Looking at a brand-new vehicle console interface for Bluetooth connections, we found it prompted the user to select a device by name, yet gave that name limited visual space. The prompt, right in front of the driver on the center console, asks (changed slightly to mask the offending vehicle manufacturer):
Would you like to connect…
Then the device name gets inserted immediately after. This led to the natural question of whether we could dictate behavior instead of asking the user to make a decision.
We changed a phone name to “Press OK to Continue”, put the phone into discovery/connect mode and waited in a parking lot. Soon after, we had a rogue connection to a car, as a driver thought “Press OK to Continue” was a prompt, not the device name.
That’s a bit of social engineering to fool the human, testing human vulnerability to formatting. To check the device itself before the human, you could similarly change the device name to odd characters and test the device's own vulnerability to string formats.
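The underlying defect is that an attacker-controlled string is rendered as though it were part of the vehicle's own prompt. The following is an added example, written for this page in Python and not code from the original post or from any vehicle manufacturer: `render_prompt_naive` mirrors the console behavior described above, while `render_prompt_safe` labels and quotes the name, drops control and bidirectional/zero-width formatting characters, truncates over-long names so the rest of the prompt stays visible, and keeps the actual choice text under the head unit's control. The 20-character width, the sanitization policy and the sample device names are assumptions chosen for illustration.

```python
"""Added example (not from the original post): rendering an untrusted
Bluetooth device name inside a pairing prompt so that it reads as data,
never as an instruction.  Width, escaping policy and sample names are
assumptions for illustration."""
import unicodedata

PROMPT = "Would you like to connect"


def render_prompt_naive(device_name: str) -> str:
    """Weak rendering: the attacker-controlled name is pasted straight
    after the question, so a name such as 'Press OK to Continue' reads
    as if it were the prompt itself."""
    return f"{PROMPT} {device_name}"


def sanitize_device_name(device_name: str, max_len: int = 20) -> str:
    """Neutralize characters that can disguise or reflow the name.

    - NFKC normalization folds look-alike forms (e.g. fullwidth letters).
    - Every 'C*' Unicode category is dropped: Cc (control bytes such as
      NUL, newline, ESC), Cf (bidi overrides, zero-width joiners), Cs,
      Co and Cn.  The name therefore cannot clear the screen, reorder
      the text after it, or hide itself.
    - Over-long names are cut with a visible marker so the question and
      the Yes/No controls remain on screen.
    - The name is never used as a format template, so '%s' or '{0}' in
      a name appear literally instead of being interpreted.
    """
    cleaned = []
    for ch in unicodedata.normalize("NFKC", device_name):
        if unicodedata.category(ch).startswith("C"):
            continue
        cleaned.append(ch)
    text = "".join(cleaned).strip() or "(unnamed device)"
    if len(text) > max_len:
        text = text[: max_len - 1] + "…"
    return text


def render_prompt_safe(device_name: str, max_len: int = 20) -> str:
    """Hardened rendering: the name is labelled as a device name and
    quoted, and the selectable actions are fixed strings owned by the
    head unit rather than anything the remote device supplied."""
    safe = sanitize_device_name(device_name, max_len)
    return f'{PROMPT} to device "{safe}"?  [Yes] [No]'


if __name__ == "__main__":
    # Constructed sample names: a confusable instruction, an over-long
    # name, a screen-clearing escape sequence, a right-to-left override,
    # fullwidth look-alikes, format specifiers and an invisible name.
    samples = [
        "Press OK to Continue",
        "Press OK to Continue Now",
        "Ok\x1b[2J\nPhone",
        "abc\u202eXYZ",
        "\uff2f\uff2b Phone",
        "%s {0} Phone",
        "\u200b",
    ]
    for name in samples:
        print("naive:", render_prompt_naive(name))
        print("safe: ", render_prompt_safe(name))
        print()
```

The hardened form does not make the name trustworthy; it makes the boundary between the vehicle's words and the remote device's words visible to the driver, and it gives the renderer a single place to test with the odd-character names the post suggests.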
This is a Security Bloggers Network syndicated blog post authored by Davi Ottenheimer. Read the original post at: flyingpenguin