‘Incompetent’ Tesla Lets Hackers Steal Cars — via Bluetooth

The Tesla Model 3 can be unlocked and stolen via a simple relay attack. The Model Y is probably vulnerable, too.

Using Bluetooth Low Energy (BLE) for proximity checks is known to be a dumb move. And the Bluetooth SIG warns not to do it. Yet that’s exactly what Tesla engineers did. When researchers reported the vulnerability, Tesla just shrugged and said it’s “a known limitation.”

Elon Musk (pictured) needs to abuse some more engineers. In today’s SB Blogwatch, we enable the PIN feature.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Jackson 5 vs. ABBA.

Elon Needs Another Dead Cat

What’s the craic? Bill Toulas reports—“Hackers can steal your Tesla … using new Bluetooth attack”:

Specification warns device makers
Security researchers … developed a tool to carry out a … BLE relay attack that bypasses all existing protections. … BLE technology is used in a wide spectrum of products, [including the] Tesla Model 3 and Model Y.

It takes about ten seconds to run the attack and it can be repeated endlessly. [It] could be used to unlock and start the cars. … Tesla owners are encouraged to use the ‘PIN to Drive’ feature.

Tesla … responded by saying “that relay attacks are a known limitation of the passive entry system.” [But] the Bluetooth Core Specification warns device makers about relay attacks and notes that proximity-based authentication shouldn’t be used for valuable assets.

And Tim Levin adds—“Security company says Teslas can be unlocked and driven using a simple, inexpensive hack”:

Far outside of BLE range
One convenient part of owning a Tesla is that owners can download the automaker’s app to use their phone as a car key. It’s a neat benefit that leaves some Teslas exposed to cyberattacks. … UK-based NCC Group says it found security flaws in … the technology.

NCC Group was able to unlock and operate the Tesla even when the authorized iPhone was far outside of BLE range. [It] said millions of vehicles, residential smart locks, laptops, and other devices that use BLE for proximity authentication are vulnerable to attack.

Who is responsible for finding this vuln? NCC’s Sultan Qasim Khan—“Technical Advisory”:

Disable passive entry
[Tesla’s] passive entry system … infers proximity of the mobile device or key fob based on signal strength (RSSI) and latency measurements of cryptographic challenge-response operations conducted over BLE. … As the latency added by this relay attack is within the bounds accepted by the Model 3 (and likely Model Y) passive entry system, it can be used to unlock and drive these vehicles. … This latency margin should be sufficient for conducting long-distance relay attacks over the internet.

Users should be … encouraged to use the PIN to Drive feature. Consider also providing users with an option to disable passive entry. … Consider also having the mobile application report the mobile device’s last known location during the authentication process with the vehicle, so that the vehicle can detect and reject long distance relay attacks.

Will that be enough? Phil O’Sophical suggests another option:

My new car came with keyless entry. … I never use it.

Its one saving grace is that the key is only active for a few seconds after it’s been moved. If left sitting on a table it becomes quiescent. That way it works when you’re carrying it to the car, but can’t be used for an unattended relay, which is quite a neat solution.
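The two mitigations quoted above (the phone reporting its last known location, and a key that goes quiet when it stops moving) can be modelled as vehicle-side checks layered on the latency bound. This is an added example, not code from Tesla, NCC Group or the commenter; the thresholds, field names and sample coordinates are constructed assumptions.

```python
import hashlib, hmac, math, struct
from dataclasses import dataclass

# Every threshold here is an illustrative assumption, not a value from Tesla or NCC Group.
MAX_RTT_MS = 80.0       # accepted challenge-response round trip
MAX_DISTANCE_M = 30.0   # phone's reported position must be this close to the car
MAX_IDLE_S = 5.0        # key must have sensed motion this recently

@dataclass
class Attempt:
    lat: float       # phone's last known position
    lon: float
    idle_s: float    # seconds since the key last sensed motion
    rtt_ms: float    # round trip measured by the vehicle
    tag: bytes = b""

def sign(key, challenge, a):
    # Position and idle time sit under the MAC, so a relay cannot rewrite them.
    msg = challenge + struct.pack(">ddd", a.lat, a.lon, a.idle_s)
    return hmac.new(key, msg, hashlib.sha256).digest()

def distance_m(lat1, lon1, lat2, lon2):
    # Haversine great-circle distance in metres.
    p1, p2 = math.radians(lat1), math.radians(lat2)
    h = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371000 * math.asin(math.sqrt(h))

def decide(key, challenge, car, a, hardened):
    if not hmac.compare_digest(sign(key, challenge, a), a.tag):
        return "reject: bad response"
    if a.rtt_ms > MAX_RTT_MS:
        return "reject: latency"
    if hardened and distance_m(car[0], car[1], a.lat, a.lon) > MAX_DISTANCE_M:
        return "reject: location"
    if hardened and a.idle_s > MAX_IDLE_S:
        return "reject: key idle"
    return "unlock"

def demo():
    # Constructed sample data: key, challenge, car position and three attempts.
    key, challenge, car = b"k" * 32, b"c" * 16, (51.5000, -0.1200)
    cases = {
        "owner at the door": Attempt(51.50005, -0.1200, 1.0, 12.0),
        "relayed, phone ~5 km away": Attempt(51.5450, -0.1200, 2.0, 40.0),
        "relayed, key idle indoors": Attempt(51.50010, -0.1200, 3600.0, 40.0),
    }
    out = {}
    for name, a in cases.items():
        a.tag = sign(key, challenge, a)  # genuine response; a relay forwards it unchanged
        out[name] = (decide(key, challenge, car, a, False), decide(key, challenge, car, a, True))
    return out
```

`demo()` returns a pair per case: the decision from the latency-only check, then the decision with both extra checks enabled. Both relayed cases pass the first and fail the second.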

How does something like this happen? bradley13 knows:

Incompetent or under-supervised engineers not thinking about security. Relay … attacks are old hat. … The only thing special about this one is that they have two parties communicating over a large distance.

The first question any EE should ask themselves, when designing an access system, is how to avoid these very well known vulnerabilities. … This is the same level of idiocy as creating a fancy new website that is vulnerable to SQL injection. Anyone who does that is either incompetent, or a graduate of some code-camp that never taught the basics.

Oh, so wireless keys are a bad idea in general? A slightly sarcastic Riddler876 is a part of this, too:

In other news, water is wet.

The security issues are well documented. … Putting a key in the door or pushing a button is hardly an inconvenience. What are the proposed mitigations? Push a button! In fact make it a PIN and press several!

Oh look, we’re back to exactly where we started.

Not good enough, says sreynolds:

You’re asking a bit much from your average Tesla user. … They expect to walk into a car while watching videos and to continue to be driven while watching video … whilst either mowing down cyclists or being driven to their death.

Pressing a button is beyond most Tesla users’ capabilities.

Isn’t this just another proof that Bluetooth sucks? Coppercloud rains on your parade: [You’re fired—Ed.]

While Bluetooth does suck, this isn’t the problem here. The problem is wireless proximity checking with no user interaction. This is and will always be vulnerable to attacks at layer 1 that you cannot protect against.

Bluetooth is doing its job fine here. It’s just … being used for something it wasn’t designed for. [And] if some knucklehead says, “Oh yeah, that didn’t work, let’s use something better than Bluetooth,” they’re missing the point.

Meanwhile, Paul McNamara—@M_PaulMcNamara—rolls his eyes:

I just never hear anything good about these cars.

And Finally:

Ask your parents



You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: DonkeyHotey (cc:by; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
