Locking devices using BLE (Bluetooth Low Energy) are multiplying in everyday objects, whether house locks, cars or other systems, the presence in the close environment of a certified device allows quick (and comfortable) opening for the user.
The problem is that it is possible for a hacker to use a small device that acts as a bridge between the user’s phone and the target device in order to then unlock it remotely. For the demonstration, the NCC Group researcher opened up a 2021 Tesla Model Y.
Although the car served as a demonstration, NCC Group said any locks using similar technology could be targeted. Tesla has been contacted by Reuters, but has not yet issued any comment.
A fundamental problem
Usually, when this kind of flaw is discovered, companies make software updates to fix the problem. Except that in this case, things may be more complicated.
Indeed, NCC Group explains that BLE technology was not initially created to be used in locking mechanisms. As a result, BLE-based authentication is not robust enough for this kind of application.
In the end, users use (with confidence) “systems to protect their cars, homes and private data with Bluetooth proximity authentication mechanisms that can be easily broken with cheap off-the-shelf hardware”the firm said.
Until a solution is offered by the various manufacturers, it is therefore advisable to be cautious and not blindly rely on connected locks.