search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Lemur Vehicle Monitors BlueDriver LSB2 does not authenticate users for Bluetooth access

Vulnerability Note VU#615456

Original Release Date: 2016-04-07 | Last Revised: 2016-04-20

Overview

The Lemur Vehicle Monitors BlueDriver is an aftermarket automotive device that connects to a vehicle's OBD-II port and provides information about the vehicle's performance. The BlueDriver does not require a PIN for Bluetooth access, which allows anyone in range to send arbitrary commands to the vehicle's CAN bus.

Description

CWE-306: Missing Authentication for Critical Function - CVE-2016-2354

The CERT Coordination Center has determined that the Lemur BlueDriver does not require a PIN to connect to it via Bluetooth. This allows anyone within Bluetooth range to access standard OBD-II diagnostic information about the car, including gas mileage, Diagnostic Trouble codes, speed, emissions, etc. It also allows an attacker to create a serial connection directly to the CAN (Controller Area Network) bus in the vehicle. Any valid CAN command can be sent to the vehicle. Depending on the vehicle, this may allow attackers to affect safety critical systems such as steering or braking.

Impact

The attack is limited to short (Bluetooth) range, but it could be launched from a compromised device inside the car (e.g., cell phone). Depending on the car make and model, impact could range from information disclosure to life-threatening.

Solution

Apply an Update
Lemur Vehicle Monitors has released a firmware update to address this vulnerability:

BlueDriver scan tool users can update their sensor Firmware (F/W) by opening
their BlueDriver App and tapping ‘More’ > ‘Update Sensor F/W’ > 'Check for
Updates' and following the instructions.

The latest F/W for BlueDriver limits Bluetooth discoverability to 1 minute
after plug in. This added feature limits discovering (and then pairing) to
your BlueDriver to those who first plug in the sensor
.

For clarification, the vendor has stated that discoverability is now limited to only when the device is plugged in, not every time the vehicle is turned on.

Vendor Information

615456
 
Affected   Unknown   Unaffected

Lemur Vehicle Monitors

Notified:  February 03, 2016 Updated:  April 07, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base 8.0 AV:A/AC:L/Au:N/C:P/I:C/A:C
Temporal 7.6 E:F/RL:U/RC:C
Environmental 6.7 CDP:H/TD:M/CR:L/IR:H/AR:L

References

Credit

Thanks to Dan Klinedinst of the CERT/CC for reporting this vulnerability.

This document was written by Dan Klinedinst.

Other Information

CVE IDs: CVE-2016-2354
Date Public: 2016-04-07
Date First Published: 2016-04-07
Date Last Updated: 2016-04-20 15:57 UTC
Document Revision: 25

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.