Car infotainment computer can leak personal details via Bluetooth

Ionut ILASCU

November 26, 2018

Infotainment computers on various modern vehicles are vulnerable to a bug that can be leveraged to leak private information from the car owner’s mobile phone. The information at risk comprises call logs, contact lists, and text messages, and could be extracted without the owner knowing about it or the phone being connected to the car’s entertainment system.

The problem, dubbed CarsBlues because it is exploitable via Bluetooth, occurs when the owner connects the phone to the car to sync personal information with the infotainment computer. Obtaining the personal data is possible in minutes using “inexpensive and readily available hardware and software,” though it does require advanced technical knowledge.

Andrea Amico, developer of the Privacy4Cars mobile app, discovered the hack and reported it to the Automotive Information Sharing and Analysis Center (Auto-ISAC), an outfit focused on distributing details about security issues among its members. At least two manufacturers have introduced a patch to their 2019 models, but it is estimated that millions of vehicles are affected.

Security problems with infotainment systems in cars are not new: these computers are designed for convenience, and safeguards, if any, don’t typically make it onto the list of priorities. Last year, two security researchers presented their findings on one vehicle’s infotainment system that collected data from the phone during the synchronization process and never let go of it.

Gabriel Cirlig and Stefan Tanase from Ixia were able to extract the phone’s call history, contacts, texts, emails and files associated with apps on the phone, like photos and audio, along with details about the car. They wrote a script that disabled the device’s firewall and dumped all the data onto a USB drive.

During their presentation, the duo said exfiltration could be possible via WiFi to an attacker nearby. Amico’s method relies on wireless transfer, too, via Bluetooth. In both cases, the delivery is silent, with the car owner oblivious to the leak. All it takes for the personal data to reach the car’s storage area is a one-time connection between the two systems.

“Those most at risk of having their personal information exposed include people who have synced their phones in vehicles that are no longer under their direct oversight, including but not limited to vehicles that have been rented, shared through a fleet or subscription service, loaned, sold, returned at the end of a lease, repossessed, or deemed a total loss,” warns Privacy4Cars.

Contrary to what some may think, some infotainment systems installed on cars from different manufacturers come from the same place and share at least some code. Weaknesses propagate this way to various makes and models.
