Teslas and other Bluetooth-enabled locks can be hacked
The cybersecurity firm NCC Group just demonstrated that millions of locks worldwide can be unlocked by hackers using a vulnerability in Bluetooth technology, and a Tesla was the company’s prime example.
Tesla vehicles, like the Model 3 and Model Y, use a technology called Bluetooth Low Energy (BLE) that allows owners to unlock and operate their vehicles via their phones within a short range of the vehicle. No user interaction with the device is required to do so. As for the vulnerability, the hardware needed to break into these cars and drive them away is easy to find: the NCC Group says it only requires “cheap off-the-shelf hardware” to hack a car or device using BLE technology from anywhere in the world. Yes, this hack is doable from anywhere — the hacker doesn’t need to be standing in your driveway to gain access.
Reuters reports that in a video shared with them, “NCC Group researcher Sultan Qasim Khan was able to open and then drive a Tesla using a small relay device attached to a laptop which bridged a large gap between the Tesla and the Tesla owner’s phone.”
Specifically, it was a 2021 Tesla Model Y, but the NCC Group says its exploit works on all Tesla Model 3s and Ys. And while the focus here has been squarely on Teslas, it’s important to note that all BLE-based proximity authentication systems are vulnerable. In addition to cars, the tech is used for “residential smart locks, commercial building access control systems, smartphones, smart watches, laptops and more,” according to the NCC Group.
“What makes this powerful is not only that we can convince a Bluetooth device that we are near it—even from hundreds of miles away—but that we can do it even when the vendor has taken defensive mitigations like encryption and latency bounding to theoretically protect these communications from attackers at a distance,” says Khan. “All it takes is 10 seconds—and these exploits can be repeated endlessly.”
Other car manufacturers are introducing “phone-as-key” features that use BLE technology to function. For example, Hyundai has already launched such a feature in the U.S. That said, the market penetration of those cars is vastly lower than that of the Tesla vehicles currently employing the tech — the NCC Group claims at least 2 million Teslas on the road now are vulnerable to this attack.
Unfortunately, the NCC Group doesn’t have any grand answers to the problem, and it criticizes those who use BLE as a security system, because it’s a use of the tech beyond its “intended purpose.” BLE proximity authentication was never designed for use in locking mechanisms that require security, but companies have adopted it anyway.
It suggests that manufacturers could reduce the risk of the hack by disabling proximity key functionality when a user’s phone has been stationary for a while based on the phone’s accelerometer. It also suggests a dual-factor authentication model that would require you to tap a button on your phone to unlock the car, as opposed to passive entry. Lastly, the firm suggests that you simply turn Bluetooth off on your phone when you don’t need it. Of course, that’s inconvenient, but it may save your car from being stolen in the meantime.
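The first two mitigations above, shown as an added example that is not code from NCC Group, Tesla or any vendor: a phone-side gate that answers a passive unlock request only if the accelerometer showed movement recently, and otherwise requires a tap. The class name, the thresholds and the accelerometer trace are assumptions constructed for illustration.

```python
import math

GRAVITY = 9.81            # m/s^2
MOTION_THRESHOLD = 0.6    # assumed: deviation from 1 g (m/s^2) that counts as movement
STATIONARY_LIMIT = 120.0  # assumed: seconds without movement before passive entry is off


class ProximityKeyGate:
    """Hypothetical phone-side policy deciding whether to answer a BLE unlock request."""

    def __init__(self, stationary_limit=STATIONARY_LIMIT, threshold=MOTION_THRESHOLD):
        self.stationary_limit = stationary_limit
        self.threshold = threshold
        self.last_motion = None  # time of the latest sample that showed movement

    def feed(self, t, ax, ay, az):
        """Record one accelerometer sample: time in seconds, axes in m/s^2."""
        magnitude = math.sqrt(ax * ax + ay * ay + az * az)
        if abs(magnitude - GRAVITY) > self.threshold:
            self.last_motion = t

    def decide(self, now, user_tapped=False):
        """Return the action for an unlock request arriving at time `now`."""
        if user_tapped:
            return "unlock_after_tap"      # explicit confirmation (second factor)
        if self.last_motion is None:
            return "require_tap"           # no motion evidence yet: fail closed
        if now - self.last_motion > self.stationary_limit:
            return "require_tap"           # phone at rest too long: passive entry off
        return "passive_unlock"


def constructed_trace():
    """Constructed samples: 30 s of walking, then the phone rests on a table."""
    walking = [(float(t), 0.4, 1.9 * math.sin(t), GRAVITY + 2.5 * math.cos(t))
               for t in range(0, 30)]
    resting = [(float(t), 0.0, 0.0, GRAVITY) for t in range(30, 600, 5)]
    return walking + resting


def run_demo():
    """Replay the trace and record the decision for requests at chosen times."""
    gate, decisions = ProximityKeyGate(), {}
    for t, ax, ay, az in constructed_trace():
        gate.feed(t, ax, ay, az)
        if t in (20.0, 100.0, 500.0):
            decisions[t] = gate.decide(t)
    decisions["500 tapped"] = gate.decide(500.0, user_tapped=True)
    return decisions
```

In the constructed trace, the request at 500 s arrives after the phone has been at rest for well over two minutes, so passive entry is refused until the user taps.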
If you want to read more about how the NCC Group uncovered this vulnerability and the tech behind it, detailed research can be found both here, and here.