Blueborne Vulnerability May Leave Your Bluetooth-Equipped Car Open to Attack
Late last week, a new computer vulnerability was reported. This one spreads through Bluetooth, and can affect many Bluetooth devices. Including your car, if it has Bluetooth handsfree connectivity. But do you need to worry about "BlueBorne", and can you do anything to help make your car more secure?
BlueBorne, so named because it uses Bluetooth signals to attack devices through the air, allows attackers to take control of devices and access networks. The problem affects computers, phones, and a large number of other platforms that use Bluetooth connectivity. Because of how Bluetooth is implemented, the exploit gives "virtually full control over the device," according to Armis Labs, the IT company that first reported it.
Do you need to worry about BlueBorne? If you have a phone of computer with Bluetooth, the answer is "maybe." Armis told the main hardware and operating system companies about the vulnerability back in April. That gave the companies time to fix it before it became known to most people.
But while your computer and phone can be updated quickly and frequently, what about your Bluetooth-equipped car? We reached out to ESET, a leading online security company. Cameron Camp, an ESET security researcher, answered our questions about BlueBorne.
So if your car has Bluetooth, what can hackers do to your car? Camp wrote that "the car is typically just used as a big fancy 'headset' that has some other limited functionality, and that communicates with the far more powerful phone in your pocket, which acts as the base station with most of the compute power that makes it all work." So while your car may be vulnerable, the part that can be controlled is the infotainment system. The radio, not the engine. The bigger risk is to your phone.
It's also more difficult for hackers to gain access to your car than your phone, with less benefit for them if they do hack it. Hackers need a test unit to work with. For a phone, the cost is well under $1,000. A popular model of phone can see tens of millions of units sold. If a hacker can successfully attack that phone, they would have potential access to millions of those phones. In order to hack a car, they would need to acquire that model vehicle to work on. So for a much larger expense (buying a car), they would have a bug that only worked on the few hundred thousand of that model. As Camp wrote, "Once you have a test phone, there are millions of potential targets, so it’s a better target from a scammer’s perspective." Cars are not as connected as your phone. Attackers need to be present. Close enough to detect your Bluetooth data, or about 10 metres. An infotainment system is also limited in terms of functionality compared with a phone, making it a less attractive target.
So what can you do to protect your car? Camp wrote that "though updates may not be released as fast as desired, the manufacturers will certainly be making them available as soon as they can, so keep checking back with your specific manufacturer. If you’re nervous, you may want to limit your Bluetooth activities to cars you trust would have less chance of being tampered with, like the ones normally parked in your garage at night and a secure parking lot by day." So update your car if possible, and if you aren't using your own car, you may want to avoid using Bluetooth.
