A new Bluetooth hack, dubbed CarsBlues, potentially affects millions of vehicles, Privacy4Cars warns. The CarsBlues attack leverages security flaws in the infotainment systems installed in several types of vehicles via Bluetooth, it affects users who have synced their smartphone to their cars.
Privacy4Cars develops a mobile app for erasing PII from vehicles, according to the firm tens of millions of vehicles could be affected worldwide, and it is an optimistic estimate because the number could be much greater.
The riskiest scenario sees drivers who sync their phones to vehicles that have been rented, borrowed, or leased and returned. Their data might be exposed to attackers that can use them for various malicious purposes.
“The attack can be performed in a few minutes using inexpensive and readily available hardware and software and does not require significant technical knowledge.” reads the post published by the company.
“As a result of these findings, it is believed that users across the globe who have synced a phone to a modern vehicle may have had their privacy threatened. It is estimated that tens of millions of vehicles in circulation are affected worldwide, with that number continuing to rise into the millions as more vehicles are evaluated.”
The attack technique was discovered by Privacy4Cars founder Andrea Amico in February 2018, he immediately notified the Automotive Information Sharing and Analysis Center (Auto-ISAC).
Amico worked with Auto-ISAC to figure out how attackers could steal PII from vehicles manufactured by affected members. Attackers can access stored contacts, call logs, text logs, and in some cases text messages without the user’s mobile device being connected to the system.
The good news for drivers is that at least manufacturers have already provided updates to make their latest models immune to the CarsBlues attack.
“Now that we have completed our ethical disclosure with the Auto-ISAC, we are turning our focus to educating the industry and the public about the risks associated with leaving personal information in vehicle systems,” explained Amico.
“The CarsBlues hack, given its ease to replicate, the breadth of situations in which it can be performed against unsuspecting targets, and the difficulty in detecting the exploitation, is a clear indication that industry and consumers alike need to be proactive when it comes to deleting personally identifiable information from vehicle infotainment systems.”
Privacy4Cars suggests vehicle users delete personal data from infotainment systems before allowing other access to their vehicle.
The firm also urges regulators to propose best practice to protect consumer data and to force vendors in implementing systems to helping customers delete their personal information.
(Security Affairs – CarsBlues, privacy)