BlueBorne Bluetooth Vulnerability and Nissan

Nissan Rogue forum - Includes Nissan Qashqai and Nissan Dualis as well.
texasrogue
Posts: 24
Joined: Mon Oct 26, 2015 3:17 pm
Car: 2014 Nissan Rogue SL FWD; Premium Package
Location: Near a Texas Hill Country Vineyard

A recent vulnerability was discovered that potentially affects billions of devices, including vehicles. It's called BlueBorne and this vulnerability allows the attacker to perform a variety of malicious attacks without having the Bluetooth devices paired. What's worse is this attack turns the victim into a virtual "Typhoid Mary" in that the victim device spreads the vulnerability to other Bluetooth devices.

I have a 20+ year career in IT having done everything from Desktop Support, System Administration, Web Development and Network Engineering, so I figured I'd call Nissan, hopefully speak to an expert and ask them if this vulnerability impacts my vehicle and if so, what do they plan to do about it.

After getting accidentally hung up on several times while my call was transferred to the Bluetooth group, I finally reached a call center rep who was unable to tell me what OS (operating system) powered my Nissan head unit. He attempted to provide boilerplate explanations to placate my concern, but I had to apologize to him and say that I am an IT professional and have an understanding of Bluetooth and the vulnerability in question. I hate to pull that card in any conversation but sometimes if people know you have a certain amount of expertise in a subject, they'll level with you. Sometimes it intimidates them because they know you can sense BS when it's given.

After attempting to placate me once more with boilerplate "no need to worry"-type answers and that if an issue is uncovered Nissan will issue a fix, I decided to dig around on the Internet.

One of the affected Operating Systems in the BlueBorne vulnerability is Linux. And I uncovered that the Nissan Connect is made by Bosch and is built upon Open Source software which is basically Linux. So now the question becomes are they going to issue a fix for this?

Fact is, the attacker would have to be within 30 or 40 feet of the vehicle to implement the attack or be using a high-gain directional antenna. Chances of actually having a would-be hacker exploit your vehicle are admittedly low, but the potential is there nonetheless.

I am not about to shut off my Bluetooth as I use it daily. My phone is not affected as Apple patched this vulnerability a while back. However, I am not going to hold my breath waiting for Nissan to issue a fix. From what I read in this forum, they haven't even issued a working map update for my vehicle. As integrated vehicle software grows in functionality, manufacturers will soon find buyers making purchasing decisions based upon the reliability and frequency with which the vehicle software is updated.

Nissan seems to have forgotten this concept.


Rogue One
Administrator
Posts: 7947
Joined: Tue Jun 14, 2011 10:15 pm
Car: 2011 Nissan Rogue SL
2012 Nissan Rogue SL
2022 Honda Pilot SE
2025 Honda CR-V Sport L
Location: Florida, USA

texasrogue wrote:
Sat Sep 30, 2017 4:48 pm
...However, I am not going to hold my breath waiting for Nissan to issue a fix...

Well, unless something serious happens AND that develops into a class-action lawsuit, Nissan will probably never issue a patch. As you've noted, Apple has already patched this vulnerability, and no doubt Android, Blackberry and Microsoft have one in the works as well. That pretty much leaves potentially a bunch of cars still vulnerable, but once the bulk of the smartphones, tablets and pads are patched then the threat level goes down.

I found this section of an article on Malwarebytes Labs interesting (bold emphasis by me):
Spreading malware via Bluetooth

One of the more intriguing attacks is the potential to propagate malware using BlueBorne vulnerabilities. More specifically, through mobile devices.

The only way I could hypothesize this happening is through an attack using a list of collected BD_ADDRs and then creating a malicious app which scans for those addresses. Any device within range on the list becomes a target. Using the BlueBorne vulnerabilities to propagate itself, the malicious app transfers to the target device. Keep in mind the user of the target device would need to accept installing the malicious app as well.

All this isn’t impossible, but unlikely with the limitation of requiring a list of BD_ADDRs. Now if a mobile device could steal BD_ADDRs for itself — which it can’t at this point — then we should start worrying.

datechboss101
Posts: 915
Joined: Sat Jan 14, 2017 12:01 pm
Car: 2016 Nissan Rogue SL -- RIP
2018 Nissan Kicks SR -- RIP
2019 Nissan Rogue SV w/ Prem. Pack
Location: Orlando, FL

Rogue One wrote:
Sun Oct 01, 2017 6:01 am
texasrogue wrote:
Sat Sep 30, 2017 4:48 pm
...However, I am not going to hold my breath waiting for Nissan to issue a fix...
Well, unless something serious happens AND that develops into a class-action lawsuit, Nissan will probably never issue a patch. As you've noted, Apple has already patched this vulnerability, and no doubt Android, Blackberry and Microsoft have one in the works as well. That pretty much leaves potentially a bunch of cars still vulnerable, but once the bulk of the smartphones, tablets and pads are patched then the threat level goes down.

I found this section of an article on Malwarebytes Labs interesting (bold emphasis by me):
Spreading malware via Bluetooth

One of the more intriguing attacks is the potential to propagate malware using BlueBorne vulnerabilities. More specifically, through mobile devices.

The only way I could hypothesize this happening is through an attack using a list of collected BD_ADDRs and then creating a malicious app which scans for those addresses. Any device within range on the list becomes a target. Using the BlueBorne vulnerabilities to propagate itself, the malicious app transfers to the target device. Keep in mind the user of the target device would need to accept installing the malicious app as well.

All this isn’t impossible, but unlikely with the limitation of requiring a list of BD_ADDRs. Now if a mobile device could steal BD_ADDRs for itself — which it can’t at this point — then we should start worrying.

Verizon just pushed out the patch for the Android devices today, and I just updated my GS8+ this morning. Not sure if my Rogue was infected from the date that this was discovered up to today.

NMD
Posts: 47
Joined: Sat Dec 27, 2014 1:40 pm
Car: 2021 Rogue Platinum AWD
2011 Sentra SR
2024 VW Jetta SEL (wife's car, please don't hate)

This may be off topic, but still Bluetooth-related. For the past two days I've been noticing my head unit display show my phone charge as full, no matter what the actual charge is. I have an iPhone 7; iOS is up to date at 11.2.1.

