A novel Bluetooth relay attack can let cybercriminals more easily than ever remotely unlock and operate cars, break open residential smart locks, and breach secure areas.
The vulnerability has to do with weaknesses in the current implementation of Bluetooth Low Energy (BLE), a wireless technology used for authenticating Bluetooth devices that are physically located within a close range.
Note: Take up an Ethical hacking Course in Delhi India from Cryptus Cyber Security.
“An attacker can falsely indicate the proximity of Bluetooth LE (BLE) devices to one another through the use of a relay attack,” U.K.-based cybersecurity company NCC Group said. “This may enable unauthorized access to devices in BLE-based proximity authentication systems.”
Relay attacks, also called two-thief attacks, are a variation of person-in-the-middle attacks in which an adversary intercepts communication between two parties, one of whom is also an attacker, and then relays it to the target device without any manipulation.
While various mitigations have been implemented to prevent relay attacks, including imposing response time limits during data exchange between any two devices communicating over BLE and triangulation-based localization techniques, the new relay attack can bypass these measures.
“This approach can circumvent the existing relay attack mitigations of latency bounding or link layer encryption, and bypass localization defenses commonly used against relay attacks that use signal amplification,” the company said.
To mitigate such link layer relay attacks, the researchers recommend requiring additional checks beyond just inferred proximity to authenticate key fobs and other items.
This could range from modifying apps to force user interaction on a mobile device to authorize unlocks and disabling the feature when a user’s device has been stationary for over a minute based on accelerometer readings.
After being alerted to the findings on April 4, 2022, the Bluetooth Special Interest Group (SIG) acknowledged that relay attacks are a known risk and that the standards body is currently working on “more accurate ranging mechanisms.”
Bluetooth hack compromises Teslas, digital locks, and more
A group of security researchers has found a way to circumvent digital locks and other security systems that rely on the proximity of a Bluetooth fob or smartphone for authentication.
Using what’s known as a “link layer relay attack,” security consulting firm NCC Group was able to unlock, start, and drive vehicles and unlock and open certain residential smart locks without the Bluetooth-based key anywhere in the vicinity.
Sultan Qasim Khan, the principal security consultant and researcher with NCC Group, demonstrated the attack on a Tesla Model 3, although he notes that the problem isn’t specific to Tesla. Any vehicle that uses Bluetooth Low Energy (BLE) for its keyless entry system would be vulnerable to this attack.
Many smart locks are also vulnerable, Khan adds. His firm specifically called out the Kwikset/Weiser Kevo models since these use a touch-to-open feature that relies on passive detection of a Bluetooth fob or smartphone nearby. Since the lock’s owner doesn’t need to interact with the Bluetooth device to confirm they want to unlock the door, a hacker can relay the key’s Bluetooth credentials from a remote location and open someone’s door even if the homeowner is thousands of miles away.