Bluetooth Hacking Vulnerability Should Concern Tesla Owners

As we continue to demand connectivity between our vehicles and devices, we open ourselves up to potential security issues. Take phone-as-key functionality, for example. Vehicles such as the Tesla Model Y and evermore others allow you to use your smartphone in place of your key to unlock and open your doors, and even start and drive it through its passive Bluetooth Low Energy signal detection. Convenient, but ...

This opens up a vulnerability for thieves to not only open your car to steal your valuables but also potentially steal your car. Worse yet, the potential thief doesn't even need to hack the wiring or to know how to code, as it turns out a malefactor needs only a find pair of Bluetooth developer boards and the coding to download and program them to create signal relay devices. These bits aren't even inaccessible to the average person, but when has that ever stopped a criminal?

So, what does this vulnerability look like? A researcher at the NCC Group demonstrated in an experiment with their own Model Y and offered a few solutions, with one you might be able to do on your own.

The video byThe Telegraph is simple in its explanation because of how easy it is to do. You don't need an understanding of Bluetooth to make this work, and you don't need to set up the vehicle in a specific way. The thief only needs to be within 30 feet of the smartphone—or any key fob that uses BLE—with one relay, within 10 feet of the vehicle with the other to gain access to your car.

How Does This Work?

See All 37 Photos37

The relay boards work as signal repeaters for the passive signal BLE devices send and receive, similar to the "signal boosters" you might use to extend the range of your home's Wi-Fi. It takes the signal from the host device and then transmits that same signal to the device that is out of normal range. In the experiment by NCC Group, the phone is over 80 feet away from the Tesla Model Y. In this case, the Model Y won't open, as the phone is too far away. To reduce the latency (delay time before transfer of data) of the BLE signal the phone sends out, a phone-side relay is about 23 feet away from the phone, in another room. Just under 10 feet away is a vehicle-side relay to receive signals from the phone-side relay and then broadcast the signal to the Model Y, allowing the thief to open the door and even drive it away.

The Thief Doesn't Have My Phone or Key Fob, Though

None of this requires advanced knowledge of programming, radio transmission, or even building the circuit boards. The development board is already built and easily available for anyone to purchase, when it's in stock. You can even find the coding to make it work as a signal relay board and the burner program as both are open source.

While the researcher does use a laptop, even a simple Chromebook can be used to operate the signal relay boards. While the research doesn't state it, it may also be possible to capture and store this signal utilizing a Bluetooth "sniffer" (which operates in a similar manner to RFID sniffers) for use later using this method.

The Kinda-Sorta Solution

See All 37 Photos37

What the NCC Group recommends as a preventative measure by owners is to enable the "PIN to Drive" feature. This will, at the very least, prevent a thief from driving away with your vehicle. They have other recommendations, but these must happen at the software level of the phone or vehicle and aren't able to be implemented by the average user.

One solution is disabling passive entry functionality in the mobile app when the mobile device has been stationary for more than a minute. Another solution that NCC Group recommends is having the mobile application report the mobile device's last known location during the authentication process with the vehicle. This helps the vehicle detect and reject long distance relay attacks. The more reliable solution, again according to NCC Group, is using "time-of-flight" measurement over latency, where the vehicle monitors the total time it took a signal to travel from the device to the vehicle, rather than simply measuring the delay time before the transfer of BLE passive data.

See All 37 Photos37

Again, while a Tesla Model Y was used in this experiment, this attack can be used against any vehicle that uses Bluetooth Low Energy devices, from phones to key fobs, to gain access to and even drive your vehicle away without your knowledge. If you want to prevent your vehicle from being stolen, enable the "PIN to Drive" feature of your vehicle, if it has one. If you're able to, disable the passive abilities of your vehicle. Otherwise, hope that a thief doesn't have eyes on your car and has made a BLE signal relay wherever you shop or stop.