Bluetooth-equipped cars vulnerable to eavesdropping

It seems like it’s possible to eavesdrop on bluetooth equipped cars. It seems like some car manufacturers made it especially easy to hook into the built-in bluetooth audio system and listen in or inject audio to these system.

The car manufacturers have done two things wrong:

  1. Allow unattended pairing

    Is it really too difficult to turn on pairing on demand? Every single phone headset I’ve seen only pairs when you press a specific key for some time or some other uncommon combination. Why can’t they do it in the car? This is clearly a case where security trumps ease of use, especially when the difference in the user’s experience is clicking one additional button every time they buy a new phone

  2. Use a default PIN

    Okay, so the bluetooth authentication process is not very secure, but why make life even easier for crackers? It’s not a process you perform every day, it’s a one-time-per-device process, adding a digit or two to the pin and randomizing it won’t reduce the number of potential users.

I can understand that developers have their time-to-market and other constraints and security is the easiest thing to give away, but sometimes you just need to put in the extra effort, or your customers will be eavesdropped on. I don’t really think the car developers really understood what the stakes are.