A problem has been reported in which someone else can open the door of a Tesla car without permission with one touch, and a demonstration movie has also been released



By hacking the function that unlocks the door over Bluetooth, which is installed in Tesla's EVs 'Model 3' and 'Model Y', it is possible for someone other than the original owner to unlock the car, security company NCC Group has announced. It has been pointed out that it will take time for manufacturers to take measures because it is a complicated problem.

Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to Relay Attacks – NCC Group Research
https://research.nccgroup.com/2022/05/15/technical-advisory-tesla-ble-phone-as-a-key-passive-entry-vulnerable-to-relay-attacks/

Hackers can steal your Tesla Model 3, Y using new Bluetooth attack
https://www.bleepingcomputer.com/news/security/hackers-can-steal-your-tesla-model-3-y-using-new-bluetooth-attack/

If you play the following movie, you can see how the door of the Tesla car is actually unlocked by hacking.

Hacking Tesla Model Y using new BLE relay attack on Vimeo


Tesla's Model Y has the ability to use Bluetooth to detect when the owner is approaching and unlock it by simply pressing the door handle.



In the demonstration, the smartphone is first placed in a room away from the car. Bluetooth has a short communication distance, so no one else should be able to open the door without permission.



However, when the security researchers operate a laptop instead of the smartphone ...



The door opened easily.



This attack is a relay attack that impersonates the original owner by intercepting Bluetooth Low Energy (BLE) communication. In this demonstration, the distance between the iPhone and the car was 25 meters, but the car could be unlocked with a signal from the iPhone using two repeaters placed 7 meters from the iPhone and 3 meters from the car.

To prevent such attacks, products that use BLE have a mechanism to check for delays and detect fraud. However, this time NCC Group developed a method that operates in the 'link layer' that controls Bluetooth, and succeeded in keeping the delay to 8 milliseconds, which is significantly shorter than the allowable range of 30 milliseconds.
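The following Python sketch is an added example, not code from NCC Group or Tesla. It models the delay check described above using the article's 30 ms allowance and 8 ms relay delay; the baseline and the response-time samples are constructed, and treating the 8 ms as delay added on top of a direct response is an assumption.

```python
# Added illustration of a latency-bound check. The 30 ms allowance and the
# 8 ms relay delay are the article's figures; BASELINE_MS and DIRECT are
# constructed sample values, not measurements from any vehicle.
SPEED_OF_LIGHT_KM_PER_MS = 299.792458

BASELINE_MS = 12.0                               # constructed: fastest direct response
DIRECT = [12.0, 13.5, 15.0, 19.0, 24.5, 31.0]    # constructed: direct responses with jitter


def accepts(response_ms, baseline_ms, allowance_ms):
    """Accept the unlock if the response is no later than baseline + allowance."""
    return response_ms - baseline_ms <= allowance_ms


def slack_as_distance_km(allowance_ms):
    """One-way radio distance whose round trip fits inside the allowance."""
    return SPEED_OF_LIGHT_KM_PER_MS * allowance_ms / 2


def tightest_safe_allowance(direct_ms, baseline_ms):
    """Smallest allowance that still accepts every legitimate sample."""
    return max(s - baseline_ms for s in direct_ms)


def evaluate(direct_ms, baseline_ms, allowance_ms, relay_delay_ms):
    """Count legitimate sessions rejected and relayed sessions accepted."""
    false_rejects = sum(
        not accepts(s, baseline_ms, allowance_ms) for s in direct_ms)
    relays_accepted = sum(
        accepts(s + relay_delay_ms, baseline_ms, allowance_ms) for s in direct_ms)
    return {"false_rejects": false_rejects, "relays_accepted": relays_accepted}


if __name__ == "__main__":
    # Article's figures: every relayed session passes the check.
    print("allowance 30 ms:", evaluate(DIRECT, BASELINE_MS, 30.0, 8.0))
    # Tightening below the relay delay rejects relays but also real owners.
    print("allowance 7 ms: ", evaluate(DIRECT, BASELINE_MS, 7.0, 8.0))
    print("jitter floor ms:", tightest_safe_allowance(DIRECT, BASELINE_MS))
    print("30 ms of slack ~ %.0f km one way" % slack_as_distance_km(30.0))
```

With these constructed samples, the normal jitter of direct connections (19 ms) is already larger than the relay's 8 ms, so no single threshold both accepts every owner and rejects the relay, which is why a millisecond-scale delay check cannot stand in for a proximity measurement.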

NCC Group reported the technique to Tesla, but the company replied that 'relay attacks are a known limitation of passive entry systems.' Bleeping Computer, an IT news site, said, 'The method of providing a fix for this security issue is complicated, and even if immediate action is taken, it is expected that it will take a long time for the affected products to be updated,' indicating that this problem will not be fundamentally resolved for the foreseeable future.

Bleeping Computer also made a suggestion to users of Tesla cars and other devices that unlock via Bluetooth: 'If possible, we should disable this method of authentication and switch to another authentication method that requires user action.' For example, for Tesla vehicles, it is recommended to use a 'drive PIN' to set a PIN for added security.

in Ride,   Video,   Security, Posted by log1l_ks