Lemurs are small, spry primates native to the island-nation of Madagascar, and are fairly harmless. Don't confuse them with the Lemur Vehicle Monitors BlueDriver, which, according to a U.S. government advisory issued yesterday (April 7) could cause you to crash your car.
This unassuming Bluetooth dongle is supposed to provide drivers with useful information about their automobiles, but apparently lax authentication might make it a potential security disaster. At best, you could be handing over your vehicle statistics to any interested party. At worst (although it's highly unlikely), you could die.
The Computer Emergency Response Team at Carnegie Mellon University, sponsored by the Department of Homeland Security, described both the vulnerability present in the BlueDriver and its potential effects. At the crux of the issue is a simple security oversight: the BlueDriver requires no PIN to pair with a mobile device.
The BlueDriver is a dongle that plugs into a car's OBD-II diagnostic port. This electronic data port, present in almost every car manufactured after 1996, rests under the dashboard (or sometimes in the glove compartment or in the center console) and can help mechanics gather information about gas mileage, component maintenance and overall car efficiency.
Drivers can also access this port, and self-reporting devices like the BlueDriver have been common for 20 years. The only difference is that this one uses Bluetooth to beam data to a mobile device, and that mobile device doesn't necessarily have to be yours.
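To make concrete what a dongle on this port actually reads and relays, here is a small decoder for OBD-II "mode 01" replies. This is an added example, not code from the article or from Lemur: the request/response format (request "01 PID", reply "41 PID data") and the scaling formulas are the public SAE J1979 ones, and the sample frames and the "NO DATA" line are constructed for illustration. It also shows the defensive habit of rejecting truncated or malformed frames rather than guessing a reading from them.

```python
"""Decoder for OBD-II mode 01 ("show current data") responses.

Added example, not from the article or from Lemur. A dongle like the
BlueDriver sends "01 <PID>" to the car and relays the "41 <PID> <data>"
reply over Bluetooth; this is the kind of data an unauthenticated link
hands to whoever pairs with it. Formulas follow SAE J1979 (public);
the sample frames below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Pid:
    name: str
    unit: str
    length: int                          # data bytes expected after the PID byte
    decode: Callable[[List[int]], float]  # scaling formula over those bytes

# Mode 01 PIDs; A and B are the first and second data bytes (d[0], d[1]).
PIDS: Dict[int, Pid] = {
    0x05: Pid("engine coolant temperature", "degC", 1, lambda d: d[0] - 40),
    0x0C: Pid("engine RPM", "rpm", 2, lambda d: (256 * d[0] + d[1]) / 4),
    0x0D: Pid("vehicle speed", "km/h", 1, lambda d: d[0]),
    0x1F: Pid("run time since engine start", "s", 2, lambda d: 256 * d[0] + d[1]),
    0x2F: Pid("fuel tank level", "%", 1, lambda d: 100 * d[0] / 255),
    0x31: Pid("distance since codes cleared", "km", 2, lambda d: 256 * d[0] + d[1]),
}

class FrameError(ValueError):
    """Raised for anything that is not a well-formed, supported mode 01 reply."""

def parse_frame(frame: str) -> Tuple[int, float]:
    """Parse one hex reply such as '41 0C 1A F8' into (pid, scaled value).

    Every check here exists so that a truncated or garbled frame never
    silently produces a plausible-looking reading.
    """
    try:
        raw = bytes.fromhex(frame.replace(" ", ""))
    except ValueError as exc:
        raise FrameError(f"non-hex frame: {frame!r}") from exc
    if len(raw) < 2:
        raise FrameError(f"frame too short: {frame!r}")
    mode, pid, data = raw[0], raw[1], list(raw[2:])
    if mode != 0x41:                      # 0x41 = positive reply to mode 01
        raise FrameError(f"not a mode 01 reply: {frame!r}")
    spec = PIDS.get(pid)
    if spec is None:
        raise FrameError(f"unsupported PID 0x{pid:02X}")
    if len(data) != spec.length:
        raise FrameError(f"PID 0x{pid:02X} expects {spec.length} data byte(s), got {len(data)}")
    return pid, spec.decode(data)

def decode_log(frames: List[str]) -> Tuple[Dict[str, Tuple[float, str]], List[str]]:
    """Decode a captured list of reply frames into {name: (value, unit)}.

    Bad frames are collected as error strings instead of aborting the whole
    log, so one corrupted line cannot hide the readings around it.
    """
    readings: Dict[str, Tuple[float, str]] = {}
    errors: List[str] = []
    for frame in frames:
        try:
            pid, value = parse_frame(frame)
        except FrameError as err:
            errors.append(str(err))
            continue
        spec = PIDS[pid]
        readings[spec.name] = (value, spec.unit)
    return readings, errors

# Constructed sample: what a short session over the dongle might relay.
SAMPLE_FRAMES = [
    "41 0C 1A F8",  # RPM: (0x1A*256 + 0xF8) / 4 = 1726 rpm
    "41 0D 3C",     # speed: 60 km/h
    "41 05 5A",     # coolant: 0x5A - 40 = 50 degC
    "41 2F 80",     # fuel level: 100 * 128 / 255 ~= 50.2 %
    "41 31 04 D2",  # distance since codes cleared: 0x04D2 = 1234 km
    "41 1F 01 2C",  # run time: 300 s
    "NO DATA",      # adapter text, not a hex frame: rejected
    "41 0C 1A",     # truncated RPM frame: rejected
]

if __name__ == "__main__":
    found, problems = decode_log(SAMPLE_FRAMES)
    for name, (value, unit) in found.items():
        print(f"{name}: {value:g} {unit}")
    for problem in problems:
        print("skipped:", problem)
```

Run as a script it prints the six decoded readings and the two rejected lines. The point for a buyer or reviewer is the content of those readings: fuel level, distance and run time are exactly the "how far and how much fuel" statistics the article says any party within Bluetooth range can collect from an unpaired-by-default dongle.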
Bluetooth pairing is incredibly simple — sometimes too simple for its own good. Without a four-digit PIN to offer a bare minimum of protection, anyone within a 30-foot range could connect to a BlueDriver dongle. If the dongle is not currently connected to a phone, the process will be trivial, and even if the dongle is connected, it's sometimes possible to prioritize a new connection over an existing one. If you use a BlueDriver dongle, there is at the moment nothing you can do to prevent someone else from connecting to it.
For most people, this won't be a big issue, since the absolute worst a malefactor could do with OBD-II access would be to gain access to statistics about how far your car has traveled, and how much fuel it's consumed. But unless you know exactly what your vehicle's internal networks look like, you won't know for sure.
That's because some vehicles may provide two-way networking between the OBD-II port and systems like steering and braking. In an absolute worst-case scenario, someone could hijack your OBD-II dongle and crash your car. And right now, we don't know which cars those might be.
While this is an unlikely outcome — due to the proximity required and the difficulty of issuing control commands through an OBD-II port — it's not impossible. A smartphone planted in a target's car would be sufficient, since an attacker could then control the hidden phone remotely, and it would always be within 30 feet of the BlueDriver.
For the time being, CERT recommends that BlueDriver owners disconnect the device and stop using it. It's possible that the company could issue a firmware update and solve the problem.
We've reached out to Lemur for comment and will update this story when the company responds. The CERT advisory implies that Lemur was notified of this flaw two months ago.
If you decide to get an OBD-II dongle for your car, remember that it can be attacked, just like anything else. Before you buy any device that connects to your car's internal networks, make sure that the device follows basic security practices, such as requiring a PIN for Bluetooth pairing.