CERT: Aftermarket Add-On Opens Cars To Life Threatening Hacks

Carnegie Mellon CERT warned that BlueDriver, an aftermarket "smart car" product can open vehicles to remote attack.
Carnegie Mellon CERT warned that BlueDriver, an aftermarket “smart car” product can open vehicles to remote attack.

In-brief: Carnegie Mellon CERT warned drivers that a popular aftermarket product for vehicles could leave them open to potentially “life threatening” wireless attacks.

Update: added info on recommended remediation. PFR 4/8/2016

The Carnegie Mellon CERT (Computer Emergency Response Team) warned drivers that a popular aftermarket product for vehicles could leave them open to potentially “life threatening” wireless attacks.

In a vulnerability note published on Thursday, CERT said that BlueDriver, an aftermarket device made by Lemur Vehicle Monitors, does not require a PIN for Bluetooth access, which could allow anyone in range of the device to “send arbitrary commands to the vehicle’s CAN bus,” CERT warned. With no known patch or “practical solution to this problem,” CERT recommended that owners “not operate vehicle with (BlueDriver) attached.”

As demonstrated by researchers Charlie Miller and Chris Valasek, direct access to the CAN – or Controller Area Network – can allow an attacker to manipulate critical vehicle functions including braking, acceleration, steering and environmental controls. According to the CERT alert, cars with BlueDriver allow an attacker to create a serial connection directly to the CAN bus in the vehicle. “Any valid CAN command can be sent to the vehicle. Depending on the vehicle, this may allow attackers to affect safety critical systems such as steering or braking.”

BlueDriver, which sells on Amazon.com and other sites for around $100, is one of a number of aftermarket products that allow owners to access diagnostic and performance data from older model vehicles. The devices work with companion mobile applications for iOS and Android.

Unlike the wireless attacks demonstrated by Valasek and Miller, attacks on the BlueDriver would be limited to Bluetooth range – generally under 30 feet. However, CERT notes that an attack could be launched from a compromised device inside the car like a mobile phone. Depending on the car make and model, the impact could range from “information disclosure to life-threatening,” CERT said.

The security of vehicles is getting more attention. In March, the FBI issued an advisory addressing software based risks to vehicles. Noting the research conducted by Valasek and Miller, the advisory noted that consumers and manufacturers should be “aware of the possible threats and how an attacker may seek to remotely exploit vulnerabilities in the future,” the FBI said.

survey on connected vehicles by Kelly Blue Book found that 62% think “connected cars will be hacked,” and that a minority (42%) said they “want cars to be more connected.”