Security researchers from the NCC Group demonstrated a new type of Bluetooth attack that hackers could use to remotely unlock and even operate some Tesla cars.
NCC Group developed a tool with a new type of BLE link-layer relay attack capable of bypassing existing safeguards against Bluetooth attacks.
Bluetooth Low Energy (BLE) is the technology Tesla uses to let you unlock your car with a key fob or an app. Because it only works when you are close to the car, a would-be attacker would normally have to be nearby to intercept the radio signal sent from the fob and send back a corrupted signal. Tesla does have mitigations in place against such attacks, but the researchers still found a weakness.
Using an iPhone 13 mini with an older version of the Tesla app, they placed the phone 25 meters away from a Tesla Model 3. Using two relaying devices between the iPhone and the car, they were able to unlock the Tesla remotely.
The security researchers also replicated their findings using a Tesla Model Y from 2021 and warn that more devices could be hijacked like this.
Among them are the Kwikset and Weiser Kevo smart locks, which use BLE passive entry with their “touch-to-open” features.
“Our research shows that systems that people rely on to guard their cars, homes, and private data are using Bluetooth proximity authentication mechanisms that can be easily broken with cheap off-the-shelf hardware,” said Sultan Qasim Khan, a senior security consultant at NCC Group.
When they went to Tesla with their findings, Tesla responded that this type of attack (a relay attack) is a known limitation of the passive entry system.
You can read the full NCC Group advisory here. According to NCC Group, users who want to avoid this type of attack should rely on Tesla’s PIN to Drive feature.