Martin is an independent security researcher focusing - but not exclusively - on various aspects of product security related to Bluetooth wireless technology. As one of the co-founders of the trifinite.group, Martin worked with the Bluetooth SIG, helping the technology and its adopters overcome early design and implementation issues. Martin holds a master’s degree in telecommunications engineering from the University of Applied Sciences in Salzburg. During the last year, he spent his free time investigating security issues with Tesla vehicles. As part of his fascination with rapid developments in IT technology, Martin has been a regular participant and speaker at the Chaos Communication Congress (CCC) and other international IT security conferences since 1997.
Tesla Crypto Counter Confusion Attack
Note: This is related to Project TEMPA. Please follow this link for an overview! The Tesla Crypto Counter Confusion attack works by impersonating a vehicle with a tool like temparary. Once the app on the owner’s phone starts communicating to the emulated BLE interface of the impersonated car, the temparary tool will request an authorization from the phone.
Tesla Authorization Extraction/Replay Attack
Note: This is related to Project TEMPA. Please follow this link for an overview! The Tesla Authorization Replay attack uses a tool like temparary to extract VCSEC AuthorizationResponses from a whitelisted smartphone app. For AuthorizationRequests - which are mainly used for passive entry functions - the vehicle communicates a challenge token that the smartphone app has to answer with an AuthorizationResponse, which is embedded in a VCSEC SignedMessage object with a SIGNATURE_TYPE_AES_GCM_TOKEN SignatureType.
Tesla Key Drop Attack
Note: This is related to Project TEMPA. Please follow this link for an overview! The Tesla Key Drop attack works by impersonating a vehicle with a tool like temparary. Once the app on the owner’s phone starts communicating to the emulated BLE interface of the impersonated car, the temparary tool will request an authorization from the phone.
temparary.py is a pybleno-based Python script that acts as a VCSEC peripheral. Currently, the tool is very experimental and implements rudimentary interactions only! https://github.com/trifinite/temparary This tool has been released in the context of Project TEMPA. Disclaimer: While it’s very TEMPting to use this tool in order to impersonate random cars, we advise you to only use this tool on vehicles and smartphones you own or have permission to use.
Tesla Authorization Timer Attack
Tesla BLE Relay Attack
tempara.py is a Bleak-based Python script that acts as a VCSEC client. Currently, the tool is very experimental and implements rudimentary commands only! https://github.com/trifinite/tempara This tool has been released in the context of Project TEMPA. Disclaimer: While it’s very TEMPting to use this tool to connect to random cars, we advise you to only use this tool on vehicles you own or have permission to use.
Tesla cars with the 'Phone Key' feature enabled transmit a unique identifier that can be detected using Bluetooth® Wireless Technology. By installing this app, your device becomes aware of Tesla vehicles in its proximity. The gathered data is shared in order to generate a global crowd-sourced heatmap of detectable Tesla cars.
Tricking Android Smart Lock With Bluetooth
The Smart Lock feature allows Android users (Android version 5.0 and later) to automatically unlock their smartphone whenever a trusted device, Wi-Fi network or geolocation is in close proximity. Trusted devices can be either NFC tags or Bluetooth devices. Looking at Bluetooth devices, it turned out that the Smart Lock implementation had at least one security issue, which has since been resolved.
The carwhisperer project intends to sensitise manufacturers of carkits and other Bluetooth appliances without display and keyboard to the possible security threat arising from the use of standard passkeys. A Bluetooth passkey is used within the pairing process that takes place when two Bluetooth-enabled devices connect for the first time.
BlueDumping is the act of causing a Bluetooth device to ‘dump’ its stored link key, thereby creating an opportunity for key-exchange sniffing to take place. The attacks on link keys and PINs were first publicised by Ollie Whitehouse at CanSecWest, where he described a method by which the PIN and link keys can be obtained if a pairing event can be witnessed with a Bluetooth sniffer.
BlueSnarf++ is an attack that is very similar to the famous BlueSnarf attack. The main difference is that BlueSnarf++ is an attack where the attacker has full read/write access to the device’s filesystem. The manufacturers of the devices that are known to be vulnerable have been informed about this issue.
The BlueBump attack is the Bluetooth equivalent of a very cool physical security threat called key bumping. When used correctly, an appropriate bump key can be used to open any lock in seconds. Since the BlueBump attack is also about keys (link keys in this case), we named this attack after this amazing technique.
BlueSmack is a Bluetooth attack that knocks out some Bluetooth-enabled devices immediately. This Denial of Service attack can be conducted using standard tools that ship with the official Linux BlueZ utils package. Introduction: The ‘Ping of Death’ is basically a network ping packet that used to knock out early versions of Microsoft Windows 95.
The information on this page is intended to help people who want to modify their Bluetooth equipment in order to connect an external (directional) antenna to their Bluetooth dongle. This Bluetooth tuning makes it possible to concentrate the emission of Bluetooth signals in one direction instead of all directions.
Blueprinting is a method to remotely find out details about Bluetooth-enabled devices. Blueprinting can be used for generating statistics about manufacturers and models and for finding out whether there are devices in range that have Bluetooth security issues. (read more about Bluetooth security issues here)
Since Adam Laurie’s BlueSnarf experiment and the subsequent BlueBug experiment, it has been proven that some Bluetooth-enabled phones have security issues. Until now, attackers needed laptops to snarf other people’s information. Unless attackers do a long-distance snarf, people would see that there is somebody with a laptop trying to do strange things.