In this presentation I will show the workings of Sniffle Relay, the world’s first link layer relay attack on Bluetooth Low Energy (BLE), categorically defeating existing applications of BLE-based proximity authentication currently used to unlock millions of vehicles, smart locks, building access control systems, mobile devices, and laptops. This attack can be used to relay unlock commands over long distances, even when link layer encryption or GATT latency bounding have been used to mitigate existing BLE relay attack tools.
Unlike all pre-existing GATT-based BLE MITM and relay tooling, Sniffle Relay allows relaying connections that employ link layer encryption. Furthermore, Sniffle Relay applies novel relaying techniques that limit the added latency to within the range of normal GATT response timing variation, in many cases hiding the added latency altogether.
To emphasize the impact of these findings, I will demonstrate how this attack can be used to steal a Tesla Model Y, alongside multiple other demos (affecting in some cases up to hundreds of millions of devices each), some of which can be unlocked from halfway around the world.
Sultan Qasim Khan is a Principal Security Consultant at NCC Group, one of the largest security consultancies in the world with over 35 global offices, 2,000 employees and 15,000 clients. Based in Waterloo, Ontario, Canada, he specializes in assessment and development of secure embedded systems and wireless communication protocols. Sultan is experienced working in the land between software and hardware. His expertise focuses on the analysis of firmware, bootloaders, kernel drivers, debug interfaces, PCB designs, and wireless protocols from the physical layer up. Sultan is also the creator of Sniffle, the first open-source Bluetooth 5 sniffer, and nOBEX, a tool for testing and fuzzing several Bluetooth Classic profiles.