A new vulnerability in the Bluetooth Low Energy (BLE) protocol has been discovered that can be exploited by an attacker to remotely gain access to mobile phones, smart watches, laptops, smart locks, cars and more.
The flaw itself was discovered by the NCC Group, which successfully exploited it to conduct the world’s first link layer relay attack. The firm created a relay attack tool for devices communicating over BLE and used it to unlock and even drive a Tesla Model 3 when its key fob was out of range.
The reason this vulnerability is cause for concern is due to how Bluetooth proximity authentication mechanisms (that are used to unlock devices within a certain range) can be easily broken using cheap off-the-shelf hardware. In fact, an attacker doesn’t even need to know how to code to exploit it as they can use a Bluetooth developer board and ready-made programs to do so.
Sultan Qasim Khan, principal security consultant and researcher at the NCC Group, provided further insight into the research he conducted on this new BLE vulnerability, and how it can even bypass encryption, in a press release, saying:
“What makes this powerful is not only that we can convince a Bluetooth device that we are near it—even from hundreds of miles away—but that we can do it even when the vendor has taken defensive mitigations like encryption and latency bounding to theoretically protect these communications from attackers at a distance. All it takes is 10 seconds—and these exploits can be repeated endlessly. This research circumvents typical countermeasures against remote adversarial vehicle unlocking, and changes the way engineers and consumers alike need to think about the security of Bluetooth Low Energy communications.”
A huge potential attack surface
As Bluetooth Low Energy has become increasingly common in both consumer and business devices, the potential attack surface for this vulnerability is massive.
In addition to the Tesla Model 3 and Y, other cars with keyless entry are also vulnerable, and an attacker could leverage this flaw to unlock, start and drive someone else’s vehicle. Laptops with a Bluetooth proximity unlock feature enabled are affected as well, as are smartphones.
Even your own home could be broken into if you’ve upgraded from a traditional lock to a smart lock. In fact, the NCC Group successfully exploited smart locks from Kwikset/Weiser Kevo and already disclosed this information to the company. Likewise, access control systems used in both enterprise and small businesses can be unlocked and an attacker could enter a company’s office pretending to be an employee.
Not intended for critical systems
Originally developed by Nokia back in 2006 as Wibree, Bluetooth Low Energy was intended to provide reduced power consumption and cost with a range similar to that of existing Bluetooth devices. For instance, headphones with BLE could last longer without needing to be recharged.
As the NCC Group points out, though, BLE-based proximity authentication was not originally designed for use in critical systems such as the locking mechanisms in cars or smart locks.
Unfortunately, this new vulnerability isn’t a traditional bug that can be fixed with a software patch, nor is it an error in the Bluetooth specification itself.
Protecting yourself from attacks on devices with BLE
In order to protect yourself from attackers leveraging this flaw in the wild, the NCC Group recommends that you disable passive unlock functionality on your devices as well as turn off their Bluetooth functionality when it’s not needed.
Meanwhile, manufacturers can reduce the risk to their products by using accelerometer data to disable key functionality when a user’s phone or key fob has been stationary for some time. System makers should also give their customers the option of adding a second factor for authentication, or a user presence attestation such as having to tap an unlock button in the app on the phone that serves as the key fob for a car with BLE support.
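The two manufacturer-side mitigations described above (disable passive unlock once the key has been still for a while, and fall back to an explicit tap in the app) can be modelled as a small gate on the key side. This is an added example, not NCC Group’s or any vendor’s code; the thresholds and the accelerometer samples are constructed for illustration.

```python
from dataclasses import dataclass
from math import sqrt
from typing import Optional

# Illustrative thresholds; these are assumptions, not values from the article.
STATIONARY_AFTER_S = 30.0   # no motion for this long -> passive unlock is disabled
MOTION_THRESHOLD_G = 0.05   # deviation from the 1 g gravity baseline that counts as motion
CONFIRM_VALID_S = 10.0      # how long an explicit tap in the app stays valid


@dataclass
class PassiveUnlockGate:
    """Decides whether a proximity-triggered unlock may proceed."""
    now: float = 0.0
    last_motion_at: float = 0.0
    confirmed_at: Optional[float] = None

    def feed(self, t: float, ax: float, ay: float, az: float) -> None:
        """Consume one accelerometer sample (units of g) taken at time t (seconds)."""
        self.now = t
        magnitude = sqrt(ax * ax + ay * ay + az * az)
        # A resting device reads roughly 1 g from gravity alone; a deviation means it moved.
        if abs(magnitude - 1.0) > MOTION_THRESHOLD_G:
            self.last_motion_at = t

    def is_stationary(self) -> bool:
        return self.now - self.last_motion_at >= STATIONARY_AFTER_S

    def confirm_presence(self, t: float) -> None:
        """Record the user tapping the unlock button in the app (the second factor)."""
        self.now = max(self.now, t)
        self.confirmed_at = t

    def allow_unlock(self) -> bool:
        """Called when the vehicle believes the key is in range.

        A relayed session looks the same at the link layer, so proximity alone is
        not trusted once the key has been still: only a fresh explicit tap passes.
        """
        if not self.is_stationary():
            return True
        return self.confirmed_at is not None and self.now - self.confirmed_at <= CONFIRM_VALID_S


def scenario_key_left_on_table() -> bool:
    """Key rests flat for a minute, then an unlock request arrives: refused."""
    gate = PassiveUnlockGate()
    for i in range(60):                        # 1 Hz samples, device lying flat
        gate.feed(float(i), 0.0, 0.0, 1.0)
    return gate.allow_unlock()


def scenario_owner_walks_up() -> bool:
    """Same key, but the owner picks it up and walks over: unlock proceeds."""
    gate = PassiveUnlockGate()
    for i in range(60):
        gate.feed(float(i), 0.0, 0.0, 1.0)
    gate.feed(60.0, 0.3, 0.1, 1.1)            # jolt from picking the key up
    return gate.allow_unlock()
```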
Tom’s Guide reached out to the Bluetooth Special Interest Group (SIG), which oversees the development of Bluetooth standards, and it provided the following statement on the matter:
“The Bluetooth Special Interest Group (SIG) prioritizes security and Bluetooth specifications include a collection of features that provide developers the tools they need to secure communications between Bluetooth devices and implement the appropriate level of security for their products. All Bluetooth specifications are subject to security reviews during the development process.
In addition, Bluetooth technology is an open, global standard, and the Bluetooth SIG encourages active review of the specifications by the security research community. The SIG also provides educational resources to the developer community to help them implement the appropriate level of security within their Bluetooth products, as well as a vulnerability response program that works with the security research community to address vulnerabilities identified within Bluetooth specifications in a responsible manner. The Bluetooth LE Security Study Guide and Bluetooth Security and Privacy Best Practices Guide are designed to help developers make the appropriate security choices for their Bluetooth enabled products and solutions.”
Now that the NCC Group has successfully carried out a link layer relay attack on BLE, automakers and device makers will likely begin coming up with ways to protect their products from this novel attack type. In the meantime, though, you should probably disable Bluetooth when you’re not using it to protect your devices from any potential attacks leveraging this vulnerability.