Cracking the Code: Hijacking Phone-as-Key Systems in Vehicles via BLE DoS Exploits
The ubiquity of Bluetooth Low Energy (BLE) in automotive and consumer devices makes it a prime target for security analysis. In this study, I demonstrate a reliable Denial of Service (DoS) attack against devices built on the CC26x2R1 LaunchPad. The CC26x2R1, part of Texas Instruments' SimpleLink™ microcontroller platform, is a wireless microcontroller (MCU) designed primarily for BLE applications; its appeal for vehicle applications lies in its wireless communication capabilities and low-power operation. A typical automotive use is keyless entry (Phone-as-Key), where a smartphone replaces the traditional key: the vehicle and the phone communicate over BLE, allowing the vehicle to be unlocked, locked, and even started remotely.
Through a series of pairing requests and confirmations, I present a method to disrupt the normal operation of the BLE stack, rendering the device unresponsive until it is power cycled. The attack causes the device under test (DUT) to cease advertising and to fail interoperability tests. My results show that the CC26x2R1 cannot be reconnected to after the attack and does not return to a normal operating state without manual intervention. This presentation will dissect the attack vector, demonstrate the vulnerability live, and discuss potential mitigations. My findings raise significant concerns about the resilience of BLE devices against DoS attacks and underscore the need for robust defences in BLE implementations.
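The abstract describes the attack only as a series of pairing requests and confirmations, so the observable signature on the air is a burst of SMP pairing PDUs from one initiator. The following Python is an added example, not code from the talk or from Texas Instruments: a sliding-window detector that flags a peer address sending an abnormal number of SMP Pairing Request (opcode 0x01) and Pairing Confirm (opcode 0x03) PDUs, which is the kind of check a sniffer-side monitor or a hardened peripheral could apply before the stack is driven into the unresponsive state. The opcodes are from the Bluetooth Core Specification (Vol 3, Part H); the log line format, the 5-second window and the threshold of 8 PDUs are assumptions chosen for illustration, and the sample capture is constructed, not a real trace.

```python
"""Sliding-window detector for a flood of SMP pairing PDUs from one peer.

Added example, not the talk's own tooling. The SMP opcodes are from the
Bluetooth Core Specification (Vol 3, Part H). The log format, window
length and threshold are assumptions for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

SMP_PAIRING_REQUEST = 0x01  # Core Spec Vol 3 Part H, Table 3.1
SMP_PAIRING_CONFIRM = 0x03


@dataclass(frozen=True)
class SmpEvent:
    ts: float      # seconds since start of capture
    peer: str      # initiator address as printed by the sniffer
    opcode: int    # first byte of the SMP PDU


class PairingFloodDetector:
    """Counts pairing-related SMP PDUs per peer inside a sliding window."""

    def __init__(self, window_s: float = 5.0, threshold: int = 8):
        self.window_s = window_s
        self.threshold = threshold
        self._seen = defaultdict(deque)   # peer -> timestamps in window

    def observe(self, ev: SmpEvent):
        """Return the peer address if this PDU pushes it over the threshold."""
        if ev.opcode not in (SMP_PAIRING_REQUEST, SMP_PAIRING_CONFIRM):
            return None
        q = self._seen[ev.peer]
        q.append(ev.ts)
        # Drop timestamps that have fallen out of the window.
        while q and ev.ts - q[0] > self.window_s:
            q.popleft()
        return ev.peer if len(q) >= self.threshold else None


def parse_log(lines):
    """Parse the assumed line format '<ts> <peer> SMP op=0x<hex>'."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts_s, peer, _tag, op_s = line.split()
        events.append(SmpEvent(float(ts_s), peer, int(op_s.split("=")[1], 16)))
    return events


def flagged_peers(lines, window_s: float = 5.0, threshold: int = 8):
    """Run the detector over a log and return peers flagged, in order."""
    det = PairingFloodDetector(window_s, threshold)
    flagged = []
    for ev in parse_log(lines):
        peer = det.observe(ev)
        if peer and peer not in flagged:
            flagged.append(peer)
    return flagged


# Constructed sniffer output, not a real capture: one benign phone that
# pairs once, then a second initiator that re-sends request/confirm
# pairs every 200 ms.
SAMPLE_LOG = [
    "# constructed capture for the example",
    "0.10 AA:BB:CC:DD:EE:01 SMP op=0x01",
    "0.35 AA:BB:CC:DD:EE:01 SMP op=0x03",
    "2.00 11:22:33:44:55:66 SMP op=0x01",
    "2.20 11:22:33:44:55:66 SMP op=0x03",
    "2.40 11:22:33:44:55:66 SMP op=0x01",
    "2.60 11:22:33:44:55:66 SMP op=0x03",
    "2.80 11:22:33:44:55:66 SMP op=0x01",
    "3.00 11:22:33:44:55:66 SMP op=0x03",
    "3.20 11:22:33:44:55:66 SMP op=0x01",
    "3.40 11:22:33:44:55:66 SMP op=0x03",
    "3.60 11:22:33:44:55:66 SMP op=0x01",
    "3.80 11:22:33:44:55:66 SMP op=0x03",
]

if __name__ == "__main__":
    print("flagged:", flagged_peers(SAMPLE_LOG))
```

The benign phone never trips the detector because two PDUs in a 5-second window are well under the threshold; the second initiator is flagged on its eighth pairing PDU. On a real deployment the threshold would be tuned against the legitimate pairing rate of the phone app, and the response on the peripheral side would be to reject further SMP traffic from that address rather than to keep servicing it.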
Key Takeaways:
- Understanding BLE Vulnerabilities
- Attack Recognition and Response
- Mitigation and Security Best Practices
Technical Rating
🔴🔴🔴🔴🔴🔴