Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Privacy

New Vehicle Hack Exposes Users’ Private Data Via Bluetooth

People who have synced their mobile phones with a wide variety of vehicle infotainment systems may have have their personal information exposed to a new type of vehicle hack, security researchers say. 

People who have synced their mobile phones with a wide variety of vehicle infotainment systems may have have their personal information exposed to a new type of vehicle hack, security researchers say. 

A researcher from Privacy4Cars, which offers a mobile app that can erase Personally Identifiable Information (PII) from modern vehicles, have discovered that vehicles from several car makers can expose user data via the Bluetooth protocol. 

Dubbed CarsBlues, the new vehicle hack targets the infotainment systems in modern vehicles and allows an attacker to access user information within minutes, using only inexpensive and readily available hardware and software. No significant technical knowledge is required either, the company claims. 

Tens of millions of vehicles already in circulation worldwide are believed to be impacted, and the number continues to rise into the millions as more vehicles are evaluated. Exposed information includes contacts, call logs, text logs, and even text messages in the full, in some cases. 

Discovered by Privacy4Cars founder Andrea Amico, the hack mainly impacts users who synced their phones to vehicles that are no longer under their direct oversight. These include rented vehicles, as well as cars “shared through a fleet or subscription service, loaned, sold, returned at the end of a lease, repossessed, or deemed a total loss.”

“Additionally, people who have synced their phones and given others temporary access to their personal vehicle, such as at dealerships’ service centers, repair shops, peer-to-peer exchanges, and valets may also be at risk for CarsBlues,” Privacy4Cars says. 

Amico has notified the Automotive Information Sharing and Analysis Center (Auto-ISAC) organization and also worked with it to help its impacted members understand how an attacker might access their personal information. The hack can be performed without the owner/user being aware and without the mobile device being connected to the system. 

“Now that we have completed our ethical disclosure with the Auto-ISAC, we are turning our focus to educating the industry and the public about the risks associated with leaving personal information in vehicle systems,” Amico said. 

Some of the impacted carmakers have already updated their new 2019 models, to ensure that they are no longer impacted by CarsBlues.

With many vehicle models from a broad range of car makers impacted, users are advised to delete any personal data they might have synced to their vehicle’s infotainment system before allowing anyone else access their vehicle. Privacy4Cars also notes that industry policies to protect consumer data should be created, either by helping customers delete the data or by having industry players erase it. 

“The CarsBlues hack, given its ease to replicate, the breadth of situations in which it can be performed against unsuspecting targets, and the difficulty in detecting the exploitation, is a clear indication that industry and consumers alike need to be proactive when it comes to deleting personally identifiable information from vehicle infotainment systems,” Amico said.

Related: Researchers See Improvements in Vehicle Cybersecurity

Related: Misconfigured CalAmp Server Enabled Vehicle Takeover

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.