> “BLE proximity authentication systems typically measure the distance of a device by the response time, so if the device is too far away from the device to be unlocked, the response time will be too long and the authentication won’t work.”

> “The tool that researchers at NCC Group developed adds just 8 milliseconds of latency in the response time”

Radio waves propagate at the speed of light, so a signal can travel about 2400 km in 8ms. I think there are some key aspects of the Bluetooth LE proximity auth protocol that the article is missing, which makes the whole thing sound like nonsense.

I think the real reason that Bluetooth LE proximity authentication is broken is that it is a passive communication protocol. They do hint at this in the article. Imagine how broken TLS would be if there was no two-way communication to negotiate proofs.
I guess if you had a partner, someone could be in the parking lot looking for Teslas being parked, then a partner could tail that person and relay over cellular to the first standing near the car?

I'm wondering what the point of this attack is. Any thief who wants in my car will just bust the windows. If they do the relay attack they can steal the car, but the car has GPS and can be locked down remotely, so it seems like a high-risk, low-reward crime?
Chromebooks have a similar 'unlock with phone' feature but add that the phone must be unlocked - basically utilizing the biometrics of the phone to unlock the computer regardless of biometric hardware presence. It also uses a pretty tight proximity radius (<0.5 meters I'd guess). But if someone could combine this relay exploit with social engineering to get the target to unlock their phone (like an incoming text/notification), maybe that would get computer access. Perhaps there's a more complex handshake that takes place but if not, seems valuable.
I'd implement two mitigation features ASAP:

1. Disable the ability to unlock the car if the phone has been stationary for a while. No more siphoning authentication from a phone on the nightstand.

2a. Set up phone presence inside the car as a second authentication factor for starting the car. BMWs can detect if the key is inside or outside the car; I imagine the same positioning can be detected out of a Bluetooth+WiFi+NFC radio source.

2b. If phone positioning would require extra hardware, an alternative is using phone NFC as authentication (I think the keycard is NFC, so the hardware should be present).
This is not even the first time, if we look at the car industry. Possibly different wireless protocol, but same idea: proximity without (tight-enough) time-of-flight check. How has Tesla not learned the lesson?
Can someone please help me understand how using a relay device defeats proximity detection by time of flight? It’s not like the relay device can talk to the remote device faster than the speed of the original signal.
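The two comments above (the 2400 km figure, and the question of how a relay can defeat a time-of-flight check) come down to one point: a relay cannot beat the speed of light, but a response-time check that tolerates milliseconds leaves room for a relay that adds only 8 ms, whereas a check with a nanosecond budget (the kind UWB-style distance bounding enforces) does not. The model below is an added example, not code from the thread or from NCC Group; the two budgets (30 ms for a millisecond-scale response window, 100 ns for a time-of-flight budget) are assumed values for illustration.

```python
"""Response-time windows vs. time-of-flight distance bounding (added example).

A proximity check accepts a response if it arrives within a budget. A relay adds
latency on top of the genuine round trip; whether that is detectable depends
entirely on how tight the budget is relative to the speed of light.
"""

C = 299_792_458.0  # speed of light in vacuum, metres per second


def one_way_distance_m(delay_s: float) -> float:
    """How far a radio signal travels in delay_s (the 2400 km figure in the thread)."""
    return C * delay_s


def distance_upper_bound_m(rtt_s: float) -> float:
    """Distance bounding: a response seen after rtt_s cannot have originated
    farther away than c * rtt / 2, because the signal had to go out and back."""
    return C * rtt_s / 2.0


def round_trip_s(distance_m: float, added_delay_s: float = 0.0) -> float:
    """Round-trip time to a responder at distance_m, plus any relay/processing delay."""
    return 2.0 * distance_m / C + added_delay_s


def accepts(rtt_s: float, budget_s: float) -> bool:
    """The proximity check itself: the response arrived inside the budget."""
    return rtt_s <= budget_s


# Assumed budgets, chosen to illustrate the two regimes.
MS_BUDGET_S = 30e-3    # a millisecond-scale response window (BLE connection-event scale)
TOF_BUDGET_S = 100e-9  # a time-of-flight budget; 100 ns of round trip bounds distance to ~15 m


def run_scenarios() -> dict:
    """Compare a genuine phone 1 m away with a relayed path that adds 8 ms of latency."""
    honest = round_trip_s(1.0)
    relayed = round_trip_s(1.0, added_delay_s=8e-3)  # relay hardware in the path adds 8 ms
    return {
        "km_in_8ms": one_way_distance_m(8e-3) / 1000.0,
        "honest_accepted_ms": accepts(honest, MS_BUDGET_S),
        "relayed_accepted_ms": accepts(relayed, MS_BUDGET_S),    # the relay passes a ms-scale check
        "honest_accepted_tof": accepts(honest, TOF_BUDGET_S),
        "relayed_accepted_tof": accepts(relayed, TOF_BUDGET_S),  # but not a ns-scale ToF budget
        "relayed_distance_bound_km": distance_upper_bound_m(relayed) / 1000.0,
    }


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

The takeaway for a defender is that "measures distance by response time" only means something if the budget is on the order of the signal's flight time; a window measured in milliseconds bounds the responder to roughly a thousand kilometres, which is no proximity check at all.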
Tesla provides (two-step) Multi-Factor Authentication to be able to drive the car:

- Unlock the car via BLE. Not able to drive away.

- Enter a PIN-to-drive on the car screen, to turn on the virtual ignition. Able to drive away.

Unfortunately, the PIN-to-drive is not enabled by default.

PIN-to-drive can be bypassed through the Tesla mobile app, and this bypass is not relayed to the car via BLE but rather via the link between car and Tesla servers.

Therefore, someone with proximity to a locked phone can unlock the car, and someone with access to an unlocked phone can unlock the car and drive away.
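The mitigations proposed earlier in the thread (refuse to unlock from a phone that has been stationary for a long time; require the phone to be inside the cabin, or an NFC tap, before the car will drive) and the two-step unlock/drive split described in the comment above can be written down as one authorisation policy. This is an added example, not Tesla's or anyone else's code; the `PhoneState` fields, the 30-minute stationary limit and the notion of an in-cabin positioning signal are assumptions, and the policy models only what the comments propose.

```python
"""Unlock/drive authorisation policy modelling the thread's proposals (added example)."""

from dataclasses import dataclass

# Assumed: how long a phone may sit motionless before BLE proximity alone stops
# being accepted as an unlock token (a phone on a nightstand overnight exceeds this).
STATIONARY_LIMIT_S = 30 * 60


@dataclass
class PhoneState:
    ble_authenticated: bool  # passive BLE proximity proof succeeded (what a relay can forward)
    stationary_s: float      # seconds since the phone's motion sensors last saw movement
    inside_cabin: bool       # assumed positioning signal: phone located inside the car
    nfc_tapped: bool         # phone presented to the in-car NFC reader
    pin_to_drive_ok: bool    # driver entered the PIN on the car screen


def may_unlock(p: PhoneState) -> bool:
    """Step 1 (unlock only): BLE proximity, but not from a phone that has been
    motionless for longer than the limit (mitigation 1 in the thread)."""
    return p.ble_authenticated and p.stationary_s < STATIONARY_LIMIT_S


def may_drive(p: PhoneState, pin_to_drive_enabled: bool) -> bool:
    """Step 2 (drive): unlock must have succeeded, a second factor must place the
    phone at the car (in-cabin positioning, or an NFC tap; mitigations 2a/2b),
    and PIN-to-drive, when enabled, must have been entered on the car screen."""
    if not may_unlock(p):
        return False
    if pin_to_drive_enabled and not p.pin_to_drive_ok:
        return False
    return p.inside_cabin or p.nfc_tapped


def evaluate_scenarios() -> dict:
    """Constructed scenarios: an owner in the car, an owner walking nearby whose
    proximity proof is forwarded, and a phone left motionless on a nightstand."""
    owner_in_car = PhoneState(True, 5.0, True, False, True)
    forwarded_walking = PhoneState(True, 5.0, False, False, False)
    nightstand = PhoneState(True, 8 * 3600.0, False, False, False)
    return {
        "owner_unlock": may_unlock(owner_in_car),
        "owner_drive": may_drive(owner_in_car, pin_to_drive_enabled=True),
        "forwarded_unlock": may_unlock(forwarded_walking),      # unlock still possible
        "forwarded_drive": may_drive(forwarded_walking, False),  # but no second factor at the car
        "nightstand_unlock": may_unlock(nightstand),             # stationary limit refuses it
        "nightstand_drive": may_drive(nightstand, False),
    }


if __name__ == "__main__":
    for key, value in evaluate_scenarios().items():
        print(f"{key}: {value}")
```

The stationary check addresses the "phone on the nightstand" case from the thread but, as the walking-owner scenario shows, not a phone that is in use nearby; that gap is what the second factor at the car is for.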