Vulnerability Note VU#615456
Lemur Vehicle Monitors BlueDriver LSB2 does not authenticate users for Bluetooth access
The Lemur Vehicle Monitors BlueDriver is an aftermarket automotive device that connects to a vehicle's OBD-II port and provides information about the vehicle's performance. The BlueDriver does not require a PIN for Bluetooth access, which allows anyone in range to send arbitrary commands to the vehicle's CAN bus.
CWE-306: Missing Authentication for Critical Function - CVE-2016-2354
The CERT Coordination Center has determined that the Lemur BlueDriver does not require a PIN to connect to it via Bluetooth. This allows anyone within Bluetooth range to access standard OBD-II diagnostic information about the car, including gas mileage, Diagnostic Trouble codes, speed, emissions, etc. It also allows an attacker to create a serial connection directly to the CAN (Controller Area Network) bus in the vehicle. Any valid CAN command can be sent to the vehicle. Depending on the vehicle, this may allow attackers to affect safety critical systems such as steering or braking.
The attack is limited to short (Bluetooth) range, but it could be launched from a compromised device inside the car (e.g., cell phone). Depending on the car make and model, impact could range from information disclosure to life-threatening.
Apply an Update
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Lemur Vehicle Monitors||Affected||03 Feb 2016||07 Apr 2016|
CVSS Metrics (Learn More)
Thanks to Dan Klinedinst of the CERT/CC for reporting this vulnerability.
This document was written by Dan Klinedinst.
- CVE IDs: CVE-2016-2354
- Date Public: 07 Apr 2016
- Date First Published: 07 Apr 2016
- Date Last Updated: 20 Apr 2016
- Document Revision: 25
If you have feedback, comments, or additional information about this vulnerability, please send us email.