NCC Group has demonstrated a proof-of-concept relay attack showing that BLE proximity authentication can be abused from anywhere in the world.
A critical flaw in the way Bluetooth Low Energy (BLE) proximity authentication is used could give criminals access to everything from personal devices, such as phones and laptops, to cars and homes. New findings from cybersecurity firm NCC Group describe how BLE-based systems rely on the radio link itself to judge that the user is physically close to the device, and how that judgement can be faked by relaying the link-layer traffic. The attack affects everyone from the average consumer to organizations relying on BLE to secure their premises.
According to NCC Group, this is not a traditional bug that can be fixed with a software patch, nor an error in the Bluetooth specification; the underlying problem is that BLE-based proximity authentication was never designed for use in critical systems such as the locking mechanisms of smart locks. Because it has been widely adopted for exactly that purpose, the attack could affect millions of people.
“What makes this powerful is not only that we can convince a Bluetooth device that we’re close – even hundreds of miles away – but that we can do it even if the vendor has taken defensive measures such as encryption and latency throttling to theoretically protect this communication from remote attackers,” said Sultan Qasim Khan, Principal Security Consultant and Researcher at NCC Group. “It only takes 10 seconds – and these exploits can be repeated endlessly.”
How the Bluetooth Exploit Can Affect You
For starters, the firm points out that any product that relies on a trusted BLE connection to establish proximity is vulnerable to attack from anywhere in the world at any time.
To quote NCC Group’s findings, “By relaying data from the baseband to the link layer, the hack bypasses known relay attack protections, including encrypted BLE communications, as it bypasses the top layers of the Bluetooth stack and the need to decode.”
Such systems are used to secure vehicles and homes with Bluetooth proximity authentication, which the company says can be broken with cheap off-the-shelf hardware. As a proof of concept, Khan showed that a link-layer relay attack is sufficient to defeat existing applications of BLE-based proximity authentication, which include:
- Cars with keyless entry
- Laptops with a Bluetooth proximity unlock feature
- Mobile phones
- Smart locks for homes
- Building access control systems
- Asset and medical patient tracking
Among the vehicles named as affected by this exploit are the Tesla Model 3 and Model Y.
“This research circumvents typical countermeasures against remote vehicle unlocking and changes the way engineers and consumers need to think about the security of Bluetooth Low Energy communications,” Khan added. “It’s not a good idea to trade security for convenience – we need better defenses against such attacks.”
Ways To Protect Your Assets From This Flaw
To help users avoid becoming the next victims of this BLE weakness, NCC Group offers three tips:
- Manufacturers can reduce the risk by disabling proximity-key functionality when the user’s phone or key fob has been idle for a while, as detected by its accelerometer.
- System makers should offer customers a second factor of authentication or user presence attestation (e.g. tapping an unlock button in an app on the phone).
- Users of affected products should disable passive unlock features that do not require explicit user consent, or turn off Bluetooth on mobile devices when it is not needed.
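The following is an added illustration, not code from NCC Group or from the article, of why a link-layer relay defeats both encryption and a latency check (the point quoted from NCC’s findings above), and of how the first two mitigations in the list, an accelerometer idle timeout and an explicit user tap, block it. It is a toy model on a virtual clock: the shared key, the latency figures, the idle timeout and all class and function names are assumptions chosen for the demo, not measurements or tooling from the research.

```python
"""Toy model of a BLE link-layer relay against challenge-response proximity
unlock, plus two mitigations. Constructed example; all values are assumed."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed demo parameters, not figures from NCC Group's research.
SHARED_KEY = b"constructed-demo-key-not-real"
AIR_LATENCY_S = 0.002     # one direct radio hop, assumed
RELAY_LATENCY_S = 0.008   # extra one-way delay the relay adds, assumed
LATENCY_BUDGET_S = 0.030  # vehicle's round-trip allowance, assumed
IDLE_TIMEOUT_S = 60.0     # mitigation 1: fob stops answering after this much stillness


@dataclass
class KeyFob:
    key: bytes
    last_motion_at: float             # virtual-clock time of the last accelerometer event
    user_tapped_unlock: bool = False  # mitigation 2: explicit user action

    def respond(self, challenge: bytes, now: float) -> Optional[bytes]:
        if now - self.last_motion_at > IDLE_TIMEOUT_S:
            return None  # an idle fob refuses, whatever arrives over the radio
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


@dataclass
class LinkLayerRelay:
    """Forwards PDUs byte for byte. It never needs the key, which is why
    encrypting or authenticating the exchange does not stop it."""
    one_way_latency_s: float

    def forward(self, pdu: bytes, now: float) -> Tuple[bytes, float]:
        return pdu, now + self.one_way_latency_s


def _hop(pdu: bytes, now: float, relay: Optional[LinkLayerRelay]) -> Tuple[bytes, float]:
    """One radio hop, optionally passing through the relay."""
    now += AIR_LATENCY_S
    if relay is not None:
        pdu, now = relay.forward(pdu, now)
    return pdu, now


@dataclass
class VehicleUnlock:
    key: bytes
    require_user_tap: bool = False

    def attempt(self, fob: KeyFob, relay: Optional[LinkLayerRelay], now: float) -> dict:
        challenge = os.urandom(16)
        pdu, t = _hop(challenge, now, relay)          # vehicle -> fob
        response = fob.respond(pdu, t)
        if response is not None:
            response, t = _hop(response, t, relay)    # fob -> vehicle
        rtt = t - now
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        authenticated = response is not None and hmac.compare_digest(response, expected)
        within_latency = rtt <= LATENCY_BUDGET_S
        presence_ok = fob.user_tapped_unlock or not self.require_user_tap
        return {
            "authenticated": authenticated,
            "within_latency": within_latency,
            "presence_ok": presence_ok,
            "unlocked": authenticated and within_latency and presence_ok,
            "rtt_s": round(rtt, 6),
        }


def scenario_owner_nearby() -> dict:
    fob = KeyFob(SHARED_KEY, last_motion_at=95.0)   # owner walked up 5 s ago
    return VehicleUnlock(SHARED_KEY).attempt(fob, relay=None, now=100.0)


def scenario_relay_defeats_crypto_and_latency() -> dict:
    # Fob set down 30 s ago; the HMAC check and a 30 ms budget are both in place,
    # yet the relayed exchange is valid and the round trip fits the budget.
    fob = KeyFob(SHARED_KEY, last_motion_at=70.0)
    return VehicleUnlock(SHARED_KEY).attempt(fob, LinkLayerRelay(RELAY_LATENCY_S), now=100.0)


def scenario_relay_vs_idle_timeout() -> dict:
    fob = KeyFob(SHARED_KEY, last_motion_at=0.0)    # still for 100 s, past the timeout
    return VehicleUnlock(SHARED_KEY).attempt(fob, LinkLayerRelay(RELAY_LATENCY_S), now=100.0)


def scenario_relay_vs_user_tap() -> dict:
    fob = KeyFob(SHARED_KEY, last_motion_at=70.0)   # recently moved, but no tap
    vehicle = VehicleUnlock(SHARED_KEY, require_user_tap=True)
    return vehicle.attempt(fob, LinkLayerRelay(RELAY_LATENCY_S), now=100.0)


if __name__ == "__main__":
    for fn in (scenario_owner_nearby, scenario_relay_defeats_crypto_and_latency,
               scenario_relay_vs_idle_timeout, scenario_relay_vs_user_tap):
        print(fn.__name__, fn())
```

The relay scenario is the one to dwell on: the vehicle sees a correct HMAC over its own fresh challenge and a round trip well inside its budget, because the relay only adds milliseconds and never has to understand the PDUs it forwards. Only the two mitigations that depend on something the relay cannot forward, the fob’s own motion state and a deliberate user action, change the outcome.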
Since the attack can be launched from anywhere, users should find out which of their devices use BLE proximity authentication and disable, or at least limit, passive unlocking. Manufacturers and system makers should rethink which technologies they rely on to unlock devices and consider whether BLE belongs in such products at all, given how easily it can be misused.