Sultan Qasim Khan, a senior security researcher for NCC Group, delivered some spectacular research on Monday when he published details about a new relay attack that works at a much deeper level of the Bluetooth Low Energy (BLE) protocol than previously known relay attack techniques and which can bypass all existing defenses.
Khan said his new attack could be used to bypass security systems that rely on users presenting a BLE device as an “authentication by proximity” mechanism. This includes devices such smart car key fobs, residential smart locks, building access control systems, and security solutions that rely on using a smartphone or a laptop’s BLE sensor as an entry/authorization key.
These systems are vulnerable to “relay attacks” where a threat actor intercepts BLE signals from the legitimate device and passes them using relay equipment to the actual system, even if the original BLE device is nowhere near, effectively creating a clone.
This type of attack has been known for decades, and recent anti-relay protections have been developed to challenge BLE devices in a request-response communications model and then detect any extra latency added to BLE traffic when the attacker relays these challenges. If the latency is high, the BLE device is denied access, being classified as a potential threat.
Khan said that he developed a tool that works at the BLE link layer and which introduces a much smaller delay to existing communications, and that even works even if link encryption is enabled.
The NCC Group researcher said he verified his tool by launching successful BLE relay attacks against Tesla’s Phone-as-a-Key system and Kevo smart locks, but that many other devices are almost certainly vulnerable as well.
Since last year, Khan has worked to notify affected vendors and the Bluetooth SIG team of his research and about possible ways to mitigate his new relay technique. He said the Bluetooth SIG team took note of his work and said that “more accurate ranging mechanisms are under development.”
NCC Group's Sultan Qasim Khan has developed a generic link layer relay technique for Bluetooth Low Energy which satisfies the latency requirement.
We worked with the Bluetooth SIG (who don't make relay resistance claims) and suggested they inform vendors as to the risk. https://t.co/QM5yvxMh0W
— Ollie Whitehouse (@ollieatnccgroup) May 16, 2022