- Researchers exploit a Bluetooth weakness to unlock smart locks.
- The attack bypasses the typical Bluetooth security measures.
- Experts say the complexity of the attack makes it highly unlikely to be used by common criminals.
A master key that can unlock any Bluetooth smart lock sounds pretty scary. Good thing, then, that devising something like this, although possible, is nontrivial.
Cybersecurity research firm NCC Group has demonstrated a weakness in the Bluetooth Low Energy (BLE) specification that could be exploited by attackers to break open smart locks, such as the one used in a Tesla, and other phone-as-a-key systems that rely on Bluetooth-based proximity authentication. Fortunately, experts say such an attack is unlikely to occur on a mass scale, as it would take a tremendous amount of technical work to achieve.
“The convenience of being able to walk up to one’s home or car and have the door automatically unlock is clear and desirable to most people,” Evan Krueger, Head of Engineering at Token, told Lifewire over email. “But building a system that only opens for the right person or people is a difficult task.”
Bluetooth Relay Attacks
While the researchers refer to the exploit as a Bluetooth vulnerability, they acknowledged that it isn't a traditional bug that can be fixed with a software patch, nor an error in the Bluetooth specification. Instead, they argued, it arises from using BLE for purposes for which it was not originally designed.
Krueger explained that most Bluetooth locks rely on proximity, estimating that some key or authorized device is within a certain physical distance of the lock in order to grant access.
In many cases, the key is an object with a low-power radio, and the lock uses the strength of its signal as a primary factor in approximating how close or far away it is. Krueger added that many such key devices, such as a car fob, are broadcasting all the time, but they can only be "heard" by the lock when they're within listening range.
Harman Singh, Director at cybersecurity service provider Cyphere, said the attack demonstrated by the researchers is what’s known as a Bluetooth relay attack, in which an attacker uses a device to intercept and relay communications between the lock and the key.
"Bluetooth relay attacks are possible because many Bluetooth devices don't properly verify the identity of the source of a message," Singh told Lifewire in an email exchange.
Krueger argues that a relay attack is analogous to the attackers using an amplifier to dramatically increase how "loudly" the key is broadcasting. They use it to trick the locked device into thinking the key is in close proximity when it isn't.
"The level of technical sophistication in an attack like this is much higher than the provided analogy, but the concept is the same," said Krueger.
Been There, Done That
Will Dormann, Vulnerability Analyst at CERT/CC, acknowledged that while the NCC Group’s exploit is interesting, relay attacks to get into cars aren’t unheard of.
Singh agreed, noting there's been a lot of research and demonstrations in the past on relay attacks against Bluetooth authentication. These have helped secure the communication between Bluetooth devices by improving detection mechanisms and using encryption to successfully block relay attacks.
However, the significance of the NCC Group's exploit is that it manages to bypass the usual mitigations, including encryption, explained Singh. He added that there's little users can do besides being aware of the possibility of such attacks, as it's the responsibility of the manufacturer and vendor behind the software to ensure Bluetooth communication is tamper-proof.
"Advice to users remains the same as it was before; if your car has proximity-based automatic unlocking capabilities, try to keep that key material out of range of where an attacker might be," advised Dormann. "Whether it be a key fob or a smartphone, it probably shouldn't be hanging near your front door while you sleep."
However, not letting the makers of these kinds of security solutions off the hook, Krueger added that manufacturers should be moving towards stronger forms of authentication. Citing the example of his company’s Token Ring, Krueger said that a simple solution is to design some kind of user intent into the unlocking process. For instance, their ring, which communicates over Bluetooth, only starts broadcasting its signal when the device’s wearer initiates it with a gesture.
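The two points above, that a signal-strength proximity check is defeated by a relay and that a key which stays silent until the user gestures gives a relay nothing to forward, can be made concrete with a small simulation. The following is an added example written for this article; it is not code from NCC Group, Token, Tesla or any real lock, and its path-loss constants, unlock threshold and class names are constructed assumptions chosen only to illustrate the decision logic.

```python
import math
from dataclasses import dataclass

# Constructed model parameters (assumptions for illustration, not values from any real lock).
RSSI_AT_1M_DBM = -40.0          # assumed received signal strength when the key is 1 m away
UNLOCK_THRESHOLD_DBM = -60.0    # assumed: the lock treats anything stronger than this as "nearby"


def rssi_at_distance(distance_m: float) -> float:
    """Toy log-distance path-loss model: signal strength drops 20 dB per decade of distance."""
    return RSSI_AT_1M_DBM - 20.0 * math.log10(max(distance_m, 0.1))


@dataclass
class Key:
    """A fob, phone or ring that advertises its identity over a low-power radio."""
    key_id: str
    intent_gated: bool = False   # True for a key that only broadcasts after a user gesture
    user_gestured: bool = False  # whether the wearer has actually performed that gesture

    def advertisement(self):
        """What the key puts on the air; an intent-gated key is silent until the wearer acts."""
        if self.intent_gated and not self.user_gestured:
            return None
        return {"key_id": self.key_id}


@dataclass
class Lock:
    """A lock that, as described in the article, uses signal strength as its proximity estimate."""
    authorized_keys: frozenset

    def decide(self, advertisement, rssi_dbm: float) -> str:
        """Grant access only for a known key whose signal looks close enough."""
        if advertisement is None:
            return "no signal"
        if advertisement["key_id"] not in self.authorized_keys:
            return "denied: unknown key"
        if rssi_dbm < UNLOCK_THRESHOLD_DBM:
            return "denied: key too far"
        return "unlocked"


def simulate(key: Key, lock: Lock, key_distance_m: float, relay_distance_m=None) -> str:
    """Run one unlock attempt and return the lock's decision.

    Without a relay the lock hears the key at key_distance_m. With a relay, a
    second radio standing relay_distance_m from the lock re-broadcasts whatever
    the key emits, so the lock measures the relay's distance, not the key's.
    """
    adv = key.advertisement()
    heard_at_m = key_distance_m if relay_distance_m is None else relay_distance_m
    return lock.decide(adv, rssi_at_distance(heard_at_m))


if __name__ == "__main__":
    car = Lock(authorized_keys=frozenset({"fob-1", "ring-1"}))
    fob = Key("fob-1")
    ring = Key("ring-1", intent_gated=True)

    # A normal fob: works up close, rejected when the owner is 30 m away indoors.
    print("fob at 1 m:          ", simulate(fob, car, 1.0))
    print("fob at 30 m:         ", simulate(fob, car, 30.0))
    # The same fob relayed by a radio standing 1 m from the lock looks close.
    print("fob at 30 m, relayed:", simulate(fob, car, 30.0, relay_distance_m=1.0))
    # An intent-gated key emits nothing to relay until its wearer gestures.
    print("ring, no gesture:    ", simulate(ring, car, 30.0, relay_distance_m=1.0))
    ring.user_gestured = True
    print("ring after gesture:  ", simulate(ring, car, 1.0))
```

The model deliberately leaves out encryption, because the article's point is that the relay forwards valid, authenticated traffic unchanged; the lock never sees a bad key, only a misleading distance. The intent gate closes the window not by detecting the relay but by ensuring there is nothing on the air to forward until the owner actually wants the door open.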
That said, to help put our minds at ease, Krueger added that people shouldn't be concerned about these Bluetooth or other radio-frequency key fob exploits.
"Pulling off an attack like the one described in the Tesla demonstration requires both a nontrivial level of technical sophistication and an attacker would have to specifically target an individual," explained Krueger. "[This means] that an average owner of a Bluetooth door or car lock is unlikely to encounter such an attack."