Research conducted by cybersecurity firm NCC Group has highlighted a vulnerability in Bluetooth software, enabling a researcher to unlock a Tesla and drive away without access to the vehicle’s keys, as seen in the video below. The vulnerability could affect millions of cars that use phone-as-a-key services, and even household devices that use Bluetooth for device detection, such as smart locks.
Thefts of keyless entry vehicles have become increasingly common, but this attack is unique, as it takes advantage of a smartphone’s Bluetooth Low Energy (BLE) rather than the vehicle’s onboard system. In the video below, cybersecurity researcher Sultan Qasim Khan from NCC Group unlocks a 2021 Tesla Model Y using a relay device, which tricks the Tesla into believing that the owner’s mobile phone, which grants access to the vehicle over Bluetooth, is close enough to unlock the car.
If a car’s owner uses the phone-as-a-key feature, the phone’s Bluetooth signal can be detected and replicated using an internet-connected relay device. The Bluetooth signal is then forwarded to the device of a waiting thief within range of the vehicle; that device then emits the signal and unlocks the vehicle. The crook is then free to access the car, though Teslas feature a “PIN-to-drive” system which could prevent potential thieves from driving away.
The NCC Group told Reuters that “systems that people rely on to guard their cars, homes, and private data are using Bluetooth proximity authentication mechanisms that can be easily broken with cheap off-the-shelf hardware”. The nature of the attack means that any device that uses Bluetooth to detect device proximity could be vulnerable, including smart locks used to protect homes, and any other vehicles that feature phone-as-a-key capabilities. Manufacturers such as BMW, Mercedes-Benz, Ford and Hyundai offer this system, so an astonishing number of cars could be at risk.