Tesla's Bluetooth Vulnerability

An attacker within Bluetooth signal range of a mobile device configured for Phone-as-a-Key use can carry out a relay attack to unlock and drive the car, even when that authorized device is out of the vehicle's own range.

The Tesla Model 3 and Model Y use a passive entry system based on Bluetooth Low Energy (BLE). A user whose authorized mobile device or key fob is within a short range of the car can unlock and operate the vehicle without interacting with the device or fob. The system infers the proximity of the mobile device or key fob from signal strength (RSSI) and from latency measurements of cryptographic challenge-response operations carried out over BLE.

NCC Group developed a relay attack tool and used it to unlock a Tesla while the paired iPhone was outside the vehicle's BLE range. The weakness appears to affect practically any device that relies on BLE for proximity, but NCC Group demonstrated it on Tesla automobiles.

During the experiment, they relayed the communication between the iPhone and the car through two relay devices, one located 7 meters from the phone and the other 3 meters from the car.

Testing was performed on a 2020 Tesla Model 3 running software version 11.0 (2022.8.2) and an iPhone 13 mini running Tesla app version 4.6.1-891. With this tool, NCC Group was able to operate the Tesla while the iPhone was outside the vehicle's BLE range.

NCC Group has not tested this relay attack against a Model Y or in conjunction with the optional Tesla Model 3/Y BLE key fob. Given the similarity of the technology used, NCC Group believes the same type of relay attack to be possible against these targets.

During experimentation to identify latency bounds, NCC Group found that relay attacks against the Model 3 remained effective with up to 80 ms of round-trip latency artificially added on top of the base latency introduced by the relaying tool over a local Wi-Fi network. This latency margin suggests that long-distance relay attacks over the internet should be possible. NCC Group has not, however, carried out any long-distance relay attacks against Tesla automobiles.

Recommendations

Every vehicle owner, computer owner, and smart device owner should be educated about the risks of BLE relay attacks. Tesla owners in particular are encouraged to use the PIN to Drive feature. Consider using options to disable passive entry. Consider deactivating passive entry in the mobile app when the device has been stationary for more than a minute, to reduce the window for relay attacks. Consider having the mobile application report the device's last known position to the car during authentication so that the car can detect and deny long-distance relay attacks.
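
The latency-bounded challenge-response check described above, together with the last-known-position mitigation recommended here, modelled as an added example (not Tesla's or NCC Group's code); the key, latency budget, base round trip and coordinates are constructed assumptions. It shows that any budget wide enough to absorb the 80 ms margin bounds the key holder to thousands of kilometres rather than metres, so the relayed exchange passes, while a position check can reject a distant relay.

```python
import hashlib
import hmac
import math

C_M_PER_S = 299_792_458.0  # radio propagation speed (vacuum; air is within 0.03%)

def distance_bound_m(rtt_budget_s: float) -> float:
    """One-way distance a radio signal can cover and still return inside the
    round-trip budget: the only distance a pure latency check can enforce."""
    return C_M_PER_S * rtt_budget_s / 2.0

def respond(key: bytes, challenge: bytes) -> bytes:
    """Key holder's side. HMAC stands in for the real scheme; a relay forwards
    the bytes unchanged, so the MAC is always valid when it reaches the car."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

def latency_check(key, challenge, response, rtt_s, rtt_budget_s):
    """Vehicle's side: valid MAC and observed round trip within the budget."""
    mac_ok = hmac.compare_digest(respond(key, challenge), response)
    return mac_ok and rtt_s <= rtt_budget_s

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6_371_000.0 * math.asin(math.sqrt(a))

def position_check(phone_pos, car_pos, max_m):
    """Recommended mitigation: the phone reports its last known position during
    authentication and the car denies entry if that position is too far away."""
    return haversine_m(*phone_pos, *car_pos) <= max_m

def demo():
    key = b"constructed-demo-key"          # constructed; not a real pairing key
    challenge = b"\x00\x01\x02\x03"
    response = respond(key, challenge)     # what the phone (or the relay) returns
    base_rtt = 0.015   # assumed local BLE round trip (constructed)
    budget = 0.100     # assumed latency budget the vehicle tolerates (constructed)
    local_ok = latency_check(key, challenge, response, base_rtt, budget)
    relay_ok = latency_check(key, challenge, response, base_rtt + 0.080, budget)
    car = (51.5007, -0.1246)                                    # constructed
    near_ok = position_check((51.50076, -0.12455), car, 50.0)  # ~8 m away
    far_ok = position_check((48.8566, 2.3522), car, 50.0)      # ~340 km away
    return local_ok, relay_ok, distance_bound_m(budget), near_ok, far_ok

if __name__ == "__main__":
    print(demo())  # (True, True, ~14,989,623 m, True, False)
```

With a 100 ms budget the relayed exchange (80 ms added) is accepted exactly like the local one, and the budget only rules out a key holder more than roughly 15,000 km away.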

Secure ranging based on a time-of-flight measurement technology (such as Ultra-Wide Band) must be adopted in future vehicles to reliably prevent relay attacks.

Tesla's PIN to Drive feature

PIN to Drive lets owners set a personal identification number that must be entered before the vehicle can be driven. Tesla owners can toggle this capability on and off under Controls > Safety & Security on the vehicle's touchscreen.

The option works alongside the Tesla mobile app and Valet Mode. If you forget your PIN or want to disable PIN to Drive, return to the touchscreen's settings, follow the on-screen prompts and tap the link to enter your Tesla login credentials.

Fun Bluetooth fact

The Danish Viking commander Harald, often known as Harald Blåtand (which translates to "Bluetooth"), was crowned King of Denmark in the tenth century. Later, he united his realm with that of Norway. The technology for wirelessly connecting cell phone headsets was named after him in recognition of the crucial role the Nordic countries played in the development of cell phone technology.