Researchers have developed a new tool that can execute a novel type of relay attack against devices that perform proximity-based authentication using Bluetooth LE, enabling an attacker to trick a victim device such as a laptop, a smart lock, or even a vehicle into unlocking.
Bluetooth LE proximity authentication is implemented in a range of environments and products, and is designed to let a trusted, nearby device unlock another device. Some vehicles, including Teslas, that use a mobile phone as a key rely on this method, as do some laptops, smart watches, and phones. Many consumer Bluetooth-enabled devices also use BLE-based proximity authentication. Relay attacks, in which a malicious device relays the authentication signal from a legitimate device, are a known issue with these systems, and the typical defenses include encrypting the requests sent over the link layer and/or limiting the response time. The tool that researchers at NCC Group developed adds just 8 milliseconds of latency to the response time, which would not be enough to exceed typical response-time limits.
“With further straightforward refinement of the tool, it would be possible to guarantee that the added response latency is one connection event or less for any connection interval permissible under the Bluetooth specification,” the advisory by Sultan Qasim Khan of NCC Group says.
“Real BLE devices commonly require multiple connection events to respond to GATT requests or notifications and have inherent variability in their response timing. Thus, the latency introduced by this relay attack falls within the range of normal response timing variation.”
BLE proximity authentication systems typically infer the distance of a device from its response time: if the trusted device is too far from the device to be unlocked, the response takes too long and authentication fails. Relay attacks defeat this by relaying the signal from the remote device to the target device.
The researchers tested the attack on a 2020 Tesla Model 3, running the attack tool on an iPhone 13 mini. The iPhone was outside of Bluetooth range of the vehicle, about 25 meters away from the car, with two relaying devices between the iPhone and the car. Using the tool, the researchers were able to unlock the vehicle remotely.
“If an attacker can place a relaying device within signal range of a target BLE device (Victim Device A) trusted for proximity authentication by another device (Victim Device B), then they can conduct a relay attack to unlock and operate Victim Device B,” the advisory says.
“Neither normal GATT (Generic Attribute Profile) response latency nor successful communications over an encrypted link layer can be used as indications that a relay attack is not in progress. Consequently, conventional mitigations to prior BLE relay attacks are rendered ineffective against link layer relay attacks.”
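As an added illustration (not NCC Group's tool or any vendor's implementation), the model below shows why a response-time limit cannot separate a relayed response from a genuine one when the relay adds roughly one connection event of latency; the connection interval, event counts and jitter are assumed values chosen to match the advisory's description of real devices needing several connection events to answer.

```python
"""Timing model of a BLE proximity check with a relay adding ~8 ms (added example)."""
from dataclasses import dataclass

BLE_MIN_INTERVAL_MS = 7.5     # smallest connection interval the Bluetooth spec allows
RELAY_ADDED_LATENCY_MS = 8.0  # latency the NCC Group advisory reports for its relay


@dataclass(frozen=True)
class TimingProfile:
    interval_ms: float   # negotiated connection interval (assumed value)
    min_events: int      # fewest connection events a real device needs to answer a GATT request
    max_events: int      # most events seen in normal operation
    jitter_ms: float     # extra firmware response variability (assumed value)

    def legit_range(self):
        """Fastest and slowest response of the genuine trusted device, in ms."""
        return (self.min_events * self.interval_ms,
                self.max_events * self.interval_ms + self.jitter_ms)

    def relayed_range(self, added_ms=RELAY_ADDED_LATENCY_MS):
        """Same device answered through the relay: every response is shifted by added_ms."""
        lo, hi = self.legit_range()
        return (lo + added_ms, hi + added_ms)


def timing_threshold_outcome(profile, threshold_ms):
    """Return (legit_rejected, relay_accepted) for a 'reject if slower than threshold' rule."""
    _, legit_hi = profile.legit_range()
    relay_lo, _ = profile.relayed_range()
    legit_rejected = legit_hi > threshold_ms   # some genuine responses fail the limit
    relay_accepted = relay_lo <= threshold_ms  # some relayed responses pass it
    return legit_rejected, relay_accepted


def separable_by_timing(profile):
    """True only if a threshold exists that accepts all genuine and rejects all relayed responses."""
    _, legit_hi = profile.legit_range()
    relay_lo, _ = profile.relayed_range()
    return relay_lo > legit_hi


if __name__ == "__main__":
    # Typical device: 30 ms interval, answers in 1 to 3 events, 5 ms jitter (constructed profile).
    typical = TimingProfile(30.0, 1, 3, 5.0)
    print("genuine:", typical.legit_range(), "relayed:", typical.relayed_range())
    print("separable by a timing limit:", separable_by_timing(typical))
    # Only a device that always answers in exactly one event with zero jitter could be told apart.
    ideal = TimingProfile(BLE_MIN_INTERVAL_MS, 1, 1, 0.0)
    print("ideal device separable:", separable_by_timing(ideal))
```

Any threshold loose enough to accept the slowest genuine response also accepts the fastest relayed one, which is the advisory's point that normal GATT latency is not evidence against a relay.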
The researchers disclosed their findings to Tesla and the Bluetooth Special Interest Group, which acknowledged the issue but said that relay attacks were a known problem with Bluetooth. Tesla officials also said that relay attacks were a known limitation of the passive entry system.
“NCC Group recommends that the SIG proactively advise its members developing proximity authentication systems about the risks of BLE relay attacks. Moreover, documentation should make clear that relay attacks are practical and must be included in threat models, and that neither link layer encryption nor expectations of normal response timing are defences against relay attacks,” the advisory says.
Researchers Demo Relay Attack Against Bluetooth LE Systems - Duo Security
May 17, 2022 at 02:10AM