It was about a decade ago or so that I first began looking at the hacking potential for various models. Around 2012 or so, stories began to appear where researchers were showing how easy it was to hack into the computer systems of various vehicles from, at times, reasonably good distances. Though you needed to have some way to gain direct access to a vehicle's computer system once you had it, you could hack into vehicle systems from some pretty impressive ranges.
More And More Hacking Stories Appear
As the decade wore on, more and more stories appeared that showed how researchers could hack into and access vehicles like the Jeep and others. Many began to wonder if there was a real problem with automotive computers and over-the-air systems. Just this week, the NCC Group renewed this debate. This time, though, it pointed to an almost omnipresent technology, Bluetooth. It is an active radio frequency (RF) based tech that most cars built over the last 20 years include in one way or another.
The NCC Group pointed out that Bluetooth was a way that hackers could access various automotive systems. NCC looked specifically at Teslas.
Autoblog, quoting Reuters, which also quoted NCC Group researcher Sultan Qasim Khan, notes that they were "’ able to open and then drive a Tesla using a small relay device attached to a laptop which bridged a large gap between the Tesla and the Tesla owner’s phone.’” The NCC Group demonstrated how it found this vulnerability and how it applies to Teslas worldwide.
Focusing on Tesla Models 3 and Y, the NCC Group looked at Bluetooth Low Energy (BLE) devices. The devices allow owners “to unlock and operate their vehicle via their phones within a short range of the vehicle. They don’t require any user interaction with the device to do so. As for the vulnerability, all the hardware you need to hack/break into and drive these cars is easily found … it only requires ‘cheap off-the-shelf hardware’ to hack a car or device using BLE technology from anywhere in the world. Yes, this hack is doable from anywhere – the hacker doesn’t need to be standing in your driveway to gain access.”
All Tesla Models 3 and Y Are Affected
Though they looked at a 2021 Tesla Model Y, the NCC Group says its “exploit works on all Tesla Model 3s and Ys. And while the focus here has been squarely on Teslas, it’s important to note that all BLE-based proximity authentication systems are vulnerable.”
Bluetooth technology is widely used. You will find it in “residential smart locks, commercial building access control systems, smartphones, smartwatches, laptops, and more,” says the NCC Group.
And while the research focuses on Teslas, you will find that Fords use Bluetooth technology when it comes to using the hands-free feature of smartphones. The automaker’s various SYNC generations will pair with a smartphone or smartphones so that various users have hands-free access. As NCC’s Khan notes, “What makes this powerful is not only that we can convince a Bluetooth device that we are near it — even from hundreds of miles away — but that we can do it even when the vendor has taken defensive mitigations like encryption and latency bounding to protect these communications from attackers at a distance theoretically,” says Khan. “All it takes is 10 seconds — and these exploits can be repeated endlessly.”
Autoblog notes that “other car manufacturers are introducing ‘phone-as-key’ features that use BLE technology to function. For example, Hyundai has already launched such a feature in the U.S. The penetration into the market for those cars is vastly lower than all of the Tesla vehicles currently employing the tech.” The NCC group says there are at least “two million Teslas on the road that are vulnerable to this attack.”
And while it has exposed this potential hacker exploitive technology, the “NCC Group doesn’t have any grand answers to the problem, and it criticizes those who use BLE as a security system because it’s a use of the tech” that is beyond its ‘intended purpose.’” BLE authentication was “never intended for use in locking mechanisms that required security, but companies have adopted it anyway.
Group Has Some Security Suggestions
NCC does have some suggestions that “manufacturers could” use to “reduce the risk of the hack.” For example, it suggests “disabling proximity key functionality when a user’s phone has been stationary for a while based on its accelerometer.” And it suggests a “dual-factor authentication model that would require you to tap a button on your phone to unlock the car, as opposed to passive entry.” And finally, it suggests that you “turn Bluetooth off on your phone when you don’t need it. Of course, that’s inconvenient, but it may save your car from being stolen in the meantime.”
If you want to find out more about the NCC Group’s research and how it “uncovered this vulnerability and the tech behind it,” you can check out these links: NCC Group uncovers Bluetooth Low Energy (BLE) vulnerability that puts millions of cars, mobile devices and locking systems at risk | NCC Group Newsroom and Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to Relay Attacks – NCC Group Research
Image courtesy Tesla Motors
Marc Stern has been an automotive writer since 1971 when an otherwise normal news editor said, "You're our new car editor," and dumped about 27 pounds of auto stuff on my desk. I was in heaven as I have been a gearhead from my early days. As a teen, I spent the usual number of misspent hours hanging out at gas stations Shell and Texaco (a big thing in my youth) and working on cars. From there on, it was a straight line to my first column for the paper, "You Auto Know," an enterprise that I handled faithfully for 32 years. Not many people know that I also handled computer documentation for a good part of my living while writing YAN. My best writing, though, was always in cars. My work has appeared in Popular Mechanics, Mechanix Illustrated, AutoWeek, SuperStock, Trailer Life, Old Cars Weekly, Special Interest Autos, etc. You can follow me on: Twitter or Facebook.