UK based NCC Group says it found security flaws in Bluetooth Low Energy (BLE). The vulnerability involves using a link layer relay attack on a BLE system. This attack is effective to gain access and start a Tesla model 3 and a Tesla model Y. BLE is broadly used as a communication protocol in several industries, including automotive. One of the use cases involves using BLE as communication protocol between the key (either smart key or digital key) and the vehicle to allow entry and start.
In this insight we explore the potential impact of such vulnerability and how it might affect the selection of future communication technologies for OEMs .
What is happening?
If what NCC states is accurate this is an important vulnerability, affecting anything that relies on BLE as a communication protocol for proximity base use cases (including access control, such as door locks).
Based on the available data, it seems there are no directly deployable mitigations on the Bluetooth layer.
For an automotive access control case this means the only direct solution would be disabling the passive entry function that uses BLE.
There are indirect mitigations like 2 2-factor authentication that could mitigate the issue ( e.g. Tesla’s Pin to Drive) however, this does not solve the inherent vulnerability, it just adds another layer of security.
This is the first time that this type of attack is publicly known, based on SBD’s Cybersecurity Intelligence (link here).
Why does it matter?
The vulnerability presented by NCC affects vehicles with smart or digital key systems that use only BLE. This presents an opportunity for thieves to gain entry to such vehicles.
Using BLE in combination with other communication technology, like Ultra Wide Band (UWB), will further enhance the overall security of the system.
Future Smart key systems are likely to adopt BLE+UWB communication technologies used by the digital key systems, eliminating the need for 2 separate communication platforms.
A vulnerability for car access will not only affect brand perception. If thefts on certain models increase due to thieves exploiting the vulnerability, insurance premiums will increase, making total cost of ownership higher for consumers.
Where next?
There is a race between making secure systems and creating tools to exploit underlying vulnerabilities. Depending on the severity and feasibility of this vulnerability, a BLE only system might be discarded for sensitive use cases, such as vehicle access.
There is currently not enough public information to assess the impact of the attack. The NCC security group will not release the full details of the attack until the affected parties can address or patch the vulnerability (which is common practice that follows the path of responsible disclosure).
However, if this vulnerability is not easy to solve, other actors will try to replicate the vulnerability for their own means ( e.g. illegally accessing a vehicle).
Cyber security experts need to assess the impact, severity and replicability of this attack.
An inherent vulnerability on BLE will accelerate the consideration and adoption of UWB or UWB+BLE for vehicle access systems.
Theft tools that use this vulnerability will start being used by OCGs to access vehicles.
As mainstream media reports the new theft method, there will be pressure on OEMs to address the vulnerability.
Who to watch out for?
Different bodies are pushing certain technologies to become mainstream in automotive. Given the industry industry-wide support CCC is getting, it is likely that future communication protocols will be based on their specification.
The CCC issued its digital key specification release 3 early. The specification covers passive entry and passive start use cases. By doing so, the CCC have considered the secure ranging aspect of those use cases which made them select a combination of BLE+UWB technology.
It is expected that most OEMs will follow CCC specifications in the future when adopting digital key systems.
On the other hand, Bluetooth SIG thinks that BLE alongside channel sounding will enhance the accuracy of positioning applications, e.g. vehicle access systems.
How should you react?
Select
Select the appropriate technology for each use case. In its current state, Bluetooth cannot ensure a secure distance bounding. Hence, it should not be used to ensure a precise distance measurement (e.g. for passive entry systems).
Balance
Evaluate use cases and provide the best balance between security and user functionality. Put in place best practices for both security and functionality.
Secure
Including security by design on systems is paramount. Critical use cases should have further failsafe in place.
Interested in finding out more?
Most of our work is helping clients go deeper into new challenges and opportunities through custom projects. If you would like to discuss recent projects we've completed relating to Cybersecurity, contact us today!
Also, be sure to view our related content: