Long story short, I got an e-mail from someone "up the chain" in the Air Force, saying we can't bring Tesla or BMW i8 keys into work anymore because of the Bluetooth in them. I have a May 2017 75D. I didn't know my keyfob had BLE but I guess Tesla started working with this back in 2016.
Does anyone know a good argument explaining how our fobs are like any other fob, or do I have to leave my key in the car from now on? (Which would be mildly inconvenient)
Thanks!
Update: it looks like Tesla filed two BLE-enabled FCC applications. You need to pull the battery cover - if it has either of these two FCC codes, it is BLE enabled.
I'll ask our guys at work to provide me the BLE policy on Tuesday and provide an update. It looks like this BLE chip is the issue, but not sure how it would be an issue in a fob....
Bleedingbit: Critical vulnerabilities in BLE chips expose millions of access points to attack - Help Net Security
FCC ID 2AEIM-1133148 Car Key Fob with BLE by Tesla Motors, Inc (filed 9 July 2018)
FCC ID 2AEIM-1048598 Keyfob with BLE functionality by Tesla Motors, Inc (filed 5 Nov 2015)
General Wireless Policy Security Technical Implementation Guide
Bluetooth/Zigbee Security Technical Implementation Guide (STIG)
General Wireless Policy Security Technical Implementation Guide
Overview
| Version | Date | Finding Count (10) |
|---|---|---|
| 1 | 2012-09-21 | CAT I (High): 3, CAT II (Med): 3, CAT III (Low): 4 |
STIG Description
This STIG provides policy, training, and operating procedure security controls for the use of wireless devices and systems in the DoD environment. This STIG applies to any wireless device (such as WLAN Access Points and clients, Bluetooth devices, smartphones and cell phones, wireless keyboards and mice, and wireless remote access devices) used to store, process, transmit or receive DoD information.
Findings (MAC III - Administrative Sensitive)
| Finding ID | Severity | Title | Description |
|---|---|---|---|
| V-12072 | High | Wireless devices must not be allowed in a permanent, temporary, or mobile Sensitive Compartmented Information Facilities (SCIFs), unless approved by the SCIF Cognizant Security Authority (CSA) in accordance with Intelligence Community Directive 503 and Director Central Intelligence Directive (DCID) 6/9, the DAA, and the site Special Security Officer (SSO). | Emanations from computing devices in the secured area may be transmitted or picked up inadvertently by wireless devices. |
| V-8283 | High | All wireless systems (including associated peripheral devices, operating system, applications, network/PC connection methods, and services) must be approved by the approval authority prior to installation and use for processing DoD information. | Unauthorized wireless systems expose DoD networks to attack. The DAA and appropriate commanders must be aware of all wireless systems used at the site. DAAs should ensure a risk assessment for ... |
| V-19813 | High | Computers with an embedded wireless system must have the radio removed before the computer is used to transfer, receive, store, or process classified information. | With the increasing popularity of wireless networking, most laptops have wireless NICs installed on the laptop motherboard. Although the system administrator may disable these embedded NICs, the ... |
| V-14894 | Medium | All wireless network devices, such as wireless Intrusion Detection System (IDS) and wireless routers, access points, gateways, and controllers must be located in a secure room with limited access or otherwise secured to prevent tampering or theft. | DoD data and the network could be exposed to attack if wireless network devices are not physically protected. The Network Security Officer (NSO) will ensure all wireless network devices (i.e., ... |
| V-15782 | Medium | DAA must approve the use of personally-owned or contractor-owned PEDs used to transmit, receive, store, or process DoD information. | The use of unauthorized personally-owned wireless devices to receive, store, process, or transmit DoD data could expose sensitive DoD data to unauthorized people. The use of personally-owned PEDs ... |
| V-12106 | Medium | Wireless devices must not be operated in areas where classified information is electronically stored, processed, or transmitted unless required conditions are followed. | The operation of electronic equipment and emanations must be controlled in and around areas where sensitive information is kept or processed. Sites should post signs and train users to this ... |
| V-13982 | Low | All users of mobile devices or wireless devices must sign a user agreement before the mobile or wireless device is issued to the user and the user agreement used at the site must include required content. | Lack of user training and understanding of responsibilities to safeguard wireless technology is a significant vulnerability to the enclave. Once policies are established, users must be trained to ... |
| V-8297 | Low | Wireless devices connecting directly or indirectly (i.e., ActiveSync, wireless, etc.) to the network must be included in the site System Security Plan (SSP). | The DAA and site commander must be aware of all approved wireless devices used at the site or DoD data could be exposed to unauthorized people. Documentation of the enclave configuration must ... |
| V-8284 | Low | The site IAO must maintain a list of all DAA-approved wireless and non-wireless PED devices that store, process, or transmit DoD information. | The site must maintain a list of all DAA-approved wireless and non-wireless PEDs. Close tracking of authorized wireless devices will facilitate the search for rogue devices. Sites must keep good ... |
| V-28314 | Low | If DAA has approved the use of personally-owned or contractor-owned PEDs, the owner must sign a forfeiture agreement in case of a security incident. | The use of unauthorized personally-owned or contractor-owned wireless devices to receive, store, process, or transmit DoD data could expose sensitive DoD data to unauthorized people. The use of ... |