Jun 15 2022

Murder suspect admits she tracked cheating partner with hidden AirTag

Category: Bluetooth
DISC @ 8:35 am

Marion County, right in the middle of the US state of Indiana, and home to the state’s capital Indianapolis, is also currently home to a tragic court case.

(Thanks to fellow writers at The Register for that link – we couldn’t get to the official court site while we were writing this up.)

The short version of events is alleged to be as follows:

  • Accused decides her partner’s cheating.
  • Hides an Apple AirTag in the back of his car.
  • Tells partner she’s getting ready to boot him out.
  • Partner makes himself scarce.
  • Texts him to say she knows where he is.
  • Drives to the pub she thinks he’s in.
  • Confronts him and attacks the woman he’s with.
  • Gets thrown out of pub with the other two because of ruckus.
  • Drives off a short way but sees partner in parking lot.
  • Drives back and runs him over.
  • Traps partner under car.
  • Partner suffocates to death.

In the sombre and tragic words of the charge sheet, the court alleges that the accused “did knowingly kill another human being, […], all of which is contrary to statute and against the peace and dignity of the State of Indiana.”

The charge sheet makes interesting reading, and is a fascinating reminder of how old-school policing, such as promptly interviewing witnesses at the scene and securing relevant property that might be needed in evidence…

…is mixed in with the need for today’s investigators to be familiar with modern technology and to know how to involve it, right from the start, in the evidence they collect.


Tags: air tag, AIR TAG USER GUIDE

May 17 2022

Hackers can steal your Tesla Model 3, Y using new Bluetooth attack

Category: Bluetooth, Information Security
DISC @ 8:27 am

New Bluetooth attack lets hackers drive away with your Tesla
Security researchers at the NCC Group have developed a tool to carry out a Bluetooth Low Energy (BLE) relay attack that bypasses all existing protections to authenticate on target devices.

BLE technology is used in a wide spectrum of products, from electronics like laptops, mobile phones, smart locks, and building access control systems to cars like Tesla Model 3 and Model Y.

Pushing out fixes for this security problem is complicated, and even if the response is immediate and coordinated, it would still take a long time for the updates to trickle to impacted products.

How the attack works

In this type of relay attack, an adversary intercepts, and can manipulate, the communication between two parties, such as the key fob that unlocks and operates the car and the vehicle itself.

This places the attacker in the middle of the two ends of the communication, allowing them to relay the signal as if they were standing right next to the car.

Products that rely on BLE for proximity-based authentication protect against known relay attack methods by introducing checks based on precise amounts of latency and also link-layer encryption.

NCC Group has developed a tool that operates at the link layer and adds only about 8ms of latency, which is well within the 30ms window accepted for a GATT (Generic ATTribute Profile) response.

“Since this relay attack operates at the link layer, it can forward encrypted link layer PDUs. It is also capable of detecting encrypted changes to connection parameters (such as connection interval, WinOffset, PHY mode, and channel map) and continuing to relay connections through parameter changes. Thus, neither link layer encryption nor encrypted connection parameter changes are defences against this type of relay attack.” – NCC Group

According to Sultan Qasim Khan, a senior security consultant at NCC Group, it takes about ten seconds to run the attack and it can be repeated endlessly.

Both the Tesla Model 3 and Model Y use a BLE-based entry system, so NCC’s attack could be used to unlock and start the cars.

While technical details behind this new BLE relay attack have not been published, the researchers say that they tested the method on a Tesla Model 3 from 2020 using an iPhone 13 mini running version 4.6.1-891 of the Tesla app.

“NCC Group was able to use this newly developed relay attack tool to unlock and operate the vehicle while the iPhone was outside the BLE range of the vehicle” – NCC Group

During the experiment, they were able to deliver to the car the communication from the iPhone via two relay devices, one placed seven meters away from the phone, the other sitting three meters from the car. The distance between the phone and the car was 25 meters.

The experiment was also replicated successfully on a Tesla Model Y from 2021, since it uses similar technologies. Below is a demonstration of the attack:

These findings were reported to Tesla on April 21st. A week later, the company responded by saying “that relay attacks are a known limitation of the passive entry system.”

The researchers also notified Spectrum Brands, the parent company behind Kwikset (makers of the Kevo line of smart locks).

What can be done

NCC Group’s research on this new proximity attack is available in three separate advisories: one for BLE in general, one for Tesla cars, and another for Kwikset/Weiser smart locks, each illustrating the issue on the tested devices and how it affects a larger set of products from other vendors.

The Bluetooth Core Specification warns device makers about relay attacks and notes that proximity-based authentication shouldn’t be used for valuable assets.

This leaves users with few options, one being to disable proximity-based authentication, where the product allows it, and switch to an alternative authentication method that requires user interaction.

Another solution would be for makers to adopt a distance bounding solution such as UWB (ultra-wideband) radio technology instead of Bluetooth.
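To see why the millisecond-scale latency check described under “How the attack works” cannot stop a link-layer relay, while the UWB distance bounding mentioned just above can, here is an added simulation (not NCC Group’s tool or any vendor’s code). It models the car as a verifier that times a challenge-response round trip; the 30ms window, 8ms relay delay and 25m phone-to-car distance are the article’s figures, while the GATT processing delay, the UWB turnaround constant and the 2m bound are constructed assumptions.

```python
"""Added example, not NCC Group's tool or any vendor's code: a verifier (the car)
times a challenge-response round trip with the phone and decides whether the
phone is close enough. Radio cannot travel faster than light, so a round-trip
tolerance T can rule out distances beyond c * T / 2 and nothing tighter."""
from dataclasses import dataclass

SPEED_OF_LIGHT_M_PER_S = 299_792_458.0
GATT_PROCESSING_S = 0.005   # constructed: typical phone-side delay answering a GATT request
UWB_TURNAROUND_S = 1e-6     # constructed: fixed, calibrated reply turnaround of a UWB chip


def max_distance_for_tolerance(tolerance_s: float) -> float:
    """Largest prover distance in metres that a round-trip tolerance can exclude."""
    return SPEED_OF_LIGHT_M_PER_S * tolerance_s / 2


@dataclass
class Channel:
    """Path between phone and car; relay_delay_s > 0 models relay hardware in between."""
    distance_m: float
    relay_delay_s: float = 0.0

    def round_trip_s(self, prover_processing_s: float) -> float:
        flight = 2 * self.distance_m / SPEED_OF_LIGHT_M_PER_S
        return flight + prover_processing_s + self.relay_delay_s


def gatt_latency_check(channel: Channel) -> bool:
    """Latency check of the kind the article describes: accept any GATT response
    that arrives within a 30 ms window."""
    return channel.round_trip_s(GATT_PROCESSING_S) <= 0.030


def uwb_distance_bound(channel: Channel, max_distance_m: float) -> bool:
    """Distance bounding: the prover's turnaround is a known constant, so anything
    slower than that constant plus the flight time for max_distance_m is rejected."""
    tolerance = UWB_TURNAROUND_S + 2 * max_distance_m / SPEED_OF_LIGHT_M_PER_S
    return channel.round_trip_s(UWB_TURNAROUND_S) <= tolerance


if __name__ == "__main__":
    honest = Channel(distance_m=1.0)
    relayed = Channel(distance_m=25.0, relay_delay_s=0.008)  # article's 25 m and 8 ms
    print(f"30 ms tolerance only bounds distance to {max_distance_for_tolerance(0.030) / 1000:.0f} km")
    print("GATT latency check: honest", gatt_latency_check(honest), "relayed", gatt_latency_check(relayed))
    print("UWB 2 m bound:      honest", uwb_distance_bound(honest, 2.0), "relayed", uwb_distance_bound(relayed, 2.0))
```

The first line of output is the core point: a 30ms window is satisfied by any prover within roughly 4,500 km, so it constrains processing time, not location, whereas a nanosecond-resolution turnaround rejects even a relay adding a single microsecond.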

Tesla owners are encouraged to use the ‘PIN to Drive’ feature, so even if their car is unlocked, at least the attacker won’t be able to drive away with it.

Additionally, disabling the passive entry functionality in the mobile app when the phone is stationary would make the relay attack impossible to carry out.

If none of the above is possible on your device, keep in mind the possibility of relay attacks and implement additional protection measures accordingly.


Tags: Bluetooth attack, Tesla Model 3

Nov 05 2021

CISA urges vendors to fix BrakTooth issues after the release of a PoC tool

Category: Bluetooth, Security vulnerabilities
DISC @ 8:43 am

US CISA is urging vendors to address the BrakTooth flaws after security researchers released public exploit code and a proof-of-concept tool for testing Bluetooth devices against potential Bluetooth exploits.

“On November 1, 2021, researchers publicly released a BrakTooth proof-of-concept (PoC) tool to test Bluetooth-enabled devices against potential Bluetooth exploits using the researcher’s software tools. BrakTooth—originally disclosed in August 2021—is a family of security vulnerabilities in commercial Bluetooth stacks. An attacker could exploit BrakTooth vulnerabilities to cause a range of effects from denial-of-service to arbitrary code execution.” reads CISA’s advisory.

“CISA encourages manufacturers, vendors, and developers to review BRAKTOOTH: Causing Havoc on Bluetooth Link Manager and update vulnerable Bluetooth System-on-a-Chip (SoC) applications or apply appropriate workarounds.”

BrakTooth is a set of 16 security flaws in commercial Bluetooth stacks that can be exploited by threat actors to execute arbitrary code and crash the devices via DoS attacks.


Tags: BrakTooth issues, CISA, Security Threats and Countermeasures in Bluetooth

May 25 2021

New Bluetooth Flaws Let Attackers Impersonate Legitimate Devices

Category: Bluetooth
DISC @ 8:49 am

Adversaries could exploit newly discovered security weaknesses in Bluetooth Core and Mesh Profile Specifications to masquerade as legitimate devices and carry out man-in-the-middle (MitM) attacks.

“Devices supporting the Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure that could allow an attacker to impersonate a legitimate device during pairing,” the Carnegie Mellon CERT Coordination Center said in an advisory published Monday.

The two Bluetooth specifications define the standard that allows for many-to-many communication over the short-range wireless technology to facilitate data transfer between devices in an ad-hoc network.

The Bluetooth Impersonation AttackS, aka BIAS, enable a malicious actor to establish a secure connection with a victim, without having to know and authenticate the long-term key shared between the victims, thus effectively bypassing Bluetooth’s authentication mechanism.

“The BIAS attacks are the first uncovering issues related to Bluetooth’s secure connection establishment authentication procedures, adversarial role switches, and Secure Connections downgrades,” the researchers said. “The BIAS attacks are stealthy, as Bluetooth secure connection establishment does not require user interaction.”

“To confirm that the BIAS attacks are practical, we successfully conduct them against 31 Bluetooth devices (28 unique Bluetooth chips) from major hardware and software vendors, implementing all the major Bluetooth versions, including Apple, Qualcomm, Intel, Cypress, Broadcom, Samsung, and CSR.”

In addition, four separate flaws have been uncovered in Bluetooth Mesh Profile Specification versions 1.0 and 1.0.1. A summary of the flaws is as follows –

  • CVE-2020-26555 – Impersonation in Bluetooth legacy BR/EDR pin-pairing protocol (Core Specification 1.0B through 5.2)
  • CVE-2020-26558 – Impersonation in the Passkey entry protocol during Bluetooth LE and BR/EDR secure pairing (Core Specification 2.1 through 5.2)
  • N/A – Authentication of the Bluetooth LE legacy pairing protocol (Core Specification 4.0 through 5.2)
  • CVE-2020-26556 – Malleable commitment in Bluetooth Mesh Profile provisioning (Mesh profile 1.0 and 1.0.1)
  • CVE-2020-26557 – Predictable AuthValue in Bluetooth Mesh Profile provisioning (Mesh profile 1.0 and 1.0.1)
  • CVE-2020-26559 – Bluetooth Mesh Profile AuthValue leak (Mesh profile 1.0 and 1.0.1)
  • CVE-2020-26560 – Impersonation attack in Bluetooth Mesh Profile provisioning (Mesh profile 1.0 and 1.0.1)

“Our attacks work even when the victims are using Bluetooth’s strongest security modes, e.g., SSP and Secure Connections. Our attacks target the standardized Bluetooth authentication procedure, and are therefore effective against any standard compliant Bluetooth device,” the researchers said.

The Android Open Source Project (AOSP), Cisco, Cradlepoint, Intel, Microchip Technology, and Red Hat are among the identified vendors with products impacted by these security flaws. AOSP, Cisco, and Microchip Technology said they are currently working to mitigate the issues.

The Bluetooth Special Interest Group (SIG), the organization that oversees the development of Bluetooth standards, has also issued security notices for each of the six flaws. Bluetooth users are recommended to install the latest recommended updates from device and operating system manufacturers as and when they are available.

Source: The Hacker News

Tags: IoT security