Analog Physical-Layer Relay Attacks with Application to Bluetooth and Phase-Based Ranging

TL;DR

This paper presents an analog physical-layer relay attack using low-cost hardware that can extend Bluetooth communication range and manipulate distance measurements, compromising proximity-based security systems like car access and smart locks.

Contribution

The authors design and demonstrate a novel analog relay attack capable of bypassing Bluetooth proximity verification and manipulating phase-based ranging over long distances.

Findings

Successfully relayed Bluetooth signals over 90 meters

Manipulated MCPR distance measurements arbitrarily

Compromised Bluetooth-based access control systems

Abstract

Today, we use smartphones as multi-purpose devices that communicate with their environment to implement context-aware services, including asset tracking, indoor localization, contact tracing, or access control. As a de-facto standard, Bluetooth is available in virtually every smartphone to provide short-range wireless communication. Importantly, many Bluetooth-driven applications such as Phone as a Key (PaaK) for vehicles and buildings require proximity of legitimate devices, which must be protected against unauthorized access. In earlier access control systems, attackers were able to violate proximity-verification through relay station attacks. However, the vulnerability of Bluetooth against such attacks was yet unclear as existing relay attack strategies are not applicable or can be defeated through wireless distance measurement. In this paper, we design and implement an analog physical-layer relay attack based on low-cost off-the-shelf radio hardware to simultaneously increase the wireless communication range and manipulate distance measurements. Using our setup, we successfully demonstrate relay attacks against Bluetooth-based access control of a car and a smart lock. Further, we show that our attack can arbitrarily manipulate Multi-Carrier Phase-based Ranging (MCPR) while relaying signals over 90 m.