​CarsBlues vehicle flaw found affecting millions of vehicles worldwide

• The flaw could allow attackers to steal Personally Identifiable Information (PII) of users who have synced their phones to cars via Bluetooth.
• The vulnerability can also expose data if a user has synced his phone with a vehicle that has been rented, shared through a subscription service or loaned.

A new mass cyber vulnerability dubbed as ‘CarsBlues’ has been identified in the infotainment system of several vehicle brands. The flaw could allow attackers to steal Personally Identifiable Information (PII) of users who have synced their phones to cars via Bluetooth.

About the hack

Researchers at Privacy4Cars found that the hack can be performed by leveraging Bluetooth protocol and does not need any expensive hardware or software tool.

“Privacy4Cars, the first and only mobile app designed to help erase Personally Identifiable Information (PII) from modern vehicles, publicly disclosed today the existence of a concerning vehicle hack, titled CarsBlues, that exploits infotainment systems of several makes via the Bluetooth protocol. The attack can be performed in a few minutes using inexpensive and readily available hardware and software and does not require significant technical knowledge” said Privacy4Cars in its analysis report.

The hack came into limelight in February 2018 during the development of the Privacy4Cars app. It was discovered by Andrea Amico, founder of the firm.

Soon after the revelation of the flaw, Amico was quick at taking action and informed the Automotive Information Sharing and Analysis Center (Auto-ISAC).

“Upon discovery, Amico, a vehicle privacy and cybersecurity advocate, immediately notified the Automotive Information Sharing and Analysis Center (Auto-ISAC), the organization established by the automotive industry to share and analyze intelligence about emerging cybersecurity risks among its members,” the firm explained.

In addition, the firm worked closely with Auto-ISAC to understand how a hacker could gain access to stored contact numbers, call logs, text logs and even full-text messages without the knowledge of users. The hack is estimated to affect tens of millions of vehicles across the globe.

Risk associated with the CarsBlues hack

The firm along with Auto-ISAC has completed its analysis on the CarsBlues hack and is currently working towards educating both organizations and public about the risk of the hack.

“The CarsBlues hack, given its ease to replicate, the breadth of situations in which it can be performed against unsuspecting targets, and the difficulty in detecting the exploitation, is a clear indication that industry and consumers alike need to be proactive when it comes to deleting personally identifiable information from vehicle infotainment systems," said Amico.

He highlights that the hack can be riskier if a user has synced his phone with a vehicle that has been rented, shared through a subscription service, loaned, sold or returned at the end of a lease.

Commenting on other risks, Amico said, “Additionally, people who have synced their phones and given others temporary access to their personal vehicles, such as at dealerships' service centers, repair shops, peer-to-peer exchanges, and valets may also be at risk for CarsBlues.”

As a precautionary measure, vehicle users are suggested to delete their personal data from the vehicle infotainment systems before handing over their vehicle to anyone. Car manufacturers should consider establishing a robust cyber security policy in order to protect consumer data.

“Vehicle users should consider deleting personal data from any and all vehicle infotainment systems before allowing anyone to access their vehicle. Industry players should consider instituting a policy to protect consumer data, either by helping customers delete their personal information or by performing the operation themselves – similarly to how telecom carriers handle returned smartphones,” said Privacy4Cars.

Privacy4Cars also confirmed that at least two car manufacturers have added systematic updates to their 2019 models in order to stay safe from CarsBlues vulnerability.