Tesla Hack: Car Hacking Made Easy

For years, IT experts have been warning that opening doors with a smartphone is unsafe. Now a researcher has cracked a Tesla in a few seconds - with the help of Bluetooth.

Cars have long been computers on wheels, and just like all other computers, they can be hacked. An American security researcher is now showing how someone else's Tesla can be opened, started and thus stolen in a very short time. And not only that: in theory, attackers could use the same method against vehicles from other manufacturers and against so-called smart locks on front doors.

The focus of the attack is the Bluetooth connection, or more precisely Bluetooth Low Energy, BLE for short. This wireless technology allows devices to connect to each other over distances of up to around 100 meters. Compared to classic Bluetooth connections, which are used when connecting a speaker to a smartphone, for example, BLE consumes significantly less power. This is why the technology is mainly used for connections in the background: the Corona-Warn-App, for example, uses BLE to determine presumed risk encounters by having smartphones measure when they were near other smartphones and thus (probably) their owners.

Some automakers, including Tesla, use Bluetooth Low Energy to unlock vehicles. Distance is also important here: the car measures whether the owner's smartphone or a transponder, also known as a key fob, is in the immediate vicinity. The owner only has to approach the vehicle, and it is unlocked automatically as soon as they touch the door handle. It is locked again as soon as they move a few meters away. A further confirmation, such as a button press, is no longer necessary.

That may be practical: after all, you don't have to dig the car key out of your pocket before you can get in. Under certain circumstances, however, it poses a security risk, namely when third parties tap the Bluetooth signal between the smartphone (transmitter) and the door lock (receiver) - with a so-called relay attack.

Security risk radio key

This attack can proceed as follows: A car owner parks her car, for example in the parking lot in front of the office. Inside, she puts down her smartphone, which is configured as a car key. An attacker A within range of the smartphone scans all Bluetooth connections, copies the information about the desired connection and transmits it to a second attacker B, who is standing right next to the car. B can thus identify himself as the legitimate owner, open the vehicle and possibly steal it. Sultan Khan also demonstrates this attack in a video. If the appropriate hardware and software are in place, the entire attack can be carried out in a few seconds.

Because attacker A and attacker B communicate via the Internet, they can theoretically be many kilometers apart. Nor does the attack necessarily require two attackers: if a hacker knows where his victim usually leaves his smartphone, for example in the changing room of a gym, he could deposit a small intercepting device nearby, which would then automatically forward the connections to him over the mobile network.

It has been known for years that wireless keys are insecure, regardless of whether they use Bluetooth or another wireless technology. The automotive industry should therefore be aware of the problem. As early as 2010, researchers at ETH Zurich were working on keyless car systems and pointed out the potential security risks. In the years that followed, there were repeated reports of how easily such systems could be defeated, for Tesla vehicles alone. Nevertheless, almost all vehicles offer the option of unlocking the doors by radio in some form, and sometimes even of starting the vehicle.

The Bluetooth protocol used in the current Tesla case contains certain security measures, such as encryption, which are intended to prevent data theft by third parties. However, the experts at the NCC Group have now found a new way to circumvent these measures.

To put it simply, a Bluetooth connection consists of several layers that fulfill different functions. One layer manages the physical radio transmission, another the connected devices, another the security measures. The security researchers have managed to access the information required for unlocking at a very low level, the so-called link layer, i.e. before the security measures take effect. "Conventional defenses against previous relay attacks are ineffective in this case," writes security researcher Khan.

The attack has been successfully tested on a Tesla Model 3, but could also work on a Model Y as both models use a similar unlocking system. In principle, this type of attack can be used on all devices that use BLE connections, according to the study. In fact, the experts show that the attack also works with certain networked door locks from the US company Kwikset. "The problem is that BLE-based authentication is being used for applications where it's never been secure," Khan told Ars Technica. BLE is actually a standard that devices can use to exchange data (such as with the Corona-Warn-App). However, it is not intended to act as a key.

Ultra-wideband could replace Bluetooth

The problem therefore lies not so much in the Bluetooth protocol as in its insecure application. There are ways to make authentication via Bluetooth or other radio technologies more secure, namely by adding an additional factor. For example, location data could be added: the GPS coordinates of the vehicle would be stored on the smartphone when the car is locked, and unlocking would only be possible when the smartphone is nearby again. The movement of the device could also be measured: if the connected smartphone has been stationary for more than 30 seconds, the car cannot be unlocked.

Another possibility: in order to unlock the vehicle or the front door, the owner must also confirm this on their smartphone, either by tapping or by scanning their fingerprint. A better option is a technology called ultra-wideband (UWB), which is already included in the Samsung Galaxy 21+ and iPhone 11/12 and is used there to find Apple's AirTags. UWB not only enables data exchange between two devices.

It also allows the distance between the devices to be determined with centimeter accuracy. Unlike with Bluetooth, the distance is determined not from the signal strength but from the reaction time, the so-called time-of-flight technology. UWB is therefore considered more robust against relay attacks, since this method cannot be so easily circumvented or imitated.
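The difference between signal-strength and time-of-flight proximity checks, as an added example that is not from the article or from the NCC Group research. The path-loss constants, the 200 µs reply delay, the 2 m unlock radius and all function names are constructed assumptions.

```python
import math

C = 299_792_458.0        # speed of light, m/s
REPLY_DELAY_S = 200e-6   # assumed fixed turnaround time of the key device
RSSI_AT_1M_DBM = -59.0   # assumed calibration value for the path-loss model

def rssi_distance_m(rssi_dbm, path_loss_exp=2.0):
    """Signal-strength estimate (log-distance path-loss model)."""
    return 10 ** ((RSSI_AT_1M_DBM - rssi_dbm) / (10 * path_loss_exp))

def tof_distance_m(round_trip_s, reply_delay_s=REPLY_DELAY_S):
    """Two-way ranging: remove the responder's turnaround time, halve the
    remainder and convert the one-way flight time to metres."""
    return max(0.0, round_trip_s - reply_delay_s) / 2 * C

def measure(true_distance_m, relay_latency_s=0.0, rssi_seen_dbm=None):
    """Constructed measurement as seen by the car. A relay can present any
    RSSI it likes, but it can only add time to the round trip."""
    round_trip_s = REPLY_DELAY_S + 2 * true_distance_m / C + relay_latency_s
    if rssi_seen_dbm is None:  # direct link: RSSI follows the real distance
        rssi_seen_dbm = RSSI_AT_1M_DBM - 20 * math.log10(true_distance_m)
    return rssi_seen_dbm, round_trip_s

def unlock_checks(rssi_dbm, round_trip_s, max_distance_m=2.0):
    """Evaluate both proximity checks against the same unlock radius."""
    return {
        "rssi_allows": rssi_distance_m(rssi_dbm) <= max_distance_m,
        "tof_allows": tof_distance_m(round_trip_s) <= max_distance_m,
    }

def scenarios():
    """Three constructed cases: a direct link and two relayed links."""
    return {
        "owner at 1 m": unlock_checks(*measure(1.0)),
        "relayed from 50 m, zero relay latency":
            unlock_checks(*measure(50.0, rssi_seen_dbm=-55.0)),
        "relayed from 50 m, 1 ms relay latency":
            unlock_checks(*measure(50.0, relay_latency_s=1e-3, rssi_seen_dbm=-55.0)),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Even a relay with zero processing delay fails the time-of-flight check, because the signal still has to travel the real distance and back.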

The car manufacturer BMW has been supporting UWB in individual models since last year. If, on the other hand, you own a Tesla or any other car with keyless doors, you cannot fully protect yourself from relay attacks. But at least theft of the car can be prevented by configuring it so that a PIN is also required to start it. In the best-case scenario, that PIN is stored only in the driver's head.
