Researchers have developed a new tool that can execute a novel type of relay attack against devices that perform proximity based authentication using Bluetooth LE, enabling an attacker to trick a victim device such as a laptop or smart lock or even a vehicle into unlocking.
Bluetooth LE proximity authentication is implemented in a number of different environments and products, and is designed to allow a trusted, nearby device to unlock another device. Some vehicles, including Teslas, that use mobile phones as a key use this method, as do some devices such as laptops, smart watches, and phones. Many consumer Bluetooth-enabled devices also use BLE-based proximity authentication. Relay attacks, in which a malicious device relays the authentication signal from a legitimate device, are a known issue with these systems and the typical defenses include encrypting the requests sent over the link layer and/or limiting the response time. The tool that researchers at NCC Group developed adds just 8 milliseconds of latency in the response time, which would not be enough to exceed typical rate limits.
“With further straightforward refinement of the tool, it would be possible to guarantee that the added response latency is one connection event or less for any connection interval permissible under the Bluetooth specification,” the advisory by Sultan Qasim Khan of NCC Group says.
“Real BLE devices commonly require multiple connection events to respond to GATT requests or notifications and have inherent variability in their response timing. Thus, the latency introduced by this relay attack falls within the range of normal response timing variation.”
BLE proximity authentication systems typically measure the distance of a device by the response time, so if the device is too far away from the device to be unlocked, the response time will be too long and the authentication won’t work. Relay attacks defeat this by relaying the signal from the remote device to the target device. Detecting this kind of attack can be difficult, especially under the current Bluetooth specification.
"The most reliable way to detect relay attacks is through secure ranging using time-of-flight combined with cryptographic challenge response. Unfortunately, in the current version of the Bluetooth protocol, there is no way to achieve this without adding custom baseband functionality that cannot be expected on general purpose phones. Industry efforts are underway to develop secure ranging for proximity key functionality using Ultra-Wideband for time-of-flight measurement," Khan said via email.
"For long distance relay attacks, they could also be detected through monitoring of GPS location of the phone/key fob relative to the location of the item being unlocked. However, such approaches face some obstacles due to a combination of battery life impacts, mobile OS permissions and background task policies, user privacy concerns, and the time required to obtain a precise GPS position lock."
"Documentation should make clear that relay attacks are practical and must be included in threat model."
The researchers tested the attack on a 2020 Tesla Model 3, running the attack tool on an iPhone 13 mini. The iPhone was outside of Bluetooth range of the vehicle, about 25 meters away from the car, with two relaying devices between the iPhone and the car. Using the tool, the researchers were able to unlock the vehicle remotely.
“If an attacker can place a relaying device within signal range of a target BLE device (Victim Device A) trusted for proximity authentication by another device (Victim Device B), then they can conduct a relay attack to unlock and operate Victim Device B,” the advisory says.
“Neither normal GATT (Generic Attribute Profile) response latency nor successful communications over an encrypted link layer can be used as indications that a relay attack is not in progress. Consequently, conventional mitigations to prior BLE relay attacks are rendered ineffective against link layer relay attacks.”
The researchers disclosed their findings to Tesla and the Bluetooth Special Interest Group, which acknowledged the issue but said that relay attacks were a known problem with Bluetooth. Tesla officials also said that relay attacks were a known limitation of the passive entry system.
“NCC Group recommends that the SIG proactively advise its members developing proximity authentication systems about the risks of BLE relay attacks. Moreover, documentation should make clear that relay attacks are practical and must be included in threat models, and that neither link layer encryption nor expectations of normal response timing are defences against relay attacks,” the advisory says.
NCC Group has not released the tool it developed to perform this attack, but may do so in the future.
"We intend to release the tool only after further research has been conducted and disclosures with those affected vendors are complete," Khan said.