On the Insecurity of Vehicles Against Protocol-Level Bluetooth Threats

Cars are some of the most security-critical consumer devices. On the one hand, owners expect rich infotainment features, including audio, hands-free calls, contact management, or navigation through their connected mobile phone. On the other hand, the infotainment unit exposes exploitable wireless attack surfaces. This work evaluates protocol-level Bluetooth threats on vehicles, a critical but unexplored wireless attack surface. These threats are crucial because they are portable across vehicles, and they can achieve impactful goals, such as accessing sensitive data or even taking remote control of the vehicle. Their evaluation is novel as prior work focused on other wireless attack surfaces, notably Bluetooth implementation bugs. Among relevant protocol-level threats, we pick the KNOB and BIAS attacks because they provide the most effective strategy to impersonate arbitrary Bluetooth devices and are not yet evaluated against vehicles. Testing vehicles is challenging for several reasons, and we had to design a cost-effective methodology based on hybrid lab/on the road experiments. We evaluated 5 popular infotainment units (e.g., KIA and Toyota units) in the lab and 3 recent cars (e.g., Suzuki and Skoda cars) in a controlled on-the-road environment. We describe our methodology in detail to allow other researchers to reproduce and extend our results. Our Bluetooth protocol-level security evaluation uncovers worrisome facts about the state of vehicular security. For example, all tested devices are vulnerable to BIAS and KNOB, despite the patches in the Bluetooth standard. For example, the standard mandates keys with 7 bytes of entropy, but the tested devices accept keys with 1 byte of entropy. Moreover, all tested devices employ weak and outdated Bluetooth security parameters (e.g., weak authentication protocols and ciphers).