Executive Summary

Title Lemur Vehicle Monitors BlueDriver LSB2 does not authenticate users for Bluetooth access
Name VU#615456 First vendor Publication 2016-04-07
Vendor VU-CERT Last vendor Modification 2016-04-20
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:A/AC:L/Au:N/C:P/I:C/A:C)
Cvss Base Score 8 Attack Range Adjacent network
Cvss Impact Score 9.5 Attack Complexity Low
Cvss Expoit Score 6.5 Authentication None Required
Calculate full CVSS 2.0 Vectors scores


Vulnerability Note VU#615456

Lemur Vehicle Monitors BlueDriver LSB2 does not authenticate users for Bluetooth access

Original Release date: 07 Apr 2016 | Last revised: 20 Apr 2016


The Lemur Vehicle Monitors BlueDriver is an aftermarket automotive device that connects to a vehicle's OBD-II port and provides information about the vehicle's performance. The BlueDriver does not require a PIN for Bluetooth access, which allows anyone in range to send arbitrary commands to the vehicle's CAN bus.


CWE-306: Missing Authentication for Critical Function - CVE-2016-2354

The CERT Coordination Center has determined that the Lemur BlueDriver does not require a PIN to connect to it via Bluetooth. This allows anyone within Bluetooth range to access standard OBD-II diagnostic information about the car, including gas mileage, Diagnostic Trouble codes, speed, emissions, etc. It also allows an attacker to create a serial connection directly to the CAN (Controller Area Network) bus in the vehicle. Any valid CAN command can be sent to the vehicle. Depending on the vehicle, this may allow attackers to affect safety critical systems such as steering or braking.


The attack is limited to short (Bluetooth) range, but it could be launched from a compromised device inside the car (e.g., cell phone). Depending on the car make and model, impact could range from information disclosure to life-threatening.


Apply an Update
Lemur Vehicle Monitors has released a firmware update to address this vulnerability:

BlueDriver scan tool users can update their sensor Firmware (F/W) by opening
their BlueDriver App and tapping ‘More’ > ‘Update Sensor F/W’ > 'Check for
Updates' and following the instructions.

The latest F/W for BlueDriver limits Bluetooth discoverability to 1 minute
after plug in. This added feature limits discovering (and then pairing) to
your BlueDriver to those who first plug in the sensor

For clarification, the vendor has stated that discoverability is now limited to only when the device is plugged in, not every time the vehicle is turned on.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
Lemur Vehicle MonitorsAffected03 Feb 201607 Apr 2016
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)



  • http://www.lemurmonitors.com/
  • https://cwe.mitre.org/data/definitions/306.html


Thanks to Dan Klinedinst of the CERT/CC for reporting this vulnerability.

This document was written by Dan Klinedinst.

Other Information

  • CVE IDs:CVE-2016-2354
  • Date Public:07 Apr 2016
  • Date First Published:07 Apr 2016
  • Date Last Updated:20 Apr 2016
  • Document Revision:25


If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/615456

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-284 Access Control (Authorization) Issues

Alert History

If you want to see full details history, please login or register.
Date Informations
2016-05-04 17:40:34
  • Multiple Updates
2016-04-22 09:34:17
  • Multiple Updates
2016-04-20 21:25:34
  • Multiple Updates
2016-04-19 21:25:21
  • Multiple Updates
2016-04-19 17:25:39
  • Multiple Updates
2016-04-14 17:23:36
  • Multiple Updates
2016-04-08 00:23:07
  • First insertion