Is it possible to perform a relay station attack on Bluetooth LE? For example if I installed an August smart lock or similar on my front door (which uses BLE to communicate with my phone to decide whether or not to unlock the door based on RSSI), would someone be able to perform this attack and get into my house even if I was hundreds of meters away from my house? Or even inside my house?

If it is possible, are there any techniques I could use in a similar application that would make it more difficult/impossible?

Hester

2 Answers

There is an interesting paper which talks about securing IoT devices such as smart locks: http://www.eecs.berkeley.edu/Pubs/TechRpts/2016/EECS-2016-11.pdf

It has a section on relay attacks, which can be summarised more or less as:

Systems can, under some circumstances, use the GPS location of the mobile as a countermeasure for relay attacks, but:

  • this depends on the system knowing about GPS locations, etc., and
  • apparently GPS location can be spoofed anyway.

Otherwise they say there's nothing you can do to mitigate Bluetooth LE relay attacks without requiring hardware changes or similar kinds of low-level things.
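
The situation the question and this answer describe, as an added example that is not part of the original post or the cited paper: a toy model of a lock that unlocks when the phone's signal is strong enough (RSSI), a relay station that places one node next to the lock and forwards the exchange to the phone hundreds of metres away, and the optional GPS-location check. The path-loss model, RSSI threshold, radius, coordinates and distances are all assumptions chosen for illustration, not values from any real lock.

```python
"""Toy model of an RSSI-gated BLE smart lock under a relay station attack.

Added example, not code from the original post. The path-loss constants,
threshold, radius and coordinates below are assumptions for illustration.
"""
import math
from dataclasses import dataclass

# Assumed log-distance path-loss model: RSSI (dBm) at 1 m and path-loss exponent.
RSSI_AT_1M = -59.0
PATH_LOSS_EXP = 2.0


def rssi_at(distance_m: float) -> float:
    """RSSI the lock's radio sees from a transmitter `distance_m` metres away."""
    return RSSI_AT_1M - 10 * PATH_LOSS_EXP * math.log10(max(distance_m, 0.1))


def haversine_m(a: tuple, b: tuple) -> float:
    """Great-circle distance in metres between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000 * math.asin(math.sqrt(h))


@dataclass
class Lock:
    location: tuple                  # where the lock is installed (assumed)
    rssi_threshold: float = -70.0    # assumed "phone is at the door" cut-off
    gps_radius_m: float = 50.0       # assumed radius for the GPS check
    check_gps: bool = False          # the countermeasure the paper discusses

    def decide(self, observed_rssi: float, reported_location: tuple) -> bool:
        # The lock only ever sees a radio signal plus whatever the phone reports.
        # It cannot tell the phone's own radio from a relay node's radio.
        if observed_rssi < self.rssi_threshold:
            return False
        if self.check_gps and haversine_m(self.location, reported_location) > self.gps_radius_m:
            return False
        return True


def unlock_attempt(lock: Lock, phone_distance_m: float, reported_location: tuple,
                   relayed: bool = False, relay_node_distance_m: float = 0.5) -> bool:
    """Run one unlock exchange.

    With a relay in place, the transmitter the lock actually hears is the relay
    node parked next to the door, so the RSSI reflects *its* distance, not the
    phone's. The relay only forwards bytes; it never has to break the crypto.
    """
    radio_distance = relay_node_distance_m if relayed else phone_distance_m
    return lock.decide(rssi_at(radio_distance), reported_location)


# Constructed coordinates: the lock, and a point roughly 300 m due north of it.
LOCK_LOCATION = (37.8716, -122.2727)
PHONE_FAR_AWAY = (37.8743, -122.2727)


def legitimate_unlock() -> bool:
    """Owner at the door, 1 m away, no relay."""
    return unlock_attempt(Lock(LOCK_LOCATION), 1.0, LOCK_LOCATION)


def far_away_no_relay() -> bool:
    """Owner 300 m away, no relay: signal far too weak, lock stays shut."""
    return unlock_attempt(Lock(LOCK_LOCATION), 300.0, PHONE_FAR_AWAY)


def relay_attack_no_gps_check() -> bool:
    """Owner 300 m away, relay node 0.5 m from the door, no GPS check: opens."""
    return unlock_attempt(Lock(LOCK_LOCATION), 300.0, PHONE_FAR_AWAY, relayed=True)


def relay_attack_with_gps_check() -> bool:
    """Same relay, but the lock checks the phone's honestly reported location."""
    lock = Lock(LOCK_LOCATION, check_gps=True)
    return unlock_attempt(lock, 300.0, PHONE_FAR_AWAY, relayed=True)


def relay_attack_with_spoofed_gps() -> bool:
    """Same relay and GPS check, but the reported location is spoofed to the door."""
    lock = Lock(LOCK_LOCATION, check_gps=True)
    return unlock_attempt(lock, 300.0, LOCK_LOCATION, relayed=True)


if __name__ == "__main__":
    for name, fn in [("legitimate", legitimate_unlock),
                     ("far away, no relay", far_away_no_relay),
                     ("relay, no GPS check", relay_attack_no_gps_check),
                     ("relay, GPS check", relay_attack_with_gps_check),
                     ("relay, spoofed GPS", relay_attack_with_spoofed_gps)]:
        print(f"{name:22s} -> {'UNLOCKED' if fn() else 'locked'}")
```

The model makes the answer's two points concrete: RSSI gating alone cannot distinguish a relay node at the door from the owner's phone, so the relay opens the lock with the owner 300 m away; the GPS check closes that gap only as long as the reported coordinates are honest, which is exactly the dependency (on the system knowing locations, and on them not being spoofed) that the paper flags.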

In any case this requires a special transceiver. I would guess that the HackRF is fast enough. Bluetooth does a lot of hopping across channels (~80) very quickly. It's a very annoying system to sniff. Perhaps someone can enlighten us all on how to predict the hopping sequence, or am I just mistaken entirely?

user400344
  • User400344 - this doesn't answer the question. If you have a new question please use the Ask a Question link; don't post it in an answer post. – Rory Alsop Aug 05 '16 at 07:21