Security researchers at the NCC Group have managed to hijack the Bluetooth Low Energy (LE) technology that many connected locks, whether installed on your door or in your car, use to unlock them remotely. This attack has been tested on Tesla-designed cars as well as Kevo-branded smart locks, but should work on all devices based on the same technology.
This is not a security breach in the sense that NCC Group failed to jailbreak and did not report any vulnerability in the consortium that manages Bluetooth standards. Their approach is a relay attack, where two “attackers” are required: the first connects to a computer with a smartphone that is configured to unlock or unlock the car and remains within bluetooth range. The second is placed near the lock or the car to be unlocked with another computer connected to the previous computer via the Internet.
Thus, the two computers form the bridge between the authorized smartphone and the device to be unlocked, so the vehicle or the connected lock can be opened without the knowledge of the owner. In the video released by the NCC group, the car is not only unlocked, but also turned on while the smartphone with the key is not nearby, it is a laptop that replaces it. As long as the legitimate smartphone is within range of the other computer and as long as the connection between the two computers is maintained, the car will only see fire.
An attack that requires two actors is necessarily less dangerous than a security breach in the strict sense of the word, as it is probably a targeted attack. Teslas are not all threatened to be opened by anyone, each owner’s smartphone must be targeted and constantly connected to a device that connects to another device carried by the thug. However, one could imagine a scenario where a standalone device connects to smartphones in a supermarket and someone can test cars in the adjacent parking lot, for example.
Security researchers note that Bluetooth LE was not designed for this safe use and that typically applied security measures, particularly regarding connection latency, were all circumvented by a proof-of-concept. However, they offer many solutions to reduce risks. The first is geolocation of the smartphone to ensure that it is physically close to the device that needs to be unlocked. This is what Nuki has chosen for connected locks, for example, the Bluetooth connection is activated only if the smartphone is located near the house.
Nuki Smart Lock tested, a HomeKit-connected lock
This idea does not work well, however, for a car that can be parked in an underground car park, without network access and without GPS coverage. Then the study authors suggest two other methods: asking for confirmation on the smartphone, via the biometric sensor, entering a code on the screen, or checking if the smartphone is in motion mode. The first is, of course, the safest, but it will come at the expense of everyday comfort. Let’s take the example of a Tesla, you can unlock the car while keeping the smartphone in your pocket and it would be impractical to have to take it out every time.
Exploiting the accelerometer found in all smartphones is a good idea, even if one can imagine that it can also be hacked. The lock can only be unlocked if the phone is mobile, which in theory is almost always the case if you approach a car or front door, and it is automatically deactivated after a period of inactivity. This is also what Kevo does, but only on iPhones and not Android terminals at the moment: the connected lock is unlocked as soon as the smartphone remains idle for thirty seconds.
The researchers used Tesla and Kevo as an example, but state that this attack is not limited to these two companies. It is related to the operation of Bluetooth LE and is related to thousands of devices in circulation. Even if measures can be considered to reduce risks, this wireless standard may not be the best choice for this type of use. Perhaps this is why Apple chose NFC and the U1 chip for the functionality of the home key and car key built into iOS.