1 - 8 of 8 Posts

·
Registered
2018 OB Limited 3.6R
Joined
·
201 Posts
Discussion Starter · #1 ·
Just an FYI. There is a new Bluetooth attack vector dubbed BlueBorne. The scope and impact are rather significant because it impacts most all Bluetooth-based devices and attacks can also move laterally from device to device.

The entity that exposed the issue is Armis and I list their link below. A web search on BlueBorne will net you more info with individual opinions and commentary of the writer.
https://www.armis.com/blueborne/

Microsoft, Apple and Google have all released patching but Google usually only issues updates for phones released within the last 2 years. I have not seen yet if Google intends to patch older OS versions. Carriers have yet to release their own patching for phone versions that they manage updates for and are usually slow to respond.

What will be interesting to see is what the impact and risk is for the auto industry and how they address it. This issue is going to be around for a little while. Just make yourself aware of how it impacts you.
 

·
Registered
2018 Dark Blue Outback 3.6R Touring arrived 8/31/2017
Joined
·
343 Posts
Thank you for posting this, I'll need to read that later.

The head unit software in my car is already buggy enough without outside influence, and I'm in a prime tech area ripe for anyone wanting to target others if desired.
 

·
Registered
2021 MGM Outback 2.5i Premium with Tungsten Grey seats
Joined
·
2,462 Posts
> Microsoft, Apple and Google have all released patching but Google usually only issues updates for phones released within the last 2 years. I have not seen yet if Google intends to patch older OS versions. Carriers have yet to release their own patching for phone versions that they manage updates for and are usually slow to respond.

Google releases OS updates for Google-branded devices for 2 years. Monthly security patches continue for a year beyond that. Any device developed and shipped by another manufacturer is subject to that manufacturer releasing the update for their device. Bottom line? If you want to be sure your Android device is secure, get a Google-branded device. I don't know what patch level different manufacturers have released for their devices but Samsung is historically slow; I know of some folks reporting that they're still on a MARCH patch level. Add in carrier branding and there's an entire additional level of approvals and red tape before a carrier-branded device gets the monthly patch.
 

·
Registered
Joined
·
1 Posts
Hi,
We have Apple and Samsung phones and devices in our home. I'm hoping that as long as we all have updated software, we should be OK. However, what about our cars? We have 2 Subarus and one Toyota that all use Bluetooth. Are the cars themselves at risk? Is there something we should do?

Thanks,
Kathy
 

·
Registered
2018 OB Limited 3.6R
Joined
·
201 Posts
Discussion Starter · #5 ·
I am going to reach out to Subaru on Monday to find out if our vehicles are impacted. More than likely they haven't even assessed it yet but might as well get the inquiry started.
 

·
Registered
2018 OB Limited 3.6R
Joined
·
201 Posts
Discussion Starter · #6 ·
I escalated to Subaru in writing over the weekend. The initial response provided was polite but indirect and insufficient. I've followed up with another more detailed response and have requested escalation.

So far there doesn't appear to be a way to disable Bluetooth on the 2018 Outback Limited telematics head unit. Hopefully Subaru will reveal some way to do so while they investigate the issue.

For your viewing pleasure:

BlueBorne Explained
Smartwatch Takeover Demonstration
Android Takeover Demonstration
Windows Man-In-The-Middle (MITM) Demonstration
 

·
Registered
2018 OB Limited 3.6R
Joined
·
201 Posts
Discussion Starter · #7 ·
After some back and forth with Subaru they have acknowledged with the following response today:

"We are aware of the situation and we are actively looking into this. If an update becomes available we will reach out to our owners with the necessary information by email."

Subaru has provided no other information.


Users of 2015-2017 Outbacks can disable Bluetooth as an interim measure until Subaru provides additional details on exposure and remedy. 2018 Outback users do not have this option as Bluetooth is permanently forced on. Other models with the new Apple CarPlay/Android Auto head units may also be in the same boat. If you own any model other than those listed, check your manual.
 

·
Registered
2014 Outback 2.5i Limited CVT
Joined
·
19 Posts
Thanks for the heads up! I am going to definitely check up on this later since I have a ton of Bluetooth devices connected all of the time.
 