Hackers can steal your Tesla via Bluetooth

The lines between virtual and physical damage from cyberattacks are blurring even further after a new method of stealing a Tesla car using Bluetooth technology was uncovered.

A team of researchers from NCC Group built a tool that is capable of mounting a Bluetooth Low Energy (BLE) relay attack, successfully bypassing all existing protections and authenticating on target endpoints.

While this type of attack works pretty much the same on all kinds of devices, from smartphones to smart locks, researchers opted for a Tesla car. 

Successful experiment

In layman’s terms, the attack works by squeezing the attacker in between the legitimate Bluetooth sender and receiver devices. That way, the attacker gets to manipulate the data going into the receiving device (in this particular case, the Tesla car). 

The only challenge with this method is that the attacker needs to be in relative proximity to both the victim, and the target device.

As an experiment, the researchers used a 2020 Tesla Model 3, and an iPhone 13 mini, running version 4.6.1-891 of the Tesla app. They used two relay devices, one located seven meters away from the phone, and the other one located three meters from the car. The overall distance between the phone and the car was 25 meters. The experiment was a success.

“NCC Group was able to use this newly developed relay attack tool to unlock and operate the vehicle while the iPhone was outside the BLE range of the vehicle,” the researchers concluded.

Later, the team successfully conducted the same experiment on a 2021 Tesla Model Y.

After sharing the findings with Tesla, the company said relay attacks were “a known limitation of the passive entry system”. 

To defend from relay attacks, users can disable the passive entry system and switch to an alternative method of authenticating, preferably one that requires user interaction. They should also use the “PIN to Drive” feature, to make sure no one can drive away with the vehicle, even if they successfully manage to open it. 

Via: BleepingComputer

Go to Source