Bluetooth Impersonation AttackS (BIAS)

My Tesla recognizes my phone using Bluetooth and unlocks. But recently researchers identified a Bluetooth vulnerability (which they call BIAS) that allows someone to impersonate a trusted device. From the abstract:

The Bluetooth standard includes a legacy authentication procedure and a secure authentication procedure, allowing devices to authenticate to each other using a long term key. Those procedures are used during pairing and secure connection establishment to prevent impersonation attacks. In this paper, we show that the Bluetooth specification contains vulnerabilities enabling to perform impersonation attacks during secure connection establishment. Such vulnerabilities include the lack of mandatory mutual authentication, overly permissive role switching, and an authentication procedure downgrade. We describe each vulnerability in detail, and we exploit them to design, implement, and evaluate master and slave impersonation attacks on both the legacy authentication procedure and the secure authentication procedure. We refer to our attacks as Bluetooth Impersonation AttackS (BIAS).

Our attacks are standard compliant, and are therefore effective against any standard compliant Bluetooth device regardless of the Bluetooth version, the security mode (e.g., Secure Connections), the device manufacturer, and the implementation details. Our attacks are stealthy because the Bluetooth standard does not require to notify end users about the outcome of an authentication procedure, or the lack of mutual authentication. To confirm that the BIAS attacks are practical, we successfully conduct them against 31 Bluetooth devices (28 unique Bluetooth chips) from major hardware and software vendors, implementing all the major Bluetooth versions, including Apple, Qualcomm, Intel, Cypress, Broadcom, Samsung, and CSR.

Would this allow someone to essentially clone my phone and drive away with my Tesla?

https://francozappa.github.io/about-bias/publication/antonioli-20-bias/antonioli-20-bias.pdf
Bluetooth Vulnerability: BIAS - Schneier on Security
 
From the description above, it seems that the vulnerability only exists during pairing. Pairing happens only when you first establish a Bluetooth connection, I think, and not every time you use the Bluetooth connection. If my interpretation is correct, then the vulnerability does not exist during normal usage, just when you first pair the car with your BT device.
 
It's not just an attack during pairing. From the paper:
Two Bluetooth devices are expected to pair once and securely connect multiple times.
...
we demonstrate that the Bluetooth standard contains vulnerabilities enabling an attacker to impersonate a device and to establish a secure connection with a victim, without possessing the long term key shared by the impersonated device and the victim.
Yes, "PIN to Drive" would appear to help.
 
Looking into this further, this vulnerability may allow someone to connect to your car, but that does not make it authenticated. The connected device must be logged in to your Tesla account and remain logged in. Additionally during authentication you must tap your key card to complete authentication.
 
Looking into this further, this vulnerability may allow someone to connect to your car, but that does not make it authenticated. The connected device must be logged in to your Tesla account and remain logged in. Additionally during authentication you must tap your key card to complete authentication.

Correct. So for this to work one would need:
1) to be near enough to your phone to get its Bluetooth MAC address (pretty easy).
2) use that MAC address to pretend to be you to make a Bluetooth connection to the car (this is the attack above).
3) ALSO have your Tesla account/password, install the Tesla app and log in as you.

If they have #3, they don't need to use the first 2, as they can simply unlock the door and enable keyless driving.

Finally, #2 will be fixed with a firmware update by not allowing downgrading the connection for an already paired device.

In cases where Bluetooth is used as a key or such, Bluetooth is simply used as the communication transport for the ACTUAL key. So the attacker can "establish a connection" but they won't know what to transmit over that connection to allow it to work.
 
Last edited:
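A toy model of the two points made in the thread, added here as an illustration and not code from the thread or Tesla's actual protocol: the Bluetooth address only gets a link up, the unlock needs a separate challenge-response under a per-phone key the link never carries, and a device paired with Secure Connections is refused if it tries to reconnect with legacy authentication. The car/phone classes, message format and sample key are all constructed for the example.

```python
import hashlib
import hmac
import secrets
# Constructed model for illustration, not Tesla's protocol: the Bluetooth address
# identifies the link; unlocking also needs a keyed challenge-response on top of it.

class Car:
    def __init__(self, paired):
        # paired: {bluetooth address: (app key, paired with Secure Connections?)}
        self.paired = paired

    def accept_link(self, addr, peer_uses_secure_auth):
        # Link policy: known address only, and no authentication downgrade
        # for a device that was paired with Secure Connections.
        if addr not in self.paired:
            return False
        return peer_uses_secure_auth or not self.paired[addr][1]

    def verify_unlock(self, addr, nonce, response):
        # Application check: HMAC of the car's fresh nonce under this phone's key.
        key, _ = self.paired[addr]
        expected = hmac.new(key, b"unlock:" + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def phone_responder(key):
    # What a phone holding an app key answers to the car's challenge.
    return lambda nonce: hmac.new(key, b"unlock:" + nonce, hashlib.sha256).digest()

def try_unlock(car, addr, responder, peer_uses_secure_auth=True):
    # One attempt: link establishment first, then the application challenge.
    if not car.accept_link(addr, peer_uses_secure_auth):
        return "link refused"
    nonce = secrets.token_bytes(16)  # fresh per attempt, so replays fail
    if car.verify_unlock(addr, nonce, responder(nonce)):
        return "unlocked"
    return "link up, not authenticated"

# Constructed sample data: one phone paired with Secure Connections and a random key.
OWNER_ADDR = "AA:BB:CC:DD:EE:01"
OWNER_KEY = secrets.token_bytes(32)
CAR = Car({OWNER_ADDR: (OWNER_KEY, True)})

def owner_phone():
    return try_unlock(CAR, OWNER_ADDR, phone_responder(OWNER_KEY))
def address_only_link():
    # The address brings the link up, but without the app key there is only a guess to send.
    return try_unlock(CAR, OWNER_ADDR, phone_responder(b"\x00" * 32))
def legacy_auth_downgrade():
    # The fix described in the post: a paired device may not reconnect with legacy auth.
    return try_unlock(CAR, OWNER_ADDR, phone_responder(OWNER_KEY), peer_uses_secure_auth=False)
```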