A group of security researchers have found a way to circumvent digital locks and other security systems that rely on the proximity of a mobile device for verification.

There are contents.

  • How it works
  • How to protect yourself

A security consulting firm was able to open smart locks without a key in the vicinity using a link layer relay attack.

Tesla Model 3 keycard.

Sultan Qasim Khan, the principal security consultant and researcher with the NCC Group, demonstrated an attack on a Model 3. Any vehicle that uses BLE would be vulnerable to this attack.

Many smart locks are vulnerable. His firm called out the Kevo models since they use a touch-to-open feature that relies on passive detection of a phone nearby. Since the lock's owner doesn't need to interact with the device to confirm they want to open the door, a hacker can send the key from a remote location and open the door.

How it works

This exploit requires the attacker to have access to the owner's actual device. What makes it potentially dangerous is that the real key doesn't need to be close to the vehicle, lock, or other secured device.

Instead, the lock and key are sent through a pair of intermediate devices that are connected to the internet. The lock treats the hacker's nearby device as if it is the valid key.

Even when the vendor has taken defensive measures to protect their communications from attackers, we can convince a device that we are near it.

The exploit works at a very low level of the Bluetooth stack, so it doesn't matter if the data is secure or not. The lock doesn't know that it isn't communicating with a legitimate device.

A thief would only need to place one device within a few feet of the owner and the other near the lock if they used a passive security key. A pair of thieves could follow aTesla owner away from their vehicle and steal their car once the owner was far enough away.

These attacks can be carried out even across vast distances. A person on vacation in London could have their keys sent to their door locks in Los Angeles, allowing a thief to gain access quickly.

Cars and smart locks aren't the only things this goes beyond. It could be used to spoof the location of an asset or a medical patient, as well as prevent mobile phones from locking, circumvent building access control systems, and even unlock laptops that rely on proximity detection.

This isn't a traditional bug that can be fixed with a software patch. It is not a flaw in the specification. It is a matter of using the wrong tool for the job. At least not for use in critical systems such as locking mechanisms, the firm notes.

How to protect yourself

It's important to keep in mind that this vulnerability is specific to systems that rely solely on passive detection.

For example, this exploit can be used to circumvent security systems that require you to open a specific app, or push a button on a key fob, for example. When you're not near the car, door, or laptop, you're not going to try and open it unless you take that action.

August Wi-Fi Smart Lock installed on door.
August smart lock August

This won't be a problem for apps that take steps to confirm your location. The August smart lock has an auto-unlock feature that relies on proximity detection, but the app also checks your location to make sure you are actually returning home. It can't be used to open your door when you're not at home.

If your security system allows for it, you should enable an extra step that requires you to take action before the credentials are sent to your lock. For example, Kwikset has said that it will add two-factor authentication to its lock app for the iPad, and that customers who use an Apple device can do so. When the user's phone has been stationary for an extended period, proximity unlocking is disabled.

The solutions that use a mix of protocols are not vulnerable to this attack. Apple has a feature that lets peopleunlock their Mac with their Apple Watch. The Apple Watch is able to detect it nearby initially, but it measures the actual proximity over the internet to make sure it doesn't get attacked.

There are two bulletins published by the NCC Group, one about how the vulnerability affects cars and the other about how it affects locks.

Recommended video