CarsBlues Bluetooth attack Affects tens of millions of vehicles

The CarsBlues attack leverages security flaws in the infotainment systems installed in several types of vehicles via Bluetooth to access user PII.

A new Bluetooth hack, dubbed CarsBlues, potentially affects millions of vehicles, Privacy4Cars warns. The CarsBlues attack leverages security flaws in the infotainment systems installed in several types of vehicles via Bluetooth, it affects users who have synced their smartphone to their cars.

Privacy4Cars develops a mobile app for erasing PII from vehicles, according to the firm tens of millions of vehicles could be affected worldwide, and it is an optimistic estimate because the number could be much greater.

The riskiest scenario sees drivers who sync their phones to vehicles that have been rented, borrowed, or leased and returned. Their data might be exposed to attackers that can use them for various malicious purposes.

“The attack can be performed in a few minutes using inexpensive and readily available hardware and software and does not require significant technical knowledge.” reads the post published by the company.

“As a result of these findings, it is believed that users across the globe who have synced a phone to a modern vehicle may have had their privacy threatened. It is estimated that tens of millions of vehicles in circulation are affected worldwide, with that number continuing to rise into the millions as more vehicles are evaluated.”

The attack technique was discovered by Privacy4Cars founder Andrea Amico in February 2018, he immediately notified the Automotive Information Sharing and Analysis Center (Auto-ISAC).

Amico worked with Auto-ISAC to figure out how attackers could steal PII from vehicles manufactured by affected members. Attackers can access stored contacts, call logs, text logs, and in some cases text messages without the user’s mobile device being connected to the system.

The good news for drivers is that at least manufacturers have already provided updates to make their latest models immune to the CarsBlues attack.

“Now that we have completed our ethical disclosure with the Auto-ISAC, we are turning our focus to educating the industry and the public about the risks associated with leaving personal information in vehiclesystems,” explained Amico.

“The CarsBlues hack, given its easeto replicate, the breadth of situations in which it can be performed against unsuspecting targets, and the difficulty in detecting the exploitation, is a clear indication that industry and consumers alike need to be proactive when it comes to deleting personally identifiable information from vehicle infotainment systems.”

Privacy4Cars suggests vehicle users delete personal data from infotainment systems before allowing other access to their vehicle.

The firm also urges regulators to propose best practice to protect consumer data and to force vendors in implementing systems to helping customers delete their personal information.

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.


10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase