
posted by Fnord666 on Sunday May 22 2022, @09:04AM
from the ultra-secure dept.

https://arstechnica.com/information-technology/2022/05/new-bluetooth-hack-can-unlock-your-tesla-and-all-kinds-of-other-devices/

When you use your phone to unlock a Tesla, the device and the car use Bluetooth signals to measure their proximity to each other. Move close to the car with the phone in hand, and the door automatically unlocks. Move away, and it locks. This proximity authentication works on the assumption that the key stored on the phone can only be transmitted when the locked device is within Bluetooth range.

Now, a researcher has devised a hack that allows him to unlock millions of Teslas—and countless other devices—even when the authenticating phone or key fob is hundreds of yards or miles away. The hack, which exploits weaknesses in the Bluetooth Low Energy standard adhered to by thousands of device makers, can be used to unlock doors, open and operate vehicles, and gain unauthorized access to a host of laptops and other security-sensitive devices.
[...]
This class of hack is known as a relay attack, a close cousin of the person-in-the-middle attack. In its simplest form, a relay attack requires two attackers.
[...]
Here's a simplified attack diagram, taken from the above-linked Wikipedia article, followed by a video demonstration of Khan unlocking a Tesla and driving away with it, even though the authorized phone isn't anywhere nearby.


  • (Score: 2, Insightful) by Ironrose on Sunday May 22 2022, @09:46AM

    by Ironrose (17236) on Sunday May 22 2022, @09:46AM (#1247004) Journal

    If only they could hack, and connect to, my Bluetooth mouse. Regular Bluetooth is kind of hit or miss. Would be nice to have some shady types that could make it work to specs.

  • (Score: 4, Interesting) by Anonymous Coward on Sunday May 22 2022, @10:03AM (2 children)

    by Anonymous Coward on Sunday May 22 2022, @10:03AM (#1247006)

    This is not a new attack, relay attacks on key fobs are old technology. Here is a paper from 2010: https://eprint.iacr.org/2010/332.pdf [iacr.org]

    • (Score: 4, Informative) by Fnord666 on Sunday May 22 2022, @08:27PM

      by Fnord666 (652) on Sunday May 22 2022, @08:27PM (#1247093) Homepage

      This is not a new attack, relay attacks on key fobs are old technology. Here is a paper from 2010: https://eprint.iacr.org/2010/332.pdf [iacr.org]

      They mention the previous work in the article. What this attack adds is that it's a MITM at the link layer.

      The key to the successful bypass is that, unlike previous BLE relay attacks, it captures data from the baseband—where radio signals are sent to and received from the devices—and does so at the link layer, the very lowest level of the Bluetooth stack, where connections are advertised, created, maintained, and terminated. Previous BLE relay attacks worked at the GATT—short for Generic Attribute Profile—layer, which is much higher up the stack.

    • (Score: 0) by Anonymous Coward on Sunday May 22 2022, @10:11PM

      by Anonymous Coward on Sunday May 22 2022, @10:11PM (#1247108)

      The door unlock signal should be much weaker than the lock signal. You should have to be close to your car to unlock it but you should be able to lock it from much further.

  • (Score: 4, Insightful) by Mojibake Tengu on Sunday May 22 2022, @10:30AM (7 children)

    by Mojibake Tengu (8598) on Sunday May 22 2022, @10:30AM (#1247008) Journal

    This approach can be performed on any kind of active RFID mechanism, not just Bluetooth.

    The fundamental design error of all such kinds of identification mechanisms is the funny assumption that a 1-dimensional space metric defined by signal range (intensity) is somehow magically guaranteed by the physical means of transmitter properties, then re-interpreting such a magical guarantee logically as spacetime proximity, then interpreting this proximity as goal satisfaction.

    Perceived proximity is a hint, not a guarantee. Taking it as a guarantee produces a logical flaw in the perception/deduction chain. A conscious confirmation needs to be added to the chain at least, a veto on the goal.

    In the abstract model of hacking, it is generally a domain structure mismatch: an assumption of constraint is unjustifiably transferred from one category of objects to another category.
    Weak transfer of constraint.

    --
    Respect Authorities. Know your social status. Woke responsibly.
    • (Score: 5, Insightful) by VanessaE on Sunday May 22 2022, @01:08PM (6 children)

      by VanessaE (3396) <vanessa.e.dannenberg@gmail.com> on Sunday May 22 2022, @01:08PM (#1247014) Journal

      Don't devices that need such checks (at least the more "important" ones) do something a little more logical, such as measuring the ping time between the "base" and the remote/fob?

      That would give you proximity regardless of signal strength (provided there's enough signal to read).

      • (Score: 0) by Anonymous Coward on Sunday May 22 2022, @02:17PM (3 children)

        by Anonymous Coward on Sunday May 22 2022, @02:17PM (#1247017)

        i don't understand it.
        the car and FOB have a shared secret. so challenge-response.
        you can relay thru a 3rd party (relay station) that has no clue what these two are on about ...
        however one would assume that the car wouldn't wait a few hours for the reply from the key FOB on mars to arrive... so yeah, barring "faster than light" tech, giving only a limited time window for the reply would kinda guarantee proximity?
        i assume it's not done 'cause of the "slowness" of the processing of the "brainz" inside the car and FOB. one car/FOB "reality tick", say 1 MHz(?) is lazy-number-lightspeed 300'000km/s / 1'000'000 = 300m? but that's just one "bit" or even just half a bit?
        for one ascii symbol you would need like 8, and then you prolly want a key with muchos symbols, like a big prime or something?
        ofc one could parallel it, like use multiple frequencies (1.01 MHz, 1.02 MHz, 1.03 MHz...1.08 MHz), maybe 8 of them, so one ascii symbol in one second arrives at a distance of 300m.
        cool shit, now give me back my car-keys.

        • (Score: 3, Interesting) by VanessaE on Sunday May 22 2022, @07:53PM (2 children)

          by VanessaE (3396) <vanessa.e.dannenberg@gmail.com> on Sunday May 22 2022, @07:53PM (#1247086) Journal

          Maybe I'm way wrong, but here's one way I think it could work (for all I know I'm not the first to think of this):

          Suppose you did the "ping" in the analog domain....

          Initially the fob would reach out to the base via normal digital/data means, and the two would agree to conduct a proximity test.

          In that process, the base would tell the fob what frequencies the fob must listen on and respond on.

          Once they agree to proceed, the fob then stops transmitting on its digital channel and starts a simple oscillator transmitting dead air on the frequency the base told it to respond on.

          The base stops transmitting on its digital channel, makes note of the signal strength from the fob, then starts an oscillator transmitting dead air on the frequency it told the fob to listen on.

          After say, a tenth of a second, the base shuts off that oscillator and switches a floating gate or something else that can store an arbitrary but small charge, into the receiver circuit. That gate starts out totally flat, charging-up via the fob's transmitted carrier.

          The fob shuts off its oscillator when it detects the loss of the base's carrier. This bit happens via some purely analog circuit. Maybe some comparator's output changes enough in response to that loss of signal to cut off the fob's oscillator, whatever it takes to make it happen without appreciable delay.

          The base waits a bit, measures the charge it stored earlier, then does some maths to account for the signal strength it noted earlier.

          If I'm guessing right, the fob will need around 3 carrier cycles to respond, and the base's gate or whatever will end up with, let's say, 5 cycles' worth of charge on it after that, allowing for some ringdown, if the fob is right next to it.

          So if we're doing all of this at say 10 GHz, that's a wavelength of about 3 cm, so we get a minimum distance of 24 cm for an 8-cycle minimum delay time.

          Surely that's more than enough "resolution".

          • (Score: 0) by Anonymous Coward on Sunday May 22 2022, @11:30PM (1 child)

            by Anonymous Coward on Sunday May 22 2022, @11:30PM (#1247119)

            ohhh-kay.
            i guess you know more about electronics than me. what's a floating gate?
            anyways, if i understand correctly, your solution depends on signal strength?
            like a signal decays over distance?
            i don't think this will work, since a relay can be made arbitrarily strong, mimicking a fob?
            (also, i think one could chain relays)
            however, "speed of light" or propagation time cannot be cheated?
            sry if i didn't understand u correctly ...

            • (Score: 2) by VanessaE on Tuesday May 24 2022, @04:32PM

              by VanessaE (3396) <vanessa.e.dannenberg@gmail.com> on Tuesday May 24 2022, @04:32PM (#1247487) Journal

              Floating gates are used in flash memory -- they're what store the tiny charge the memory controller interprets as one or more bits. They're treated as digital entities of course, but they actually just store an arbitrary analog charge (which is why multi-level flash is a thing), and can be cajoled to behave somewhat like a mashup of a memristor and a conventional transistor when used that way. I seem to recall reading that AI/neural-net researchers are exploring that idea now.

              My idea doesn't depend on signal strength; "somewhat the opposite, actually."

              If you charge-up a component from a radio signal, and you need a fixed 1:1 relationship between charge level and whatever it's meant to measure (in this case, distance), then you have to factor-out the actual signal strength. Otherwise you'd get unreliable distance measurements just because of mundane things like a low battery or weak transmitter in the fob, or say when someone does that thing where they place the fob against their chin to concentrate the signal.

              As for a relay attack, that's a security problem, not a measurement problem, per se. One assumes the fob and the base will already do the important stuff over a secure channel, as someone else mentioned. Only the "ping" would occur in the analog domain, and since it's just an exchange of dead air and occurs on frequencies that would have been randomly-chosen and agreed upon during the secure chatter, I don't see how it would be much of a vulnerability. Plus, any such relay would have to listen to and echo back the entire chunk of spectrum in question all at once in realtime, just to spoof that ping event, and I'm pretty sure that's impossible.

              Plus, the base should assume the fob will be incapable of exceeding a certain signal level (even if it were right next to the receiving antenna), so anything that reads stronger than the fob's maximum theoretical output can be rejected outright.

              Unless you want to somehow mimic the fob being farther away, the only way a relay could "cheat" the speed of light or propagation time is if it could somehow react faster than the fob could (to the base dropping carrier), but it would have to know that a ping is coming and on what frequencies, which means the relay would first have to compromise the base-fob secure channel.

              And after all of this, if wireless comms fail, there's still the fallback option of having the fob make physical contact with something at the base, such as inserting a connector on it into a (weather-proof) receptacle on the door, as if it were a thumbdrive. Of course at that point, you may as well be using a plain old key.

      • (Score: 1, Troll) by Mojibake Tengu on Sunday May 22 2022, @05:55PM (1 child)

        by Mojibake Tengu (8598) on Sunday May 22 2022, @05:55PM (#1247060) Journal

        Wrong.

        Since those devices actually do encryption, that communication takes a lot of time. With enough cheap bandwidth on the attacker's side, the time domain does not give a guarantee, the same way the space domain does not.
        And a simple ping without encryption is easy to spoof as well.

        Please note I actually mentioned 'spacetime', not 'just space'.

        --
        Respect Authorities. Know your social status. Woke responsibly.
        • (Score: 0) by Anonymous Coward on Monday May 23 2022, @10:18PM

          by Anonymous Coward on Monday May 23 2022, @10:18PM (#1247335)

          Why is this marked 'Troll'? MT is correct, the encryption takes enough time that the latency due to light speed is negligible, especially with the low power specification that key-fobs use, and without encryption a replay attack would be sufficient. The core defect is the automatic unlock misfeature. If the owner had to press a button to unlock, like with traditional key-fobs, there would be no problem.
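The round-trip-time proximity argument in the earlier AC post ("giving only a limited time window for the reply would kinda guarantee proximity") and the objection here that encryption latency swamps the light-speed delay, worked through as an added toy model; it is not code from any poster or from the Ars article, and every delay, distance and the UnlockPolicy rule are constructed values.

```python
# Added toy model, not code from any poster or from the Ars article.
# It turns the round-trip-time (RTT) proximity argument into numbers and
# shows why the bound is only as tight as the fob's reply latency is
# predictable. Every delay, distance and policy value here is constructed.
from dataclasses import dataclass

C = 299_792_458.0  # speed of light, m/s


def rtt_seconds(distance_m: float, processing_s: float,
                relay_delay_s: float = 0.0) -> float:
    """RTT the car measures: flight out and back, the fob's reply latency,
    plus any extra latency a relay inserted into the path adds."""
    return 2.0 * distance_m / C + processing_s + relay_delay_s


def distance_bound_m(rtt_s: float, nominal_processing_s: float) -> float:
    """Largest distance consistent with one RTT once the reply latency the
    car expects from a genuine fob has been subtracted."""
    flight_s = max(rtt_s - nominal_processing_s, 0.0)
    return flight_s * C / 2.0


def tick_resolution_m(clock_hz: float) -> float:
    """Distance resolution of an RTT measured with a clock of clock_hz.
    One tick of flight covers c / clock_hz metres, but that is split over
    the outbound and return legs, so the one-way resolution is half of it
    (about 150 m for a 1 MHz clock)."""
    return C / clock_hz / 2.0


@dataclass
class UnlockPolicy:
    """Constructed unlock rule: accept only if the RTT-derived distance
    bound, after forgiving worst-case reply latency, is within range."""
    max_distance_m: float
    nominal_processing_s: float  # reply latency a genuine fob needs
    jitter_s: float              # how much that latency may legitimately vary

    def accepts(self, rtt_s: float) -> bool:
        # Jitter the car cannot tell apart from flight time has to be
        # forgiven, so it widens the radius an attacker can hide in.
        return distance_bound_m(rtt_s - self.jitter_s,
                                self.nominal_processing_s) <= self.max_distance_m


def demo() -> dict:
    """Two policies, the same 200 ns relay, very different outcomes."""
    fob_at_2m = rtt_seconds(2.0, 1e-6)
    relayed_2m = rtt_seconds(2.0, 1e-6, relay_delay_s=2e-7)
    tight = UnlockPolicy(5.0, nominal_processing_s=1e-6, jitter_s=1e-8)
    # Reply latency of a fob that runs a crypto handshake before answering.
    loose = UnlockPolicy(5.0, nominal_processing_s=1e-3, jitter_s=5e-5)
    relayed_300m = rtt_seconds(300.0, 1e-3, relay_delay_s=2e-7)
    return {
        "tight_accepts_genuine": tight.accepts(fob_at_2m),
        "tight_accepts_relayed": tight.accepts(relayed_2m),
        "loose_accepts_relayed_300m": loose.accepts(relayed_300m),
        # One-way radius the loose policy's jitter alone lets a relay hide in.
        "loose_hiding_radius_m": distance_bound_m(1e-3 + 5e-5, 1e-3),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With a microsecond-scale reply and nanosecond jitter, a 200 ns relay hop shows up as tens of metres of extra distance and is rejected; once the reply includes a millisecond handshake with tens of microseconds of jitter, the same relay hides inside a radius of several kilometres.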

  • (Score: -1, Offtopic) by requerdanos on Sunday May 22 2022, @04:11PM (13 children)

    by requerdanos (5997) Subscriber Badge on Sunday May 22 2022, @04:11PM (#1247042) Journal

    This class of hack is... a close cousin of the person-in-the-middle attack [wikipedia.org].

    (emphasis added.)

    Wokefully renaming the "Man in the middle" attack ("Man" here referring loosely to mankind) is protecting what group? Intelligent fungi? Aliens?

    Where's the benefit?

    • (Score: 0, Disagree) by Anonymous Coward on Sunday May 22 2022, @04:31PM (6 children)

      by Anonymous Coward on Sunday May 22 2022, @04:31PM (#1247045)

      It's "peoplekind" not "mankind".

      • (Score: -1, Troll) by Anonymous Coward on Sunday May 22 2022, @04:39PM (5 children)

        by Anonymous Coward on Sunday May 22 2022, @04:39PM (#1247046)

        No, it's mankind and people saying otherwise are sexist, racist and ignorant. Mankind does not have the derivation that some people would have you believe. German has two similar sounding words Mann and man. It's not Mannkind, it's Mankind. As in the children of people, not masculine exclusive.

        • (Score: -1, Troll) by Anonymous Coward on Sunday May 22 2022, @05:27PM (4 children)

          by Anonymous Coward on Sunday May 22 2022, @05:27PM (#1247055)

          You're right, but what you're missing is that the ignorance is the point. Wokesters can't be constrained by the truth, they need to be able to declare racism/sexism/whatever on a whim. That's the source of their power.

          • (Score: 1, Insightful) by Anonymous Coward on Sunday May 22 2022, @06:11PM (3 children)

            by Anonymous Coward on Sunday May 22 2022, @06:11PM (#1247065)

            Translation: the world is changing, as it always does, and I'm angry about it!

            • (Score: -1, Troll) by Anonymous Coward on Sunday May 22 2022, @06:13PM (1 child)

              by Anonymous Coward on Sunday May 22 2022, @06:13PM (#1247066)

              A change similar to this one started and fueled WW2.

              • (Score: 3, Touché) by Anonymous Coward on Sunday May 22 2022, @08:28PM

                by Anonymous Coward on Sunday May 22 2022, @08:28PM (#1247094)

                The rise of fascism socially constructing gender as part of a dominance hierarchy by which men seek to control women's reproductive organs?

            • (Score: -1, Troll) by Anonymous Coward on Sunday May 22 2022, @08:37PM

              by Anonymous Coward on Sunday May 22 2022, @08:37PM (#1247096)

              Eh. For 99% of the time covering the existence of the Human species, Authority defined everything. And each Tribe's King owned all the Women that he hadn't gifted to other males to ensure his stable rule. Human DNA and genetic behaviours define this. These societies were perpetual.

              For that other 1% of Humanity's existence, 99% of that had this unstable idea of 'nuclear monogamy'. These societies had perpetual conflict due to it being discordant with their genes.

              For that 1% of 1% of Humanity's existence, a group in limited distribution of the planet had the thinking that Wallace-like evolution of an artificial system could magically happen. They bred out within a century, and weren't known to even 20% of the human population of their time.

    • (Score: -1, Troll) by Anonymous Coward on Sunday May 22 2022, @05:06PM

      by Anonymous Coward on Sunday May 22 2022, @05:06PM (#1247051)

      It's working against the 24378 gender phenomenon by reducing to 20 genders.

      Fewer genders is better, right?

      Right wingers want 21 genders with one calling the shots and the other subservient. Patriarchy and so-called radical feminism argue about which should be which.

      Only the glorious socialist revolution can struggle against bathroom construction contractors pushing an increasingly increasing number of genders on us.

    • (Score: -1, Troll) by Anonymous Coward on Sunday May 22 2022, @06:09PM

      by Anonymous Coward on Sunday May 22 2022, @06:09PM (#1247064)

      I've started a new biz for peeps like u, Cloud Meme, we will generate sky writing that makes you look less crazy as you yell at it.

    • (Score: 2) by mcgrew on Sunday May 22 2022, @06:32PM (1 child)

      by mcgrew (701) <publish@mcgrewbooks.com> on Sunday May 22 2022, @06:32PM (#1247070) Homepage Journal

      That's stupid. The word "woman" is a contraction of womb man; a man with a womb. It's a workman no matter what sex is doing the work.

      --
      mcgrewbooks.com mcgrew.info nooze.org
      • (Score: 1, Touché) by Anonymous Coward on Sunday May 22 2022, @08:21PM

        by Anonymous Coward on Sunday May 22 2022, @08:21PM (#1247092)

        https://www.etymonline.com/word/woman [etymonline.com]

        "adult female human," late Old English wimman, wiman (plural wimmen), literally "woman-man," alteration of wifman (plural wifmen) "woman, female servant" (8c.), a compound of wif "woman" (see wife) + man "human being" (in Old English used in reference to both sexes; see man (n.)). Compare Dutch vrouwmens "wife," literally "woman-man."

        It is notable that it was thought necessary to join wif, a neuter noun, representing a female person, to man, a masc. noun representing either a male or female person, to form a word denoting a female person exclusively. [Century Dictionary]

        The formation is peculiar to English and Dutch. Replaced older Old English wif and quean as the word for "female human being." The pronunciation of the singular altered in Middle English by the rounding influence of -w-; the plural retains the original vowel. Meaning "wife," now largely restricted to U.S. dialectal use, is attested from mid-15c.

        https://www.etymonline.com/word/womb [etymonline.com]

        Old English wamb, womb "belly, bowels, heart, uterus," from Proto-Germanic *wambo (source also of Old Norse vomb, Old Frisian wambe, Middle Dutch wamme, Dutch wam, Old High German wamba, German Wamme "belly, paunch," Gothic wamba "belly, womb," Old English umbor "child"), of unknown origin.

        The term you're looking for might be "wombyn" from "womyn" from ibid.

    • (Score: 2) by Fnord666 on Sunday May 22 2022, @08:35PM

      by Fnord666 (652) on Sunday May 22 2022, @08:35PM (#1247095) Homepage

      This class of hack is... a close cousin of the person-in-the-middle attack [wikipedia.org].

      (emphasis added.)

      Wokefully renaming the "Man in the middle" attack ("Man" here referring loosely to mankind) is protecting what group? Intelligent fungi? Aliens?

      Where's the benefit?

      The funny thing is that traditionally the "character" depicted in diagrams is usually Eve.

    • (Score: 2) by maxwell demon on Monday May 23 2022, @02:46PM

      by maxwell demon (1608) on Monday May 23 2022, @02:46PM (#1247221) Journal

      “Person-in-the-middle attack” is still discriminating against impersonal attackers. I hereby request that it gets renamed to “entity-in-the-middle attack”!

      --
      The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 3, Interesting) by mcgrew on Sunday May 22 2022, @06:29PM (2 children)

    by mcgrew (701) <publish@mcgrewbooks.com> on Sunday May 22 2022, @06:29PM (#1247069) Homepage Journal

    No it can't. I don't have one.

    And as a child magician I could get out of a pair of genuine police handcuffs with a paper clip, tried it with a cop friend's handcuffs years later when I was a teenager. Any lock can be picked, any security professionals and a lot of us who aren't professionals will tell you that.

    Locks are for two kinds of people: The honest or the unlearned. It's a moot point, a crook can simply tow it. Tow trucks are impervious to locks, physical or electronic.

    --
    mcgrewbooks.com mcgrew.info nooze.org
    • (Score: 0) by Anonymous Coward on Sunday May 22 2022, @11:38PM

      by Anonymous Coward on Sunday May 22 2022, @11:38PM (#1247120)

      please unlock fusion for us ... post youtube vid and i'll buy a tow truck!

    • (Score: 0) by Anonymous Coward on Monday May 23 2022, @11:11PM

      by Anonymous Coward on Monday May 23 2022, @11:11PM (#1247348)

      Tow trucks are also expensive and have the name of the owner printed on the side for easy identification. This is a cheap and simple attack that two people working together can execute without attracting attention or raising suspicion.

  • (Score: 1) by Fuzzums on Monday May 23 2022, @09:02AM (2 children)

    by Fuzzums (2009) on Monday May 23 2022, @09:02AM (#1247169)

    Boomer here: It used to be called a man-in-the-middle attack. When did this change?

    • (Score: 2) by Freeman on Monday May 23 2022, @03:38PM (1 child)

      by Freeman (732) on Monday May 23 2022, @03:38PM (#1247241) Journal

      PITM for the woke, because "Man" is negative.

      --
      Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
      • (Score: 0) by Anonymous Coward on Monday May 23 2022, @03:48PM

        by Anonymous Coward on Monday May 23 2022, @03:48PM (#1247244)

        Wrong oh fictitiously maligned Karen, not because "man" is negative but because "man" is an incomplete description of possible reality. See, take your irritation at people using non-gendered words then imagine what it must be like for every non-cis-male to always see "he". Yours is the irritation of privilege not wanting your familiar reality altered. The other is the irritation from (minor) oppression. Are minor changes to language etiquette really too much for you to bear?
