Tesla cars, smart locks prone to Bluetooth vulnerability hack, report says

Unlocking a BMW 3 series vehicle using a smartphone. | Photo Credit: Special Arrangement

Hackers can exploit a new Bluetooth Low Energy (BLE) vulnerability to unlock digital locks in cars and other smart devices. Vehicles such as Teslas that use Bluetooth-based proximity authentication systems are vulnerable to such hacks, according to cybersecurity firm NCC Group.

The U.K.-based company performed a relay attack on a 2020 Tesla Model 3, which uses a BLE-based entry system, to unlock and drive the vehicle. The attack tool can be used for any device communicating over BLE, and is not specific to Tesla vehicles, it noted.

“Systems that people rely on to guard their cars, homes and private data are using Bluetooth proximity authentication mechanisms that can be easily broken with cheap off-the-shelf hardware — in effect, a car can be hacked from the other side of the world,” NCC Group said in a statement.

Several vehicle manufacturers, including Tesla, use the Bluetooth-based system, which automatically unlocks a vehicle when a person with an authorised mobile device or key fob comes close to it.

In its testing, the cybersecurity firm placed two relay devices: one seven metres from an iPhone 13 mini with the Tesla app, and the other three metres from the Tesla vehicle. The attack tool was deployed while the iPhone was outside the Bluetooth range of the vehicle, it explained.

In addition to the Tesla car, the firm conducted an attack on Kevo smart locks, which are used in residential locking systems.

“This is not a traditional bug that can be fixed with a simple software patch, nor an error in the Bluetooth specification,” the U.K.-based company said. “This research illustrates the danger of using technologies for reasons other than their intended purpose, especially when security issues are involved,” it added, referring to BLE-based authentication, which “was not originally designed for use in critical systems such as locking mechanisms.”

Printable version | May 23, 2022 5:16:49 pm |