Bluetooth relay attacks unlock and drive Tesla Model 3/Y, says NCC Group

Tesla’s BLE Phone-as-a-Key passive entry system is vulnerable to relay attacks. The announcement was made by NCC Group, a global expert in cybersecurity and risk mitigation, on its website. The Tesla Model 3 and Model Y use a passive entry system based on Bluetooth Low Energy (BLE) technology. This relay attack tool can be used for all BLE communicating devices, and is not specific to Tesla vehicles.

This system allows users with an authorized mobile device or short-range vehicle key fob to unlock and operate the vehicle, with no user interaction required on the mobile device or the key ring. This system infers proximity to the mobile device or fob based on signal strength (RSSI) and latency measurements of cryptographic challenge-response operations performed over BLE.

The NCC Group has developed a tool to conduct a new type of BLE relay attack operating at the link layer, for which the added latency is within the normal range of variation of the GATT response, and which is capable of relaying link layer cipher communications. This approach can circumvent existing relay attack mitigation measures, namely latency throttling or link-layer encryption, and circumvent commonly used location defenses against relay attacks that use signal amplification. .

As the latency added by this relay attack is within the limits accepted by the Model 3 (and likely Model Y) passive entry system, it can be used to unlock and drive these vehicles while the mobile device or wearer -cls allowed is out of range.


If an attacker can place a relay device carrying the BLE signal from a mobile phone or key fob authorized to access a Tesla Model 3 or Model Y, they can conduct a relay attack to unlock and drive the vehicle.

Neither normal GATT response latency nor successful communications over an encrypted link layer can be used to indicate that a relay attack is not in progress. Therefore, conventional mitigation measures against prior BLE relay attacks are rendered ineffective against link layer relay attacks.

When testing on a 2020 Tesla Model 3 running software v11.0 (2022.8.2) with an iPhone 13 mini running version 4.6.1-891 of the Tesla app, NCC Group was able to use this test tool. newly developed relay attack to unlock and operate the vehicle while the iPhone was out of vehicle BLE range. In the test setup, the iPhone was placed on the top floor at the back of a house, about 25 meters from the vehicle, which was in the garage at ground level. The phone-side relay device was placed in a separate room from the iPhone, about 7 meters from the phone. The vehicle side relay device was able to unlock the vehicle when placed within approximately 3 meters of the vehicle.

The NCC Group has not tested this relay attack against a Model Y or in conjunction with the optional Tesla Model 3/Y BLE keychain. However, based on the similarity of the technologies used, NCC Group expects the same type of relay attack to be possible against these targets, given the use of similar technologies.

During experimentation to identify latency bounds, the NCC group found that relay attacks against Model 3 remained effective with an artificially added 80ms round-trip latency beyond the base latency level introduced. by the relay tool on a local Wi-Fi network. This latency margin should be sufficient to carry out long distance relay attacks on the Internet. However, the NCC group did not attempt long-range relay attacks against Tesla vehicles.

Users should be made aware of the risks of BLE relay attacks and encouraged to use the PIN to Drive feature. Also consider providing users with an option to disable passive input. To reduce the possibility of relay attacks, consider disabling passive input functionality in the mobile app when the mobile device has been stationary for more than one minute. Also consider having the mobile app report the last known location of the mobile device during the authentication process with the vehicle, so that the vehicle can detect and reject long-range relay attacks.

For this Internet user who calls himself Camilomiller, car manufacturers are dying to become service providers and transform purchase income into recurring income. Also, a car that’s akin to a smartphone in terms of activation and thinking about its functionality is incredibly attractive to automakers. They dream of being able to price cars based on non-locking features, like Apple did with M1 on Macs (except that, in this case, it also makes a lot of sense from the point of view of user), he continues.

Source: NCC Group

And you?

What is your opinion on the subject?

See as well :

Tesla: Is the $1.5 billion investment in bitcoin pure speculation or a tactic by Elon Musk to boost confidence in the cryptocurrency, of which he could be the creator?

Tesla loses a lot of money selling cars, but recoups it entirely through bitcoins and credits, whose sales growth he touted as a positive.

Leave a Comment