Security company says Teslas can be unlocked and driven using a simple, inexpensive hack
- A security company uncovered a security flaw in Bluetooth used by companies across many industries.
- The firm was able to unlock a Tesla and operate it without using a key.
A cybersecurity company uncovered a vulnerability that hackers could exploit to unlock a Tesla and drive away.
UK-based NCC Group says it found security flaws in Bluetooth Low Energy (BLE), the technology that many cars, including Tesla, use to detect when an owner is close by and allow them to operate the vehicle without turning a key. The company said millions of vehicles, residential smart locks, laptops, and other devices that use BLE for proximity authentication are vulnerable to attack.
"Our research shows that systems that people rely on to guard their cars, homes and private data are using Bluetooth proximity authentication mechanisms that can be easily broken with cheap off-the-shelf hardware," NCC said in a press release Monday.
One convenient part of owning a Tesla is that owners can download the automaker's app to use their phone as a car key. It's a neat benefit that leaves some Teslas exposed to cyberattacks, NCC Group said. The company said it used a series of so-called relaying devices to trick a 2020 Tesla Model 3 into thinking its owner's phone was nearby, when in fact the phone was 25 meters away.
NCC Group was able to unlock and operate the Tesla even when the authorized iPhone was far outside of BLE range. The company said it expects Model Y vehicles are vulnerable to the same attack.
"What makes this powerful is not only that we can convince a Bluetooth device that we are near it — even from hundreds of miles away — but that we can do it even when the vendor has taken defensive mitigations," said NCC Group principal security consultant and researcher, Sultan Qasim Khan, who conducted this research.
NCC Group said it notified Tesla's security team of the vulnerability, and that the automaker said it was aware of the issue.
Tesla did not immediately return a request for comment.
NCC Group said it was also able to use a relay attack to unlock a particular model of Kwikset smart lock. In a statement to Insider, a Kwikset spokesperson said enhanced security features including two-factor authentication protect against relay attacks.
In an emailed statement, Bluetooth Special Interest Group, the association that oversees Bluetooth technology, said it "prioritizes security and the specifications include a collection of features that provide product developers the tools they need to secure communications between Bluetooth devices." The group said it educates developers about security risks and works to address vulnerabilities.