A critical flaw found in Bluetooth Low Energy (BLE) receivers may grant cybercriminals entry to anything from personal devices, such as phones or laptops, to even cars and houses. The new findings from cybersecurity company NCC Group detail how BLE uses proximity to authenticate that the user is near the device. This has been able to be faked as part of the research, which could affect everyone from the average consumer to organizations seeking to lock the doors to their premises.
This issue is believed to be something that can’t be easily patched over or just an error in Bluetooth specification. This exploit could affect millions of people, as BLE-based proximity authentication was not originally designed for use in critical systems such as locking mechanisms in smart locks, according to the NCC Group.
“What makes this powerful is not only that we can convince a Bluetooth device that we are near it—even from hundreds of miles away—but that we can do it even when the vendor has taken defensive mitigations like encryption and latency bounding to theoretically protect these communications from attackers at a distance,” said Sultan Qasim Khan, Principal Security Consultant and Researcher at NCC Group. “All it takes is 10 seconds—and these exploits can be repeated endlessly.”
How the Bluetooth to exploit could already be affecting you
To start, the cybersecurity company points out that any product relying on a trusted BLE connection is vulnerable to attacks from anywhere in the world at any given time.
To quote NCC Group’s findings, “by forwarding data from the baseband at the link layer, the hack gets past known relay attack protections, including encrypted BLE communications, because it circumvents upper layers of the Bluetooth stack and the need to decrypt.”
These Bluetooth systems are used to lock items such as vehicles or residences that are using Bluetooth proximity authentication mechanisms that can be easily broken with cheap off-the-shelf hardware, according to the cybersecurity company. As a proof of concept, it was found by Khan that a link-layer relay attack conclusively defeats existing applications of BLE-based proximity authentication. This was found to affect the following devices:
- Cars with automotive keyless entry
- Laptops with Bluetooth proximity unlock feature
- Mobile phones
- Residential smart locks
- Building access control systems
- Asset and medical patient tracking
One of the specified vehicles known to be affected by this exploit is the Tesla Models 3 and Y.
“This research circumvents typical countermeasures against remote adversarial vehicle unlocking, and changes the way engineers and consumers alike need to think about the security of Bluetooth Low Energy communications,” Khan added. “It’s not a good idea to trade security for convenience—we need better safeguards against such attacks.”
Ways to protect your assets against this flaw
To assist users in avoiding being the next victims of the BLE and its shortcomings, NCC Group offers the following three tips:
- Manufacturers can reduce risk by disabling proximity key functionality when the user’s phone or the key fob has been stationary for a while (based on the accelerometer).
- System makers should give customers the option of providing a second factor for authentication, or user presence attestation (e.g., tap an unlock button in an app on the phone).
- Users of affected products should disable passive unlock functionality that does not require explicit user approval, or disable Bluetooth on mobile devices when it’s not needed.
Since the bug can be exploited from anywhere, it is crucial that users find out which of their devices uses BLE technology and disable it or at least restrict passive unlocking. For manufacturers and system makers, it could be crucial to rethink which pieces of technology are being used to unlock devices and potentially stop producing items with BLE technology since it can be easily exploited.