Bluetooth Attacks on Vehicles

Bluetooth in Modern Vehicles

Modern vehicles are rolling Bluetooth endpoints. A typical 2024 model year car has multiple Bluetooth interfaces: BLE for phone-as-key functionality, Bluetooth Classic for hands-free calling and audio streaming, and in some cases further BLE devices such as aftermarket tire pressure sensors, interior sensors, or passenger-detection modules (factory tire pressure monitoring normally uses a separate 315/433 MHz link rather than Bluetooth).

The automotive industry has embraced Bluetooth for convenience features. Phone-as-key allows drivers to unlock and start their vehicle using a smartphone app instead of a physical key fob. Hands-free calling and audio streaming are expected features in every price segment. Over-the-air (OTA) software updates, by contrast, are delivered over the vehicle's cellular or WiFi connection; Bluetooth's role is short-range connectivity to the driver's phone.

This extensive Bluetooth integration creates a broad attack surface. Each Bluetooth interface is a potential entry point, and the consequences of a successful attack on a vehicle are more severe than for a typical consumer device: physical access to the car, tracking of its location, and in some cases influence over vehicle functions.

Infotainment System Vulnerabilities

Vehicle infotainment systems run complex software stacks - often based on Linux, Android Automotive, or QNX - with Bluetooth connectivity for phone pairing, media playback, and contact synchronization. These systems have a history of exploitable vulnerabilities.

graph TD
    subgraph "Infotainment Attack Surface"
        A[Bluetooth Pairing Interface] --> B[Infotainment Head Unit]
        C[USB Port] --> B
        D[WiFi Interface] --> B
        B --> E[CAN Bus Gateway]
        E --> F[Vehicle Control Systems]
        B --> G[Contact/Call Data]
        B --> H[Navigation History]
        B --> I[Connected Phone Data]
    end
    subgraph "BlueBorne Impact on Vehicles"
        J[BlueBorne Vulnerability 2017] --> K[Affected Android-Based Head Units]
        K --> L[Remote Code Execution via Bluetooth]
        L --> M[No Pairing Required]
    end

Vehicle infotainment attack surface - Bluetooth provides wireless access to complex software systems

The BlueBorne vulnerabilities (disclosed in September 2017 by Armis) affected the Bluetooth stacks of Android, iOS, Windows, and Linux. Several of them allowed remote code execution over Bluetooth without the attacker pairing with the target, and without the target even being in discoverable mode: an attacker within radio range could execute arbitrary code on the device. Since many infotainment head units run Android or Linux, they were exposed if their Bluetooth stack was never patched, and automotive software typically receives updates far less often than phones and laptops do.

The infotainment system's position in the vehicle architecture is critical. In many vehicles, the head unit has some level of connectivity to the CAN (Controller Area Network) bus - the internal communication system that connects vehicle components including engine control, braking, and steering. While automotive engineers place gateways between the infotainment system and safety-critical CAN bus segments, the boundaries are not always robust: the 2015 remote compromise of a Jeep Cherokee by Charlie Miller and Chris Valasek reached the CAN bus through the Uconnect head unit, entering over its cellular interface rather than Bluetooth, but the same head unit is also the endpoint for every Bluetooth connection.

The Tesla BLE Relay Attack

In May 2022, Sultan Qasim Khan of NCC Group demonstrated a relay attack against Tesla's BLE phone key system. The attack allowed an attacker to unlock and start a Tesla Model 3 or Model Y without the owner's phone being nearby.

Tesla's phone key works over BLE. When the owner's phone is within BLE range of the vehicle (typically a few meters), the car authenticates the phone and allows entry and ignition. The system is designed so that the car only unlocks when the phone is physically close.

graph LR
    subgraph "Normal BLE Phone Key"
        A[Owner Phone] -->|BLE ~3m| B[Tesla]
    end
    subgraph "BLE Relay Attack"
        C[Owner Phone] -->|BLE| D[Relay Device 1 - Near Owner]
        D -->|Internet/WiFi| E[Relay Device 2 - Near Car]
        E -->|BLE| F[Tesla]
    end
    subgraph "Result"
        F --> G[Car Unlocks]
        G --> H[Car Starts]
        H --> I[Attacker Drives Away]
    end

Tesla BLE relay attack - extending the BLE connection from meters to kilometers using relay hardware

Khan's attack used two relay devices. One was positioned near the owner's phone (for example, outside their house or office), the other near the car. The devices forwarded the BLE traffic between phone and car over a separate link such as WiFi or the internet, extending the effective range from a few meters to whatever distance the attacker's backhaul covers.

The car could not distinguish a direct BLE connection to the nearby phone from a relayed one passing through the attacker's hardware. The cryptographic authentication between phone and car stayed intact: the relay transparently forwarded every packet, including the challenge and the phone's authenticated response. The attack defeated the distance assumption (that a BLE connection implies physical proximity) without breaking any cryptography.

Khan's relay worked at the BLE link layer and added only about 8 milliseconds of latency, well inside the timing variation of a normal BLE connection. That matters because the obvious software countermeasure, rejecting responses that arrive late, cannot tell 8 ms of relay delay apart from ordinary radio and host jitter; earlier relay tools that worked at the GATT layer added far more delay and could be caught that way. Tesla's BLE implementation at the time enforced no latency bound in any case, so the extra delay did not cause the authentication to fail.
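The two properties above, that the relay leaves the cryptography intact and that a coarse latency bound cannot see an 8 ms relay, are easy to reproduce in a simulation. The following is an added example written for this page, not NCC Group's relay tool or Tesla's actual key protocol: the HMAC challenge/response, the 1 ms phone turnaround, the 30 ms latency bound and the 2 m distance bound are all assumptions chosen for illustration. It also goes one step beyond the Tesla case by modelling the time-of-flight distance bound that UWB ranging (discussed under Phone-as-Key Risks) provides, to show why that bound catches the same relay.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Optional

# Nothing forwards a packet faster than light; time-of-flight ranging leans on
# this, and it is the one thing a relay cannot cheat.
C_M_PER_S = 299_792_458.0


class Phone:
    """Owner's phone. Proves possession of the pairing key by answering a fresh nonce."""

    def __init__(self, pairing_key: bytes) -> None:
        self._key = pairing_key

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


class DirectLink:
    """Phone genuinely within BLE range. Round trip = radio time of flight there and
    back + the phone's turnaround (assumed fixed at 1 ms so the car can subtract it)."""

    def __init__(self, phone: Phone, distance_m: float, turnaround_s: float = 1e-3) -> None:
        self.phone, self.distance_m, self.turnaround_s = phone, distance_m, turnaround_s

    def exchange(self, nonce: bytes) -> tuple[bytes, float]:
        rtt_s = 2 * self.distance_m / C_M_PER_S + self.turnaround_s
        return self.phone.respond(nonce), rtt_s


class RelayLink:
    """Two relay boxes forwarding link-layer packets between phone and car.
    The relay holds no key and changes no bytes; all it can do is add delay."""

    def __init__(self, inner: DirectLink, added_delay_s: float) -> None:
        self.inner, self.added_delay_s = inner, added_delay_s

    def exchange(self, nonce: bytes) -> tuple[bytes, float]:
        response, rtt_s = self.inner.exchange(nonce)
        return response, rtt_s + self.added_delay_s


class Car:
    """Vehicle side. max_rtt_s models a coarse latency bound on the whole exchange;
    max_distance_m models a time-of-flight distance bound of the kind UWB ranging
    gives. With neither set, only the MAC is checked (the assumed Tesla behaviour)."""

    def __init__(self, pairing_key: bytes, turnaround_s: float = 1e-3,
                 max_rtt_s: Optional[float] = None,
                 max_distance_m: Optional[float] = None) -> None:
        self._key = pairing_key
        self.turnaround_s = turnaround_s
        self.max_rtt_s = max_rtt_s
        self.max_distance_m = max_distance_m

    def apparent_distance_m(self, rtt_s: float) -> float:
        """Strip the known turnaround, halve for one-way time, scale by c."""
        return max(0.0, (rtt_s - self.turnaround_s) / 2 * C_M_PER_S)

    def authenticate(self, link) -> str:
        nonce = os.urandom(16)
        response, rtt_s = link.exchange(nonce)
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):
            return "rejected: bad response"
        if self.max_rtt_s is not None and rtt_s > self.max_rtt_s:
            return "rejected: too slow"
        if self.max_distance_m is not None and self.apparent_distance_m(rtt_s) > self.max_distance_m:
            return "rejected: too far"
        return "unlocked"


def demo() -> dict[str, str]:
    """Run the scenarios from the text against three car policies."""
    key = os.urandom(32)
    nearby = DirectLink(Phone(key), distance_m=1.5)
    link_layer_relay = RelayLink(nearby, added_delay_s=8e-3)  # ~8 ms, as in the NCC tool
    gatt_relay = RelayLink(nearby, added_delay_s=0.25)        # a slower, higher-layer relay
    mac_only = Car(key)
    latency_bound = Car(key, max_rtt_s=0.030)                 # reject replies slower than 30 ms
    distance_bound = Car(key, max_distance_m=2.0)             # reject phones further than 2 m
    return {
        "mac_only/nearby": mac_only.authenticate(nearby),
        "mac_only/link_layer_relay": mac_only.authenticate(link_layer_relay),
        "latency_bound/gatt_relay": latency_bound.authenticate(gatt_relay),
        "latency_bound/link_layer_relay": latency_bound.authenticate(link_layer_relay),
        "distance_bound/nearby": distance_bound.authenticate(nearby),
        "distance_bound/link_layer_relay": distance_bound.authenticate(link_layer_relay),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:34} {outcome}")
```

The MAC-only car unlocks through the relay because the relay never touches the bytes it forwards; the 30 ms latency bound rejects the slow relay but not the 8 ms one; the 2 m distance bound rejects the 8 ms relay outright, since 8 ms of round trip corresponds to roughly 1,200 km of apparent distance. The simulation assumes a perfectly fixed 1 ms phone turnaround; a real BLE host jitters by milliseconds, which swamps the nanoseconds of radio time of flight, and that is exactly why a usable distance bound needs dedicated UWB hardware with precise timestamps rather than a software check on the BLE exchange.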

Keyless Entry Amplification Attacks

Before BLE phone keys, the primary vehicle wireless key technology was the traditional key fob using radio frequencies (typically 315 MHz or 433 MHz) with rolling codes. These systems are vulnerable to the same class of relay attacks, sometimes called signal amplification attacks.

In a key fob relay attack, two attackers work together. One stands near the target vehicle with a relay device. The other stands near the vehicle owner (who has the key fob in a pocket, at home, or in a restaurant). Passive keyless entry works by having the car send a short-range low-frequency challenge (typically around 125 kHz, reaching only a metre or two) that the fob answers on its UHF channel. The relay picks up the challenge beside the car, carries it to the fob, and carries the fob's answer back, so the car believes the fob is right at the door handle.

This attack has been documented in numerous vehicle thefts across Europe and North America. Security camera footage has captured teams of thieves using relay equipment to steal cars from driveways in under 60 seconds. The attack works on most vehicles with passive keyless entry (the feature where you can unlock the car by approaching with the fob in your pocket).

BMW ConnectedDrive Vulnerabilities

BMW's ConnectedDrive system has been the subject of multiple security research findings. In 2015, the ADAC (German automobile club) discovered that BMW's ConnectedDrive used unencrypted HTTP connections for some vehicle communications, allowing attackers to intercept and replay commands to unlock vehicles.

The vulnerability affected approximately 2.2 million BMW, Mini, and Rolls-Royce vehicles equipped with ConnectedDrive. An attacker could set up a fake cellular base station near the target vehicle, intercept the unencrypted communication, and send commands to unlock the doors. BMW issued an over-the-air update to switch to HTTPS, but the incident demonstrated that even premium automakers could make fundamental security mistakes in their connected vehicle platforms. This was a cellular-side weakness rather than a Bluetooth one, but the failure is the same pattern that matters for BLE keys: a remote unlock path that trusted its transport instead of authenticating the command.

Phone-as-Key Risks

The automotive industry is moving rapidly toward phone-as-key systems, with BLE as the primary wireless technology. Apple's Car Key, Google's digital car key for Android, and manufacturer-specific implementations all use BLE for proximity-based vehicle access.

The relay attack demonstrated against Tesla applies broadly to any BLE-based key system that treats signal proximity as a security property. The Car Connectivity Consortium's Digital Key specification (Release 3.0) addresses relay attacks with Ultra-Wideband (UWB) secure ranging alongside BLE: the car measures the round-trip time of flight of a UWB exchange, and because radio cannot travel faster than light, a relay can only add delay; it can never make the phone appear closer than it is. UWB adoption in vehicles is still in its early stages.

Until UWB-based distance verification is standard, BLE phone key systems remain vulnerable in principle to relay attacks. The practical risk depends on the attacker's ability to position relay hardware near both the owner's phone and the target vehicle at the same time, a requirement that limits the attack to targeted operations rather than opportunistic theft.

Defense Strategies

For vehicle owners concerned about wireless key attacks, several mitigation options exist.

Faraday pouches block radio signals from reaching the key fob or phone. Storing a key fob in a Faraday pouch at home prevents relay attacks that try to reach the fob through walls. Some vehicle owners use metal containers (cookie tins work in a pinch) as improvised Faraday cages.

Disabling passive entry when parked forces the use of a physical button press on the fob to unlock the car. This defeats relay attacks because the fob must be actively triggered, not just passively present. Many vehicles allow this setting to be configured through the infotainment menu.

Motion-based fob timeout is a feature in newer key fobs that puts the fob to sleep when it detects no motion for a period (typically 30-60 seconds). A sleeping fob does not respond to proximity queries, defeating relay attacks against stationary fobs. Ford, Jaguar Land Rover, and BMW have implemented this feature in recent fob designs.

PIN-to-drive adds a secondary authentication step. Tesla and some other manufacturers allow owners to set a PIN that must be entered on the touchscreen before the car will move, even after it has been unlocked and started via the phone key. A relayed unlock can still open the doors, but it cannot end in the car being driven away.

Assessing Vehicle BLE Exposure

The BLEShark Nano can scan for BLE advertisements from vehicles in parking areas, demonstrating the wireless exposure of modern cars. During authorized security assessments, this scanning reveals which vehicles are broadcasting BLE signals, the nature of those broadcasts, and the density of BLE-enabled vehicles in a given area.
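What such a scan actually returns is a raw advertising payload per device, a sequence of length-prefixed AD structures, and the "nature of the broadcast" comes from decoding those structures. The parser below is an added example written for this page, not the BLEShark Nano's firmware or output format; the sample payload is constructed by hand for illustration, not a capture from any real vehicle, and the company-ID table is a deliberately small subset of the Bluetooth SIG assigned numbers.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Advertising data (AD) types from the Bluetooth Assigned Numbers.
AD_FLAGS = 0x01
AD_UUID16_INCOMPLETE = 0x02
AD_UUID16_COMPLETE = 0x03
AD_SHORT_NAME = 0x08
AD_COMPLETE_NAME = 0x09
AD_TX_POWER = 0x0A
AD_SERVICE_DATA_16 = 0x16
AD_MANUFACTURER = 0xFF

FLAG_LE_GENERAL_DISCOVERABLE = 0x02

# A few Bluetooth SIG company identifiers; 16-bit, little-endian on the wire.
COMPANY_IDS = {0x0006: "Microsoft", 0x004C: "Apple", 0x0059: "Nordic Semiconductor"}


@dataclass
class Advertisement:
    flags: int | None = None
    name: str | None = None
    tx_power_dbm: int | None = None
    service_uuids: list[int] = field(default_factory=list)
    service_data: dict[int, bytes] = field(default_factory=dict)
    manufacturer_id: int | None = None
    manufacturer_data: bytes = b""
    other: list[tuple[int, bytes]] = field(default_factory=list)


def parse_advertisement(payload: bytes) -> Advertisement:
    """Walk the [length][type][data...] structures of an advertising payload.
    `length` counts the type byte plus the data, so the data is length - 1 bytes."""
    adv = Advertisement()
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:  # zero-length structure: padding, nothing more to read
            break
        if i + 1 + length > len(payload):
            raise ValueError(f"AD structure at offset {i} runs past the end of the payload")
        ad_type = payload[i + 1]
        data = payload[i + 2 : i + 1 + length]
        if ad_type == AD_FLAGS and data:
            adv.flags = data[0]
        elif ad_type in (AD_UUID16_INCOMPLETE, AD_UUID16_COMPLETE):
            adv.service_uuids.extend(
                int.from_bytes(data[j : j + 2], "little") for j in range(0, len(data) - 1, 2))
        elif ad_type in (AD_SHORT_NAME, AD_COMPLETE_NAME):
            adv.name = data.decode("utf-8", errors="replace")
        elif ad_type == AD_TX_POWER and data:
            adv.tx_power_dbm = int.from_bytes(data[:1], "little", signed=True)
        elif ad_type == AD_SERVICE_DATA_16 and len(data) >= 2:
            adv.service_data[int.from_bytes(data[:2], "little")] = data[2:]
        elif ad_type == AD_MANUFACTURER and len(data) >= 2:
            adv.manufacturer_id = int.from_bytes(data[:2], "little")
            adv.manufacturer_data = data[2:]
        else:
            adv.other.append((ad_type, data))
        i += 1 + length
    return adv


def exposure_notes(adv: Advertisement) -> list[str]:
    """What a surveyor would record about one broadcast."""
    notes = []
    if adv.flags is not None and adv.flags & FLAG_LE_GENERAL_DISCOVERABLE:
        notes.append("general discoverable: answers any scanner in range")
    if adv.name:
        notes.append(f"broadcasts local name {adv.name!r}: identifiable without connecting")
    if adv.manufacturer_id is not None:
        vendor = COMPANY_IDS.get(adv.manufacturer_id, f"company 0x{adv.manufacturer_id:04X}")
        notes.append(f"manufacturer data from {vendor} ({adv.manufacturer_data.hex()}): fingerprintable")
    if adv.service_uuids:
        notes.append("advertised services: " + ", ".join(f"0x{u:04X}" for u in adv.service_uuids))
    if adv.tx_power_dbm is not None:
        notes.append(f"TX power {adv.tx_power_dbm} dBm: allows rough distance estimation from RSSI")
    return notes


# Constructed sample payload for illustration; not a capture from any real vehicle.
SAMPLE_PAYLOAD = bytes.fromhex(
    "020106"          # Flags: LE General Discoverable | BR/EDR Not Supported
    "03030f18"        # Complete list of 16-bit service UUIDs: 0x180F (Battery Service)
    "06094d79436172"  # Complete local name: "MyCar"
    "020af6"          # TX power: -10 dBm
    "05ff4c00aabb"    # Manufacturer data: company 0x004C (Apple), payload aa bb
)

if __name__ == "__main__":
    for note in exposure_notes(parse_advertisement(SAMPLE_PAYLOAD)):
        print("-", note)
```

Feeding the raw payloads from a scan through parse_advertisement and exposure_notes turns a list of MAC addresses and RSSI values into the information a survey needs: which vehicles are discoverable, which broadcast a name, which leak a vendor identity through manufacturer data, and which advertise services that invite a connection. The parser rejects a payload whose last structure is truncated rather than silently reading past it, which matters because scan data from a noisy car park is routinely malformed.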

For automotive fleet managers and corporate security teams, understanding the BLE profile of company vehicles helps inform policy decisions about phone key adoption, relay attack mitigations, and vehicle security configurations. The Nano's portable form factor makes it practical to survey parking facilities, executive parking areas, and fleet lots.

As vehicles become increasingly connected through BLE, WiFi, and cellular interfaces, the wireless attack surface grows proportionally. Assessing that surface is the first step toward managing the risk.
