Skip to Content

New Bluetooth relay attack bypasses current defenses

Sultan Qasim Khan, a senior security researcher for NCC Group, delivered some spectacular research on Monday when he published details about a new relay attack that works at a much deeper level of the Bluetooth Low Energy (BLE) protocol than previously known relay attack techniques and which can bypass all existing defenses.

New Bluetooth relay attack bypasses current defenses
Khan said his new attack could be used to bypass security systems that rely on users presenting a BLE device as an “authentication by proximity” mechanism. This includes devices such smart car key fobs, residential smart locks, building access control systems, and security solutions that rely on using a smartphone or a laptop’s BLE sensor as an entry/authorization key.

These systems are vulnerable to “relay attacks” where a threat actor intercepts BLE signals from the legitimate device and passes them using relay equipment to the actual system, even if the original BLE device is nowhere near, effectively creating a clone.

This type of attack has been known for decades, and recent anti-relay protections have been developed to challenge BLE devices in a request-response communications model and then detect any extra latency added to BLE traffic when the attacker relays these challenges. If the latency is high, the BLE device is denied access, being classified as a potential threat.

Khan said that he developed a tool that works at the BLE link layer and which introduces a much smaller delay to existing communications, and that even works even if link encryption is enabled.

The NCC Group researcher said he verified his tool by launching successful BLE relay attacks against Tesla’s Phone-as-a-Key system and Kevo smart locks, but that many other devices are almost certainly vulnerable as well.

Since last year, Khan has worked to notify affected vendors and the Bluetooth SIG team of his research and about possible ways to mitigate his new relay technique. He said the Bluetooth SIG team took note of his work and said that “more accurate ranging mechanisms are under development.”

    Ads Blocker Image Powered by Code Help Pro

    Your Support Matters...

    We run an independent site that\'s committed to delivering valuable content, but it comes with its challenges. Many of our readers use ad blockers, causing our advertising revenue to decline. Unlike some websites, we haven\'t implemented paywalls to restrict access. Your support can make a significant difference. If you find this website useful and choose to support us, it would greatly secure our future. We appreciate your help. If you\'re currently using an ad blocker, please consider disabling it for our site. Thank you for your understanding and support.