CERTVU:615456Lemur Vehicle Monitors BlueDriver LSB2 does not authenticate users for Bluetooth access
8 High
CVSS2
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:A/AC:L/Au:N/C:P/I:C/A:C
8.8 High
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.003 Low
EPSS
Percentile
67.8%
Overview
The Lemur Vehicle Monitors BlueDriver is an aftermarket automotive device that connects to a vehicleβs OBD-II port and provides information about the vehicleβs performance. The BlueDriver does not require a PIN for Bluetooth access, which allows anyone in range to send arbitrary commands to the vehicleβs CAN bus.
Description
CWE-306: Missing Authentication for Critical Function - CVE-2016-2354
The CERT Coordination Center has determined that the Lemur BlueDriver does not require a PIN to connect to it via Bluetooth. This allows anyone within Bluetooth range to access standard OBD-II diagnostic information about the car, including gas mileage, Diagnostic Trouble codes, speed, emissions, etc. It also allows an attacker to create a serial connection directly to the CAN (Controller Area Network) bus in the vehicle. Any valid CAN command can be sent to the vehicle. Depending on the vehicle, this may allow attackers to affect safety critical systems such as steering or braking.
Impact
The attack is limited to short (Bluetooth) range, but it could be launched from a compromised device inside the car (e.g., cell phone). Depending on the car make and model, impact could range from information disclosure to life-threatening.
Solution
Apply an Update
Lemur Vehicle Monitors has released a firmware update to address this vulnerability:
_BlueDriver scan tool users can update their sensor Firmware (F/W) by opening
their BlueDriver App and tapping βMoreβ > βUpdate Sensor F/Wβ > βCheck for
Updatesβ and following the instructions.
The latest F/W for BlueDriver limits Bluetooth discoverability to 1 minute
after plug in. This added feature limits discovering (and then pairing) to
your BlueDriver to those who first plug in the sensor_.
For clarification, the vendor has stated that discoverability is now limited to only when the device is plugged in, not every time the vehicle is turned on.
Vendor Information
615456
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Lemur Vehicle Monitors Affected
Notified: February 03, 2016 Updated: April 07, 2016
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 8 | AV:A/AC:L/Au:N/C:P/I:C/A:C |
| Temporal | 7.6 | E:F/RL:U/RC:C |
| Environmental | 6.7 | CDP:H/TD:M/CR:L/IR:H/AR:L |
References
Acknowledgements
Thanks to Dan Klinedinst of the CERT/CC for reporting this vulnerability.
This document was written by Dan Klinedinst.
Other Information
| CVE IDs: | CVE-2016-2354 |
|---|---|
| Date Public: | 2016-04-07 Date First Published: |
Related
8 High
CVSS2
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:A/AC:L/Au:N/C:P/I:C/A:C
8.8 High
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.003 Low
EPSS
Percentile
67.8%