A new vulnerability in Bluetooth Low Energy (BLE) has been discovered and can be exploited by an attacker to remotely access mobile phones, smart watches, laptops, smart locks, cars, etc.
The flaw itself was discovered by the NCC Group, which successfully exploited it to carry out the world’s first link-layer relay attack. The company created a relay attack tool for devices communicating via BLE and used it to unlock and even drive a Tesla Model 3 when its key fob was out of reach.
The reason this vulnerability is of concern is because of how Bluetooth proximity authentication mechanisms (which are used to unlock devices within a certain range) can be easily broken using off-the-shelf cheap hardware. In fact, an attacker doesn’t even need to know how to code to exploit it because they can use a Bluetooth development board and off-the-shelf programs to do so.
Senior Security Consultant and Researcher at NCC Group, Sultan Qasim Khan, provided additional information on the research he has done on this new BLE vulnerability and how it can even bypass encryption in a press release, saying:
“What makes this powerful is not only that we can convince a Bluetooth device that we are close to it, even hundreds of miles away, but we can do so even when the provider has taken defensive measures like encryption and latency throttling to theoretically protect these communications from remote attackers. It only takes 10 seconds and these exploits can be repeated indefinitely. This research bypasses typical countermeasures against remote adversarial vehicle unlocking and changes the way engineers and consumers need to think about Bluetooth Low Energy communications security.”
Huge potential attack surface
As Bluetooth Low Energy has become increasingly common in consumer and business devices, the potential attack surface for this vulnerability is massive.
In addition to the Tesla Model 3 and Y, other cars with automotive keyless entry are also vulnerable and an attacker could exploit this flaw to unlock, start and drive someone else’s vehicle. At the same time, laptops with an activated Bluetooth proximity unlock function are affected as well as smartphones.
Even your own home could be broken into if you switched from a traditional lock to a smart lock. In fact, the NCC Group has successfully unlocked Kwikset/Weiser Kevo smart locks with this attack and has already disclosed this information to the company. Similarly, access control systems used in corporations and small businesses can be unlocked, and an attacker could enter a company’s office posing as an employee.
Not intended for critical systems
Originally developed by Nokia in 2006 as Wibree, Bluetooth Low Energy was originally intended to reduce power consumption and costs with a range similar to that of existing Bluetooth devices. For example, headphones with BLE could last longer without needing to be recharged.
As the NCC Group points out, BLE-based proximity authentication was not originally designed for use in critical systems such as locking mechanisms in cars or smart locks.
Unfortunately, this new vulnerability is neither a traditional bug that can be fixed with a hotfix nor an error in the Bluetooth specification itself; it stems from relying on BLE proximity as proof that the user is physically present.
Protect against attacks on devices with BLE
In order to protect against attackers exploiting this flaw in the wild, the NCC Group recommends that you disable passive unlock functionality on your devices as well as disable their Bluetooth functionality when not needed.
Meanwhile, manufacturers can reduce the risk to their products by disabling key features when a user’s phone or key fob has been sitting still for a period of time, using data from its accelerometer. System manufacturers should also offer their customers the ability to add a second factor for user authentication or attestation when an unlock button is pressed in the phone app, for cars that use the phone as a BLE key.
Tom’s Guide contacted the Bluetooth Special Interest Group (SIG), which oversees the development of Bluetooth standards, and it provided the following statement about it:
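To make the recommended mitigation concrete, here is an added example (not NCC Group’s tool, nor any vendor’s code) of the policy logic a phone-as-key or key-fob app could apply: passive unlock is only honoured while the key device has moved recently according to its accelerometer, and once it has been at rest for longer than a timeout, an unlock request must be confirmed with a second factor. The thresholds, the sample format and the accelerometer readings are all constructed assumptions for the demonstration.

```python
import math
from dataclasses import dataclass
from typing import Iterator, Optional

# Assumed policy parameters (constructed for this example; a real product
# would tune these against its own sensor data).
STATIONARY_THRESHOLD_G = 0.05   # deviation from 1 g that still counts as "at rest"
STATIONARY_TIMEOUT_S = 30.0     # at rest longer than this => no passive unlock


@dataclass
class AccelSample:
    """One accelerometer reading: timestamp in seconds, axes in g."""
    t: float
    x: float
    y: float
    z: float


class PassiveUnlockPolicy:
    """Gate passive (proximity-only) unlock on recent physical motion of the key device.

    A relayed BLE session can fake proximity, but it cannot make a phone that is
    lying on a hall table move, so motion is used as a second signal of presence.
    """

    def __init__(self, stationary_timeout_s: float = STATIONARY_TIMEOUT_S,
                 threshold_g: float = STATIONARY_THRESHOLD_G) -> None:
        self.timeout = stationary_timeout_s
        self.threshold = threshold_g
        self.last_motion_t: Optional[float] = None   # None => no motion ever seen (fail closed)
        self._prev_mag: Optional[float] = None

    def feed(self, s: AccelSample) -> None:
        """Ingest one sample; record the time whenever the device looks like it is moving."""
        mag = math.sqrt(s.x * s.x + s.y * s.y + s.z * s.z)
        # At rest the magnitude is ~1 g (gravity only). Movement shows up either as a
        # deviation from 1 g or as a jump between consecutive readings.
        jump = 0.0 if self._prev_mag is None else abs(mag - self._prev_mag)
        moving = abs(mag - 1.0) > self.threshold or jump > self.threshold
        if moving:
            self.last_motion_t = s.t
        self._prev_mag = mag

    def stationary_for(self, now: float) -> float:
        """Seconds since the last detected motion; infinite if none has been seen."""
        if self.last_motion_t is None:
            return math.inf
        return now - self.last_motion_t

    def passive_unlock_allowed(self, now: float) -> bool:
        return self.stationary_for(now) < self.timeout

    def decide(self, now: float, second_factor_ok: bool = False) -> str:
        """Return the unlock decision for a request arriving at time `now`."""
        if self.passive_unlock_allowed(now):
            return "UNLOCK_PASSIVE"
        if second_factor_ok:          # e.g. user confirmed a button press in the app
            return "UNLOCK_WITH_SECOND_FACTOR"
        return "DENY"


def constructed_samples() -> Iterator[AccelSample]:
    """Constructed trace: 6 s of walking (0.5 g lateral jitter), then at rest until t=60 s."""
    for t in range(0, 6):
        yield AccelSample(float(t), 0.5, 0.0, 1.0)
    for t in range(6, 61):
        yield AccelSample(float(t), 0.0, 0.0, 1.0)


def run_demo() -> dict:
    policy = PassiveUnlockPolicy()
    for sample in constructed_samples():
        policy.feed(sample)
    return {
        "t=20": policy.decide(20.0),                        # moved 14 s ago -> passive ok
        "t=45": policy.decide(45.0),                        # at rest 39 s -> denied
        "t=45+2fa": policy.decide(45.0, second_factor_ok=True),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The policy fails closed: before any motion has been observed it refuses passive unlock, and the second factor is required only once the device has been still past the timeout, so a key carried in a pocket still unlocks hands-free.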
“The Bluetooth Special Interest Group (SIG) prioritizes security and the Bluetooth specifications include a set of features that provide developers with the tools they need to secure communications between Bluetooth devices and implement the level of security appropriate for their products. All Bluetooth specifications are subject to security reviews during the development process.
Additionally, Bluetooth technology is an open global standard, and the Bluetooth SIG encourages active review of specifications by the security research community. The SIG also provides educational resources to the developer community to help them implement the appropriate level of security in their Bluetooth products, as well as a vulnerability response program that works with the security research community to address responsibly identified vulnerabilities in Bluetooth specifications. The Bluetooth LE Security Study Guide and Bluetooth Security and Privacy Best Practices Guide are designed to help developers make the appropriate security choices for their Bluetooth-enabled products and solutions.”
Now that the NCC Group has successfully carried out a link-layer relay attack on BLE, automakers and device makers are likely to start finding ways to protect their products against this new type of attack. In the meantime, you should probably turn off Bluetooth when you’re not using it to protect your devices from any potential attacks exploiting this vulnerability.