Cybersecurity researchers say they have developed a tool to unlock a Tesla electric car using Bluetooth Low Energy (BLE) technology.
If an attacker can place a relaying device within BLE signal range of a mobile phone or key fob authorised to access a Tesla Model 3 or Model Y, they can conduct a relay attack to unlock and operate the vehicle, NCC Group said in a technical advisory.
They said they tested the method on a Tesla Model 3 from 2020 using an iPhone 13 mini running version 4.6.1-891 of the Tesla app.
“NCC Group has developed a tool for conducting a new type of Bluetooth Low Energy (BLE) relay attack,” the Dallas-based company said.
Attack Tool to Unlock and Operate
“NCC Group was able to use this newly developed relay attack tool to unlock and operate the vehicle while the iPhone was outside the BLE range of the vehicle.”
The vulnerability appears to affect virtually every device that uses BLE technology, but NCC Group demonstrated it in Tesla vehicles.
During the experiment, they relayed the communication from the iPhone to the car via two relay devices, one placed 7m from the phone, the other sitting 3m from the car.
The iPhone was placed on the top floor at the far end of a home, about 25m from the vehicle, which was in the garage at ground level.
The phone-side relaying device was positioned in a separate room from the iPhone, and the vehicle-side relaying device was able to unlock the vehicle when placed within 3m.
NCC made a series of recommendations based on its discovery. It said that “users should be educated about the risks of BLE relay attacks, and encouraged to use the PIN to Drive feature”.
They also suggested the carmaker should “consider also providing users with an option to disable passive entry.”
NCC said it alerted Tesla Product Security about its discovery on April 21 and that Tesla responded a week later, “stating that relay attacks are a known limitation of the passive entry system”.
- George Russell