CarsBlues attack may expose the private information of millions of drivers

Privacy4Cars warns that a new Bluetooth technology called CarsBlues could affect millions of cars. This attack technology exploits the security vulnerabilities of infotainment systems installed on several cars via Bluetooth, which affects users who connect their smartphones to cars.

Privacy4Cars has discovered a mobile app that removes PII from vehicles. Researchers say there may be tens of millions of cars affected worldwide, and this is only an optimistic estimate of the number of cars that may be affected. Maybe more. The riskiest situation is that drivers connect their smartphones to a large number of rented vehicles (these vehicles are returned and leased repeatedly) for data synchronisation, so their data is extremely likely to be exposed to malicious attackers.

“The attack can be performed in a few minutes using inexpensive and readily available hardware and software and does not require significant technical knowledge.

As a result of these findings, it is believed that users across the globe who have synced a phone to a modern vehicle may have had their privacy threatened. It is estimated that tens of millions of vehicles in circulation are affected worldwide, with that number continuing to rise into the millions as more vehicles are evaluated.”

The attack was discovered in February 2018 by Andrea Amico, founder of Privacy4Cars, who immediately notified the Auto Information Sharing and Analysis Center (Auto-ISAC).

Amico and Auto-ISAC collaborate to study how an attacker steals PII from vehicles manufactured by affected members. An attacker can access contacts stored in the message, call logs, text logs, and in some cases access to text messages without the car being connected to the mobile device.

The current manufacturer has systematically updated the vulnerability, and the new model no longer has to be threatened by CarsBlues. Privacy4Cars and Auto-ISAC have completed vulnerabilities (moral) disclosures and notifications, and are currently committed to the risk of placing personal information in the vehicle system to the public sciences. Enterprises and consumers need to actively and timely delete individuals in the vehicle entertainment information system. Identity Information.

Privacy4Cars recommends that users remove personal data from the infotainment system before allowing other users to use their vehicle. The company also urges regulators to propose demonstration methods to protect consumer data, and to order suppliers to design/practice systems that help customers remove personal information.