MADISON, Wis. — Carmakers are planning to exploit Bluetooth Low Energy (BLE) technology (which has been rebranded; the more politically correct name today is Bluetooth Smart), so that vehicle owners can open and close doors and windows or adjust seats, mirrors, and lighting, by touching a smartphone/key fob or punching a wirelessly controlled in-vehicle button.
Setting aside the perceived convenience to car users, there's an overwhelming upside for car OEMs to embrace the Bluetooth Smart technology. By going wireless, carmakers can replace the rat's nest of wires strung all over the inside of a car. They can worry less about wiring complexity and wire inventory while reducing overall auto weight. What's not to like?
But here's the thing. How secure is Bluetooth Smart for controlling body electronics inside cars?
By its nature, the use of any wireless technology "raises a flag" on security, Luca De Ambroggi, principal analyst for automotive semiconductors at IHS Technology, recently told EE Times. Though he stressed that BLE is probably much more secure than wireless technologies such as WiFi or LTE, De Ambroggi conveyed a suspicion that the industry is working behind the scenes to plug some security holes in Bluetooth Smart -- and it's not quite finished.
It turns out he's correct.
The Bluetooth Special Interest Group (SIG) is working to beef up device-level security for Bluetooth Smart. Joel Linsky, senior director of technology at Qualcomm, chairs the Bluetooth SIG Core Specification Working Group. He told us the group's idea is to develop "new functions that allow [some] systems to use the industry-standard security techniques."
Suke Jawanda, chief marketing officer of the Bluetooth SIG, said there's no timeline yet for making the new spec available.
Jimmy Pai, CSR's technical marketing manager, confirmed that car companies (including OEMs and Tier 1 suppliers) have expressed security concerns. CSR announced its own automotive-qualified BLE chips for controlling body electronics almost a year ago. "We've been working with carmakers on this for more than two years. We won't be able to wait for the Bluetooth Special Interest Group to come up with new solutions." Thus, CSR has developed a "few workarounds" to satisfy its customers. "These modifications are CSR's proprietary solutions, which are implemented within the BLE spec."
The security question, often raised by carmakers and Tier 1 suppliers, comes down to this: Can someone hijack the wireless connection and do something to the car?
Mike Ryan, security engineer at iSEC Partners, singled out BLE's "key exchange" as the weak link of BLE's security. In a whitepaper, Ryan presented techniques for eavesdropping on Bluetooth Low Energy conversations, and he showed how packets can be intercepted and reassembled into connection streams. He also demonstrated an attack against the key exchange protocol, which "renders the encryption useless against passive eavesdroppers."
In a recent email exchange with EE Times, Ryan sketched out the following scenario.
Given that the key exchange is compromised, an attacker can effectively impersonate either the BLE master (car) or slave (keyfob/phone) *if* they rely on BLE's built-in security and *if* the attacker is able to observe the user pairing with the phone.
Such an attacker would be able to perform any action exposed via BLE.
For instance, if the car allows the doors to be unlocked via BLE, the attacker could unlock them.
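Whether the scenario Ryan describes applies to a given vehicle depends on how the car and the phone or key fob paired, and a reviewer can read that straight from the two SMP packets that open every pairing: the Pairing Request and Pairing Response carry each side's IO capability and AuthReq flags, which together fix the association model (Just Works, Passkey Entry, Out of Band or, on stacks that set the later LE Secure Connections flag, Numeric Comparison) and whether the legacy, non-ECDH key exchange that Ryan's paper targets is in use. The following Python is an added example, not code from the article, from Ryan, CSR or the Bluetooth SIG; the two exchanges it decodes are constructed sample bytes, the field layout follows the SMP PDU format of the Core Specification (Vol. 3, Part H), and the association-model rules are a transcription of that specification's IO-capability table.

```python
import struct
from dataclasses import dataclass

# SMP opcodes and field values follow Bluetooth Core Spec Vol 3, Part H.
SMP_PAIRING_REQUEST = 0x01
SMP_PAIRING_RESPONSE = 0x02

IO_CAPS = {
    0x00: "DisplayOnly",
    0x01: "DisplayYesNo",
    0x02: "KeyboardOnly",
    0x03: "NoInputNoOutput",
    0x04: "KeyboardDisplay",
}
YES_NO_CAPABLE = {0x01, 0x04}      # can confirm a displayed value
DISPLAY_ONLY_CLASS = {0x00, 0x01}  # no way to type a passkey

AUTHREQ_MITM = 0x04  # bit 2: requests MITM protection
AUTHREQ_SC = 0x08    # bit 3: LE Secure Connections (ECDH), Bluetooth 4.2+


@dataclass
class PairingFeatures:
    io_cap: int
    oob: bool
    mitm: bool
    sc: bool
    max_key_size: int


def parse_pairing_pdu(pdu: bytes, expected_code: int) -> PairingFeatures:
    """Decode a 7-byte Pairing Request/Response: code, IO capability, OOB flag,
    AuthReq, max encryption key size, initiator key dist, responder key dist."""
    if len(pdu) != 7:
        raise ValueError(f"pairing PDU must be 7 bytes, got {len(pdu)}")
    code, io_cap, oob, authreq, max_key_size = struct.unpack_from("<5B", pdu)
    if code != expected_code:
        raise ValueError(f"expected SMP code {expected_code:#04x}, got {code:#04x}")
    if io_cap not in IO_CAPS:
        raise ValueError(f"reserved IO capability value {io_cap:#04x}")
    if not 7 <= max_key_size <= 16:
        raise ValueError(f"max encryption key size {max_key_size} out of range")
    return PairingFeatures(io_cap, oob == 0x01, bool(authreq & AUTHREQ_MITM),
                           bool(authreq & AUTHREQ_SC), max_key_size)


def association_model(init: PairingFeatures, resp: PairingFeatures) -> tuple:
    """Return (model_name, secure_connections) following the IO-capability
    rules of Core Spec Vol 3, Part H, 2.3.5.1."""
    sc = init.sc and resp.sc
    # Legacy pairing needs OOB data on both sides; Secure Connections on either.
    oob = (init.oob or resp.oob) if sc else (init.oob and resp.oob)
    if oob:
        return "Out of Band", sc
    if not (init.mitm or resp.mitm):
        return "Just Works", sc
    if 0x03 in (init.io_cap, resp.io_cap):
        return "Just Works", sc
    if sc and init.io_cap in YES_NO_CAPABLE and resp.io_cap in YES_NO_CAPABLE:
        return "Numeric Comparison", sc
    if init.io_cap in DISPLAY_ONLY_CLASS and resp.io_cap in DISPLAY_ONLY_CLASS:
        return "Just Works", sc
    return "Passkey Entry", sc


def assess_pairing(request: bytes, response: bytes) -> dict:
    """Audit one pairing exchange and list what a reviewer should flag."""
    req = parse_pairing_pdu(request, SMP_PAIRING_REQUEST)
    rsp = parse_pairing_pdu(response, SMP_PAIRING_RESPONSE)
    model, sc = association_model(req, rsp)
    key_size = min(req.max_key_size, rsp.max_key_size)
    findings = []
    if not sc:
        findings.append("legacy pairing: STK derived from a low-entropy TK, "
                        "the key exchange Ryan showed to be passively recoverable")
    if model == "Just Works":
        findings.append("Just Works: no MITM protection, either side can be impersonated")
    if key_size < 16:
        findings.append(f"negotiated key size {key_size} bytes: encryption key shortened")
    return {"initiator": IO_CAPS[req.io_cap], "responder": IO_CAPS[rsp.io_cap],
            "model": model, "secure_connections": sc,
            "key_size": key_size, "findings": findings}


# Constructed sample PDUs (not captured from any real vehicle).
# Exchange 1: a phone (KeyboardDisplay, MITM requested) pairs with a car
# module that has no UI and asks only for bonding -> legacy Just Works.
LEGACY_REQ = bytes([0x01, 0x04, 0x00, 0x05, 0x10, 0x07, 0x07])
LEGACY_RSP = bytes([0x02, 0x03, 0x00, 0x01, 0x10, 0x07, 0x07])
# Exchange 2: both sides DisplayYesNo with MITM and Secure Connections
# flags set -> ECDH key exchange with Numeric Comparison.
SC_REQ = bytes([0x01, 0x01, 0x00, 0x0D, 0x10, 0x07, 0x07])
SC_RSP = bytes([0x02, 0x01, 0x00, 0x0D, 0x10, 0x07, 0x07])

if __name__ == "__main__":
    for name, req, rsp in (("legacy", LEGACY_REQ, LEGACY_RSP), ("sc", SC_REQ, SC_RSP)):
        result = assess_pairing(req, rsp)
        print(name, result["model"], "SC" if result["secure_connections"] else "legacy")
        for finding in result["findings"]:
            print("  -", finding)
```

Run against a capture of the vehicle's own pairing handshake, the first exchange reports exactly the condition Ryan's scenario requires (legacy key exchange, no MITM protection), while the second shows the shape a design should aim for once the ECDH-based pairing the SIG was working on is available in both the car and the phone.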