Virtual Event Now Live: Zero Trust Strategies Summit! - Login for Access
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Privacy

New Vehicle Hack Exposes Users’ Private Data Via Bluetooth

People who have synced their mobile phones with a wide variety of vehicle infotainment systems may have have their personal information exposed to a new type of vehicle hack, security researchers say. 

People who have synced their mobile phones with a wide variety of vehicle infotainment systems may have have their personal information exposed to a new type of vehicle hack, security researchers say. 

A researcher from Privacy4Cars, which offers a mobile app that can erase Personally Identifiable Information (PII) from modern vehicles, have discovered that vehicles from several car makers can expose user data via the Bluetooth protocol. 

Dubbed CarsBlues, the new vehicle hack targets the infotainment systems in modern vehicles and allows an attacker to access user information within minutes, using only inexpensive and readily available hardware and software. No significant technical knowledge is required either, the company claims. 

Tens of millions of vehicles already in circulation worldwide are believed to be impacted, and the number continues to rise into the millions as more vehicles are evaluated. Exposed information includes contacts, call logs, text logs, and even text messages in the full, in some cases. 

Discovered by Privacy4Cars founder Andrea Amico, the hack mainly impacts users who synced their phones to vehicles that are no longer under their direct oversight. These include rented vehicles, as well as cars “shared through a fleet or subscription service, loaned, sold, returned at the end of a lease, repossessed, or deemed a total loss.”

“Additionally, people who have synced their phones and given others temporary access to their personal vehicle, such as at dealerships’ service centers, repair shops, peer-to-peer exchanges, and valets may also be at risk for CarsBlues,” Privacy4Cars says. 

Amico has notified the Automotive Information Sharing and Analysis Center (Auto-ISAC) organization and also worked with it to help its impacted members understand how an attacker might access their personal information. The hack can be performed without the owner/user being aware and without the mobile device being connected to the system. 

“Now that we have completed our ethical disclosure with the Auto-ISAC, we are turning our focus to educating the industry and the public about the risks associated with leaving personal information in vehicle systems,” Amico said. 

Advertisement. Scroll to continue reading.

Some of the impacted carmakers have already updated their new 2019 models, to ensure that they are no longer impacted by CarsBlues.

With many vehicle models from a broad range of car makers impacted, users are advised to delete any personal data they might have synced to their vehicle’s infotainment system before allowing anyone else access their vehicle. Privacy4Cars also notes that industry policies to protect consumer data should be created, either by helping customers delete the data or by having industry players erase it. 

“The CarsBlues hack, given its ease to replicate, the breadth of situations in which it can be performed against unsuspecting targets, and the difficulty in detecting the exploitation, is a clear indication that industry and consumers alike need to be proactive when it comes to deleting personally identifiable information from vehicle infotainment systems,” Amico said.

Related: Researchers See Improvements in Vehicle Cybersecurity

Related: Misconfigured CalAmp Server Enabled Vehicle Takeover

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

Omkhar Arasaratnam, former GM at OpenSSF, is LinkedIn's first Distinguised Security Engineer

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.