Bluetooth leaks SIM number and cell uplink connectivity to rental car.

DeletedUser237

Toasted_Mustard Whats the best course of action?
Never using bluetooth with connected/rental cars or other untrusted handsfree devices?

Bingo. Even if the bugs/flaws you mentioned are addressed, you still connect your phone to a potentially malicious receiver. You don't know who drove the car before you and whether they modified the system in any way. Its simply not worth it IMO. You would not (I hope) connect your phone to some random charger, or computer. So why would you do it with something else you don't own/trust.

Toasted_Mustard

DeletedUser237

This is all from a paranoid perspective.
But imagine something being resilient enough that you can connect it to all kinds of stuff, that works and only gets access to what you expect.

The other part of security is fitting onto human usage patterns and mental models.

So it is reasonable to wish for things to work as expected.

It is also a different mental abstraction between, malicious device gets access to things by default and malicious device must use bugs to access unexpected data.

Toasted_Mustard

Sadly everyone I know that was deeper into bluetooth was horrified by the details. So I can't assume things getting magically better.

As for as GOS people say, some groundwork was done in newer bluetooth versions, for having things less bad from an exploitability perspective.
@gos people, is that still true?

DeletedUser237

Toasted_Mustard This is all from a paranoid perspective

This is all from experience, but yeah you can call me paranoid, no issues with that.

Toasted_Mustard

DeletedUser237

Maybe you misunderstand.
I did not want to call "you" anything. You do you and I don't care if it does not affect me.

I used paranoid as a descriptive word of using things.
I am very aware of that approach. But other things are getting more important partially. One is my own mental health. And both sides of paranoid and not have other m.h. detrimental side effects.

This is independent of my statement:
"I wish this thing could be so clear and well designed, that I did not need to be paranoid about it because the fuzzy risks are properly prevented with some margin."

Blastoidea

“Healthy paranoia” is not a contradiction.

Toasted_Mustard

So this conversation went stuck?

Anyone have an idea to solve my problem?

To prevent Bluetooth handsfree profile from leaking my phone number to handsfree devices?

Because I want to use handsfree.
But I do not ever use the SIM phone for calls.
Only encrypted messengers.
Therefore I do not even need "the phone".
Apart from that it is unnecessary to leak the phone number to a handsfree device.

Onlyfun

Toasted_Mustard what do you mean by SIM number? A 10 digit phone number that can be dialed to make a call? I'm just curious here. Anyway the issues you described are too bad to be.

de0u

Toasted_Mustard I suspect that the handshake for the Bluetooth hands-free profile includes a phone number so that the device can manage sets of contacts. In theory it would be possible to provide a fake phone number, but clearly the existing code base does not have that as an option.

You might try filing an issue on the GrapheneOS issue tracker. But my sense is that the developers are pretty busy at present due to Google turmoil, so I would not expect them to address this in under six months. That said, if somebody were to contribute high-quality code implementing a solution, that might work.

mmobder

Toasted_Mustard if you indeed doesn't need a "number" and the leak is important for you, maybe at least as a temp workaround you can consider call-less data-only eSIMs that are discussed here from time to time?

Toasted_Mustard

Onlyfun

The phone number assigned to the sim.
So to say, the thing that is connected to the physical tracking of the phone network and the phone billing account.
So not only does the phone network see that. Rental cars as well.

Toasted_Mustard

mmobder

That makes no difference because I want to get rid of the identifier.

Onlyfun

Toasted_Mustard good to know, I never observed such myself and if I would have been asked I would be sure that such leak is not happening.