Tesla Model 3 and Y owners, beware: the passive entry feature on your vehicle could potentially be hoodwinked by a relay attack, leading to the theft of the flash motor.
Discovered and demonstrated by researchers at NCC Group, the technique involves relaying the Bluetooth Low Energy (BLE) signals from a smartphone that has been paired with a Tesla back to the vehicle. Far from simply unlocking the door, this hack lets a miscreant start the car and drive away, too.
Essentially, what happens is this: the paired smartphone should be physically close to the Tesla to unlock it. NCC's technique involves one gadget near the paired phone, and another gadget near the car. The phone-side gadget relays signals from the phone to the car-side gadget, which forwards them to the vehicle to unlock and start it. This shouldn't normally work because the phone and car are so far apart. The car has a defense mechanism – based on measuring transmission latency to detect that a paired device is too far away – that ideally prevents relayed signals from working, though this can be defeated simply by cutting the latency of the relay process.
In a real-life scenario, a victim could be in a building just out of range of their Tesla while standing near a crook with a relay gadget on them. This gadget relays signals from the victim's phone to the Tesla outside via another miscreant with a gadget, who jumps in and steals the unlocked vehicle.
In its testing, NCC Group said it was able to perform a relay attack that opened a Tesla Model 3 in which the vehicle's paired device was located in a house approximately 25 metres from the vehicle. Using phone-side and vehicle-side relaying devices made from $50 Bluetooth development modules, the team said it managed to gain full access to the Tesla when the vehicle-side relay was brought within 3 metres.
While NCC only tested the attack on a Tesla Model 3, Sultan Khan, senior security researcher at NCC and the author of the advisory, said the technology used in the Tesla app is the same when connecting to a Model 3 or Y. Khan also theorized that Model 3 and Y key fobs were also likely affected, though those weren't tested either.
As the latency added by this relay attack is within the bounds accepted by the Model 3 (and likely Model Y) passive entry system, it can be used to unlock and drive these vehicles while the authorized mobile device or key fob is out of range.
Tesla hasn't had a good history when it comes to security researchers finding ways to unlock its cars. In 2014, a group of Chinese university students managed an attack on a Model S that allowed them to open doors, sound the horn and more while the vehicle was in motion, and a second Chinese group did much the same in 2016. That same year, the Tesla app was exploited to allow attackers to track, locate, unlock and start vehicles. Two years later, Belgian researchers managed to clone Tesla key fobs, giving them full control of the affected vehicle.
At the same time NCC Group released its Tesla BLE relay advisory, it published a second advisory authored by Khan. In that advisory, he explains how NCC's novel method to hijack a Tesla works against anything relying on BLE to confirm the presence of an authorized user.
In the advisory, Khan states that BLE proximity relay attacks have been known about for years. Fortunately for fans of the protocol, existing relay attacks introduce too much latency. "Products commonly attempt to prevent relay attacks by imposing strict Generic Attribute Protocols (GATT) response time limits and/or using link layer encryption," Khan said.
The tool developed by NCC Group for its research operates at the link layer, which Khan said reduces latency down to acceptable GATT ranges. By doing so, it's able to circumvent latency bounding and link layer encryption, Khan said.
It's worth noting that the Bluetooth Core Specification makes no claims that BLE proximity signals are secure. In Proximity Profile specification updates from 2015, the Bluetooth Special Interest Group (SIG) stated "the Proximity Profile should not be used as the only protection of valuable assets," and additionally "there is currently no known way to protect against such attacks using Bluetooth technology."
Khan said that the Tesla Product Security team was notified in April of the flaw. Their response was that it was a known limitation of the passive entry system.
Tesla owners concerned about a relay attack should use the PIN to Drive feature in their Tesla, as well as disabling passive entry:
Controls > Settings > Doors & Locks > Passive Entry > OFF
Khan also said adding checks like having the app report the device's last known location and time-of-flight ranging could protect owners, but that's on Tesla to fix, and Khan told Bloomberg the automaker said it has no plans to do so.
Because this attack potentially affects so many devices used to secure so many things, it's a serious issue. Khan said that Bluetooth SIG was notified of the flaw and it told him "more accurate ranging mechanisms are under development."
We've asked the Bluetooth SIG to tell us more about those mechanisms and their availability, but have yet to hear back. ®
Activision Blizzard is starting collective bargaining with quality-assurance workers at its game studio Raven Software, after they voted in favor of unionizing.
The Californian video-game maker is currently trying to close the $68.7bn acquisition offer from Microsoft, and has promised to fix internal issues amid allegations of a toxic workplace culture that led to gender and race discrimination, as well as sexual harassment of employees.
As Activision attempted to clean up its public image, the biz announced it would lay off 12 workers from Raven Software after a group of employees tried to form a union. Sixty staff members protested, staged a strike for five weeks, and sided with the Communication Workers of America (CWA) to obtain formal recognition.
RSA Conference An ambitious project spearheaded by the World Economic Forum (WEF) is working to develop a map of the cybercrime ecosystem using open source information.
The Atlas initiative, whose contributors include Fortinet and Microsoft and other private-sector firms, involves mapping the relationships between criminal groups and their infrastructure with the end goal of helping both industry and the public sector — law enforcement and government agencies — disrupt these nefarious ecosystems.
This kind of visibility into the connections between the gang members can help security researchers identify vulnerabilities in the criminals' supply chain to develop better mitigation strategies and security controls for their customers.
Late last month, France's BEA-RI, or Bureau of Investigation and Analysis on industrial risks, issued its technical report on the March 10th, 2021 fire at the OVH datacenter in Strasbourg.
The French report [PDF] and summary [PDF] echo the findings of the Bas-Rhin fire service in March, 2022 that the lack of an automatic fire extinguisher system, the delay of electrical cutoff and the building design contributed to the spread of the blaze.
The BEA-RI findings also hint at a possible cause – a water leak on an inverter – while stating that the cause has not been conclusively determined.
Analysis For all the pomp and circumstance surrounding Apple's move to homegrown silicon for Macs, the tech giant has admitted that the new M2 chip isn't quite the slam dunk that its predecessor was when compared to the latest from Apple's former CPU supplier, Intel.
During its WWDC 2022 keynote Monday, Apple focused its high-level sales pitch for the M2 on claims that the chip is much more power efficient than Intel's latest laptop CPUs. But while doing so, the iPhone maker admitted that Intel has it beat, at least for now, when it comes to CPU performance.
Apple laid this out clearly during the presentation when Johny Srouji, Apple's senior vice president of hardware technologies, said the M2's eight-core CPU will provide 87 percent of the peak performance of Intel's 12-core Core i7-1260P while using just a quarter of the rival chip's power.
Microsoft has forgotten to renew the certificate for the web page of its Windows Insider software testing program.
Attempting to visit the Windows Insider portal was returning the familiar "Your connection is not private" warning – as if webpages larded with scripts and trackers can truly be called "private." The problem has now been fixed, and someone's no doubt getting an earful.
Browsers like Chrome, Firefox, and Safari will attempt to deter visitors from accessing the webpage, but will provide a link for those who ignore the warnings and persist on clicking through to advanced options.
RSA Conference For the first time in over two years the streets of San Francisco have been filled by attendees at the RSA Conference and it seems that the days of physical cons are back on.
The security conference trade has been more cautious than most when it comes to getting conferences back up to speed in the COVID years. Almost all cons were virtual with a very limited hybrid-conference season last year, including DEF CON, where masks were taken seriously. People still wanted to mingle and ShmooCon too went ahead, albeit later than usual in March.
The RSA conference has been going for over 30 years and many security folks love going. There are usually some good talks, it's a chance to meet old friends, and certain pubs host meetups where more constructive work gets done on hard security ideas than a month or so of Zoom calls.
As compelling as the leading large-scale language models may be, the fact remains that only the largest companies have the resources to actually deploy and train them at meaningful scale.
For enterprises eager to leverage AI to a competitive advantage, a cheaper, pared-down alternative may be a better fit, especially if it can be tuned to particular industries or domains.
That's where an emerging set of AI startups hopes to carve out a niche: by building sparse, tailored models that, while maybe not as powerful as GPT-3, are good enough for enterprise use cases and run on hardware that ditches expensive high-bandwidth memory (HBM) for commodity DDR.
Review The Reg FOSS desk took the latest update to openSUSE's stable distro for a spin around the block and returned pleasantly impressed.
As we reported earlier this week, SUSE said it was preparing version 15 SP4 of its SUSE Linux Enterprise distribution at the company's annual conference, and a day later, openSUSE Leap version 15.4 followed.
The relationship between SUSE and the openSUSE project is comparable to that of Red Hat and Fedora. SUSE, with its range of enterprise Linux tools, is the commercial backer, among other sponsors.
Oracle is planning to build a national database of individuals' health records for the whole United States following its $28.3 billion acquisition of electronic health records specialist Cerner.
In a presentation, CTO and founder Larry Ellison said electronic health records for individual patients were stored by hospitals and physicians, and not replicated or shared between providers.
"We're going to solve this problem by putting a unified national health records database on top of all of these thousands of separate hospital databases," Ellison said.
Analysis The European Parliament this week voted to support what is effectively a ban on the sale of cars with combustion engines by 2035, and automakers are not happy.
MEPs backed a plenary vote on Wednesday for "zero-emission road mobility by 2035" – essentially meaning no more diesel and gasoline-fueled vehicles on the road.
The ambitious target means the automotive battery industry will have to service a much larger demand over the coming years, and electric carmakers stand to benefit hugely – that is, if they can source the requisite semiconductors and batteries.
Intezer security researcher Joakim Kennedy and the BlackBerry Threat Research and Intelligence Team have analyzed an unusual piece of Linux malware they say is unlike most seen before - it isn't a standalone executable file.
Dubbed Symbiote, the badware instead hijacks the environment variable (LD_PRELOAD) that the dynamic linker uses to load a shared object library ahead of all others, and soon infects every single running process.
The Intezer/BlackBerry team discovered Symbiote in November 2021, and said it appeared to have been written to target financial institutions in Latin America. Analysis of the Symbiote malware and its behavior suggests it may have been developed in Brazil.
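Because the technique hinges on LD_PRELOAD, a defender's first check is whether any live process (via /proc/<pid>/environ) or the system-wide /etc/ld.so.preload file names a preload library the administrator did not deploy. The following is an added example, not code from Intezer or BlackBerry; the allowlist path and the sample environ blob are constructed.

```python
"""Flag unexpected LD_PRELOAD / ld.so.preload entries (added example)."""
import os
from typing import Dict, List

# Hypothetical allowlist: preload libraries the operator deliberately deployed.
ALLOWED_PRELOADS = {"/usr/lib/libjemalloc.so.2"}


def parse_environ(blob: bytes) -> Dict[str, str]:
    """Parse the NUL-separated KEY=VALUE records of /proc/<pid>/environ."""
    env = {}
    for rec in blob.split(b"\0"):
        if b"=" in rec:
            key, _, val = rec.partition(b"=")
            env[key.decode(errors="replace")] = val.decode(errors="replace")
    return env


def preload_entries(value: str) -> List[str]:
    """LD_PRELOAD takes colon- or space-separated library paths or names."""
    return [p for p in value.replace(":", " ").split() if p]


def suspicious_preloads(entries: List[str]) -> List[str]:
    """Return the preload entries that are not on the allowlist."""
    return [e for e in entries if e not in ALLOWED_PRELOADS]


def check_environ_blob(blob: bytes) -> List[str]:
    env = parse_environ(blob)
    return suspicious_preloads(preload_entries(env.get("LD_PRELOAD", "")))


def check_ld_so_preload(text: str) -> List[str]:
    """/etc/ld.so.preload holds one library per line; '#' starts a comment."""
    entries: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.extend(preload_entries(line))
    return suspicious_preloads(entries)


def scan_proc(proc_root: str = "/proc") -> Dict[int, List[str]]:
    """Walk live processes; reading other users' environ files needs root."""
    hits = {}
    for name in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, name, "environ"), "rb") as f:
                bad = check_environ_blob(f.read())
        except OSError:
            continue  # process exited or permission denied
        if bad:
            hits[int(name)] = bad
    return hits


# Constructed sample: a process started with a rogue preload library.
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/libhidden.so\0HOME=/root\0"
```

A userland rootkit that hooks readdir/open can hide its own library from a scanner running inside an infected process, so run this check from a clean rescue environment or compare against an offline copy of /proc and /etc.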
The Register - Independent news and views for the tech community. Part of Situation Publishing