Bluetooth leaks SIM number and cell uplink connectivity to rental car

I just used Bluetooth to play music in a rental car.
It also connected phone audio.
I blocked phonebook and message access.
The prompts are heterogeneous and cumbersome.
While I was waiting in a traffic jam I fiddled with the car settings to improve the sound.
During that I saw that the car's display showed my SIM number.
It did not show contacts or messages.
But I am not sure about that either.

Because of: https://discuss.grapheneos.org/d/16226-bluetooth-shares-contacts-and-calls-history-despite-being-turned-off-by-default/

In another rental car, the car was allowed to use my phone's cell internet uplink for internet without anything asking for my permission.

(Doesn't matter if GOS or stock, btw. So not a GOS-specific problem.)

Are fixes for such bad defaults in the works from the GOS side?

What's the best course of action?
Never using Bluetooth with connected/rental cars or other untrusted hands-free devices?
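To make concrete what a car actually gets once it is paired, here is an added example; it is my own script, not code from this thread, from GrapheneOS or from any car vendor. It parses the service UUIDs that `bluetoothctl info <addr>` prints for a paired device on a Linux host (the same Bluetooth SIG service-class UUIDs are what an Android phone sees, Linux just makes them easy to dump) and flags the profiles that imply phonebook, message, SIM or network access rather than plain audio. The sample head-unit output is constructed, and the choice of which profiles count as sensitive and the wording of the notes are my own assumptions.

```python
import re
import sys
from typing import Dict, List, Tuple

# Bluetooth SIG "base UUID": a 16-bit assigned number XXXX is carried as
# 0000XXXX-0000-1000-8000-00805f9b34fb.
BASE_SUFFIX = "-0000-1000-8000-00805f9b34fb"

# Service-class UUIDs (Bluetooth SIG assigned numbers) that give the peer more
# than audio. The notes are my own labelling (assumption), written from the point
# of view of a phone pairing with a head unit that advertises the UUID.
SENSITIVE: Dict[int, Tuple[str, str]] = {
    0x112E: ("PBAP client (PCE)", "unit will pull phonebook and call history from the phone"),
    0x112F: ("PBAP server (PSE)", "peer exposes a phonebook (normally the phone-side role)"),
    0x1133: ("MAP client (MCE)", "unit will read (and may send) SMS/notifications"),
    0x1132: ("MAP server (MSE)", "peer exposes messages (normally the phone-side role)"),
    0x112D: ("SIM Access (SAP)", "remote SIM access: the peer can use the phone's SIM as its own"),
    0x1115: ("PAN user (PANU)", "unit will route its traffic through the phone's uplink"),
    0x1116: ("PAN NAP", "peer offers itself as a network access point"),
    0x111E: ("HFP hands-free unit", "call control; HFP lets the unit query the phone's subscriber number (AT+CNUM)"),
}

# One UUID line of `bluetoothctl info` looks like:
#   UUID: Audio Sink                (0000110b-0000-1000-8000-00805f9b34fb)
UUID_LINE = re.compile(r"UUID:\s*(?P<name>.*?)\s*\((?P<uuid>[0-9a-fA-F-]{36})\)")


def short_uuid(uuid128: str):
    """Return the 16-bit assigned number if the UUID sits on the SIG base UUID, else None."""
    u = uuid128.lower()
    return int(u[:8], 16) if u.endswith(BASE_SUFFIX) else None


def parse_uuids(info_text: str) -> List[Tuple[str, str]]:
    """Extract (display name, 128-bit UUID) pairs from `bluetoothctl info` output."""
    return [(m.group("name"), m.group("uuid")) for m in UUID_LINE.finditer(info_text)]


def audit(info_text: str) -> List[Tuple[int, str, str]]:
    """Return (code, profile, note) for every sensitive profile the device advertises."""
    findings = []
    for _name, uuid128 in parse_uuids(info_text):
        code = short_uuid(uuid128)
        if code in SENSITIVE:
            profile, note = SENSITIVE[code]
            findings.append((code, profile, note))
    return findings


def report(info_text: str) -> str:
    """Human-readable summary of audit(); one line per flagged profile."""
    lines = [f"0x{code:04X} {profile}: {note}" for code, profile, note in audit(info_text)]
    if not lines:
        lines.append("no profiles beyond audio/remote control found")
    return "\n".join(lines)


# Constructed sample (assumption): what `bluetoothctl info` might print for a
# typical head unit that does music, calls, contacts, messages and tethering.
SAMPLE_CAR_INFO = """\
Device AA:BB:CC:DD:EE:FF (public)
    Name: RENTAL HEAD UNIT
    Paired: yes
    Trusted: no
    UUID: Audio Sink                (0000110b-0000-1000-8000-00805f9b34fb)
    UUID: A/V Remote Control        (0000110e-0000-1000-8000-00805f9b34fb)
    UUID: Handsfree                 (0000111e-0000-1000-8000-00805f9b34fb)
    UUID: Phonebook Access - PCE    (0000112e-0000-1000-8000-00805f9b34fb)
    UUID: Message Access - MCE      (00001133-0000-1000-8000-00805f9b34fb)
    UUID: PANU                      (00001115-0000-1000-8000-00805f9b34fb)
    UUID: Vendor specific           (12345678-1234-5678-1234-56789abcdef0)
"""

if __name__ == "__main__":
    # Usage: bluetoothctl info AA:BB:CC:DD:EE:FF | python3 bt_profile_audit.py
    # With no piped input the constructed sample is audited instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAR_INFO
    print(report(text))
```

On the constructed sample the script flags HFP, the PBAP and MAP client roles and PANU, and leaves A2DP, AVRCP and the vendor UUID alone. Advertising a profile is not the same as being granted it (the phone still decides per profile), but the list tells you up front which permission prompts to expect and what "allow" would hand over.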

    Toasted_Mustard What's the best course of action?
    Never using Bluetooth with connected/rental cars or other untrusted hands-free devices?

    Bingo. Even if the bugs/flaws you mentioned are addressed, you still connect your phone to a potentially malicious receiver. You don't know who drove the car before you and whether they modified the system in any way. It's simply not worth it IMO. You would not (I hope) connect your phone to some random charger or computer. So why would you do it with something else you don't own/trust?

      0xsigsev

      This is all from a paranoid perspective.
      But imagine something being resilient enough that you can connect it to all kinds of stuff, and it works and only gets access to what you expect.

      The other part of security is fitting onto human usage patterns and mental models.

      So it is reasonable to wish for things to work as expected.

      It is also a different mental abstraction between a malicious device getting access to things by default and a malicious device having to use bugs to access unexpected data.

        Toasted_Mustard

        Sadly everyone I know who was deeper into Bluetooth was horrified by the details. So I can't assume things getting magically better.

        As far as GOS people say, some groundwork was done in newer Bluetooth versions to make things less bad from an exploitability perspective.
        @gos people, is that still true?

        “Healthy paranoia” is not a contradiction.

        0xsigsev

        Maybe you misunderstand.
        I did not want to call "you" anything. You do you, and I don't care if it does not affect me.

        I used paranoid as a descriptive word for using things.
        I am very aware of that approach. But other things are partially getting more important. One is my own mental health. And both sides, paranoid and not, have other m.h. detrimental side effects.

        This is independent of my statement:
        "I wish this thing could be so clear and well designed that I did not need to be paranoid about it, because the fuzzy risks are properly prevented with some margin."