Artificial Intelligence | News | Insights | AiThority

NCC Group Conducts World’s First Link-layer Relay Attack on Bluetooth Low Energy, Exposes Vulnerabilities in Proximity-Based Mechanisms

Millions of Cars, Mobile Devices, Locking Systems at Risk

Global cyber security expert NCC Group announced it has conducted the world’s first link-layer relay attack on Bluetooth Low Energy (BLE), the standard protocol for sharing data between devices that companies have adopted for proximity authentication to unlock millions of vehicles, residential smart locks, commercial building access control systems, smartphones, smart watches, laptops and more. This proves that any product relying on a trusted BLE connection is vulnerable to attack, even from the other side of the world. By forwarding data from the baseband at the link layer, the attack gets past known relay-attack protections, including encrypted BLE communications, because it operates below the upper layers of the Bluetooth stack and never needs to decrypt the traffic. In effect, the systems people rely on to guard their cars, homes and private data are using Bluetooth proximity authentication mechanisms that can be broken easily with cheap off-the-shelf hardware.

NCC Group Principal Security Consultant and Researcher Sultan Qasim Khan, who conducted this research, can demonstrate as a proof of concept that a link-layer relay attack conclusively defeats existing applications of BLE-based proximity authentication.

This means that products relying on the proximity of a trusted BLE device to authenticate can now be unlocked by an attacker relaying commands from anywhere: in effect, a car can be hacked from the other side of the world, a vivid demonstration of both the benefits and the threats of a connected universe.


Since the technology is so common, the potential attack surface is vast. It includes:

  • Cars with automotive keyless entry – an attacker can unlock, start and drive a vehicle. NCC Group has confirmed and disclosed a successful exploit of this for Tesla Models 3 and Y (over 2 million of which have been sold)
  • Laptops with a Bluetooth proximity unlock feature enabled – this attack allows someone to unlock the device
  • Mobile phones – a criminal could prevent the phone from locking
  • Residential smart locks – an attacker could unlock and open the door without mechanically picking or cutting the lock. NCC Group has conducted a successful exploit on Kwikset/Weiser Kevo smart locks, which has been disclosed to the vendor
  • Building access control systems – allowing an attacker to unlock and open doors while also impersonating someone else (whose phone or fob is being relayed)
  • Asset and medical patient tracking – someone could spoof the location of an asset or patient

The discovery proves that very popular products are currently using insecure BLE proximity authentication in critical applications. Meanwhile, current versions of the BLE specification don’t provide suitable means for secure ranging, and BLE link layer encryption and GATT response time limits also don’t prevent relay attacks.

NCC Group warns that this is not a traditional bug that can be fixed with a simple software patch, nor an error in the Bluetooth specification. Rather, this research illustrates the danger of using technologies for purposes other than the ones they were designed for, especially when security is at stake: BLE-based proximity authentication was never designed for use in critical systems such as locking mechanisms.



“What makes this powerful is not only that we can convince a Bluetooth device that we are near it—even from hundreds of miles away—but that we can do it even when the vendor has taken defensive mitigations like encryption and latency bounding to theoretically protect these communications from attackers at a distance,” said Sultan Qasim Khan. “All it takes is 10 seconds—and these exploits can be repeated endlessly.

“This research circumvents typical countermeasures against remote adversarial vehicle unlocking, and changes the way engineers and consumers alike need to think about the security of Bluetooth Low Energy communications,” he added. “It’s not a good idea to trade security for convenience—we need better safeguards against such attacks.

“This research offers more evidence that risks in the digital world are increasingly becoming risks in the physical world as well. As more and more of the environment becomes connected, the potential keeps growing for more attackers to penetrate cars, homes, businesses, schools, utility grids, hospitals, and more,” Khan said.

There are steps that can and should be taken to guard against these attacks:

  • Manufacturers can reduce risk by disabling proximity key functionality when the user’s phone or key fob has been stationary for a while (based on the accelerometer)
  • System makers should give customers the option of providing a second factor for authentication, or user presence attestation (e.g., tap an unlock button in an app on the phone)
  • Users of affected products should disable passive unlock functionality that does not require explicit user approval, or disable Bluetooth on mobile devices when it’s not needed
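The three mitigations above describe one unlock policy: a BLE authentication proves only that the key device is reachable, so the lock should additionally demand evidence a relay cannot supply from a distance, such as recent motion reported by the key device's accelerometer or an explicit tap in the app. The following is an added illustration of such a policy written for this article; it is not NCC Group's or any vendor's code, and the event names, the two thresholds and the `UnlockPolicy` API are assumptions made for the example.

```python
"""Proximity-unlock policy applying the mitigations listed above.

Added illustration; not NCC Group's or any vendor's code. The event names,
the thresholds and the UnlockPolicy API are assumptions for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed tuning values; a real product would choose its own.
STATIONARY_TIMEOUT_S = 120.0  # passive unlock stops after this long without motion
PRESENCE_WINDOW_S = 15.0      # an explicit tap in the app is honoured for this long


@dataclass
class Decision:
    unlock: bool
    reason: str


class UnlockPolicy:
    """Decides whether a BLE-authenticated unlock request should be honoured.

    A successful BLE authentication only proves the key device is reachable,
    not that it is nearby: a link-layer relay makes the two indistinguishable
    to the lock. The policy therefore also demands evidence that only the
    owner's surroundings can produce: recent movement from the key device's
    own accelerometer, or an explicit user action on the device.
    """

    def __init__(self, passive_unlock_enabled: bool = True) -> None:
        self.passive_unlock_enabled = passive_unlock_enabled
        self.last_motion_ts: Optional[float] = None
        self.last_presence_ts: Optional[float] = None

    def observe(self, ts: float, event: str) -> None:
        """Record an event reported by the key device (phone or fob)."""
        if event == "motion":             # accelerometer reported movement
            self.last_motion_ts = ts
        elif event == "app_tap":          # user pressed "unlock" in the app
            self.last_presence_ts = ts
        elif event == "disable_passive":  # user turned passive unlock off
            self.passive_unlock_enabled = False
        elif event == "enable_passive":
            self.passive_unlock_enabled = True

    @staticmethod
    def _recent(last: Optional[float], now: float, window: float) -> bool:
        return last is not None and 0.0 <= now - last <= window

    def decide(self, now: float, ble_auth_ok: bool) -> Decision:
        if not ble_auth_ok:
            return Decision(False, "BLE authentication failed")
        # An explicit tap is the strongest signal: a relay forwards packets,
        # it does not press buttons on the owner's phone.
        if self._recent(self.last_presence_ts, now, PRESENCE_WINDOW_S):
            return Decision(True, "explicit user approval")
        if not self.passive_unlock_enabled:
            return Decision(False, "passive unlock disabled; explicit approval required")
        if self._recent(self.last_motion_ts, now, STATIONARY_TIMEOUT_S):
            return Decision(True, "passive unlock: key device moved recently")
        return Decision(False, "key device stationary too long; explicit approval required")


# Constructed timeline: ("event", name) entries come from the key device,
# ("request", auth_ok) entries are unlock attempts as seen by the lock.
SAMPLE_TIMELINE = [
    (0.0,   "event",   "motion"),   # owner walks up to the car
    (30.0,  "request", True),       # ordinary passive unlock
    (400.0, "request", True),       # phone has been lying still for minutes
    (405.0, "event",   "app_tap"),  # owner explicitly taps "unlock"
    (410.0, "request", True),
    (500.0, "request", True),       # tap has expired, phone still stationary
    (510.0, "request", False),      # BLE authentication itself failed
]


def replay(timeline) -> List[Tuple[float, bool, str]]:
    """Feed a timeline through a fresh policy; return (ts, unlock, reason) per request."""
    policy = UnlockPolicy()
    decisions = []
    for ts, kind, payload in timeline:
        if kind == "event":
            policy.observe(ts, payload)
        else:
            d = policy.decide(ts, ble_auth_ok=payload)
            decisions.append((ts, d.unlock, d.reason))
    return decisions


if __name__ == "__main__":
    for ts, unlock, reason in replay(SAMPLE_TIMELINE):
        print(f"t={ts:6.1f}s  {'UNLOCK' if unlock else 'DENY  '}  {reason}")
```

The request at t=400 is the case the article's first mitigation targets: the BLE handshake succeeds, but the phone has not moved for longer than the stationary timeout, so the lock withholds passive unlock and asks for explicit approval instead. Note that the motion and tap signals must travel over the authenticated channel from the key device itself; the policy is only as good as the lock's assurance that those events originate on the owner's device.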


