-to-open” functionality.

In a video shared with TechCrunch, Khan can be seen walking up to the Tesla Model Y holding a laptop with a relay device attached, allowing him to wirelessly unlock the car and open the door.

“Our research shows that systems that people rely on to guard their cars, homes, and private data are using Bluetooth proximity authentication mechanisms that can be easily broken with cheap off-the-shelf hardware,” said Khan.

The researchers disclosed their findings to Tesla and the Bluetooth Special Interest Group (SIG), an industry group that oversees the development of the Bluetooth standard, which acknowledged the issue but said that relay attacks were a known problem with Bluetooth. Tesla officials also said that relay attacks were a known limitation of the passive entry system. Tesla did not respond to TechCrunch’s request for comment. (Tesla scrapped its public relations team in 2020.)

“NCC Group recommends that the SIG proactively advise its members developing proximity authentication systems about the risks of BLE relay attacks,” Khan added. “Moreover, documentation should make clear that relay attacks are practical and must be included in threat models, and that neither link-layer encryption nor expectations of normal response timing are defenses against relay attacks.”

The researchers encourage Tesla owners to use the PIN to Drive feature, which requires a four-digit pin to be entered before the vehicle can be driven, and to disable the passive entry system in the mobile app.

Tesla is no stranger to security flaws. Earlier this year, a 19-year-old security researcher said he was able to remotely access dozens of Teslas around the world because security bugs found in an open source logging tool popular with Tesla owners exposed their cars directly to the internet.