Beware: Your car stereo can leak your sensitive, private data
A software engineer, recently decided to investigate his car's infotainment found that it was not designed using modern software security
Data security is one of the primary concerns in this age of technology. People are using stronger passwords for their online accounts; Phone manufacturers are offering more secure solutions like fingerprint, retina scan and even face recognition to ensure data privacy. However, what if your car is leaking your most sensitive data?
According to a report published by ‘Vice’, A senior software engineer at the security firm Ixia, recently decided to investigate his car’s infotainment system found that it was not designed using modern software security principles, yet it stored a lot of personal information such as call histories, contacts, text messages, email messages, and even directory listings which were taken from his phone during sync, that could be valuable to hackers.
Gabriel Cîrlig, the engineer executed a code on the car’s infotainment system by connecting a pen drive with specially crafted scripts. The system automatically picked up those files and executed them with full administrative privileges easily.
The same method in the past has been used by enthusiasts to customise their infotainment systems and run non-standard applications on them, but Gabriel wanted to understand the security implications of this technique.
Mobile operating systems like Android and iOS go to great lengths to protect such data by restricting which applications have access to it or by allowing users to encrypt their devices. All that security is undone, if people pair their devices over Bluetooth with an infotainment system like the one found in Gabriel’s car.
Gabriel and an Ixia colleague Ștefan Tănase decided to go even further and investigate how the car’s infotainment unit could be potentially hacked by an attacker or even law enforcement to track users and obtain information about them that they couldn’t otherwise get from their mobile devices.
They presented their findings Friday at the DefCamp security conference in Bucharest but declined to disclose the car make or model because they're still in the process of reporting the privacy issue they found. However, they mentioned that the car was made by a Japanese manufacturer and infotainment system is based on Linux and consists of a Cortex-A9 CPU with 1GB of RAM, as well as Wi-Fi and GPS.
Gabriel told that there is a firmware update available that blocks the USB attack vector on his car, but installing it requires going to a dealership. This means that a large number of cars will likely never be patched.
It looks like a technology that was created in a rush without any concern for security engineering, Gabriel said. "A production system, at least for a car, should be completely locked down." The system even stored the data indefinitely instead of requesting it again from the phone when the device is reconnected.
In addition to data copied from mobile devices, Gabriel found other sensitive information on the infotainment unit, such as a list of favourite locations the car has been driven to or from, voice profiles, vehicle status information, and GPS coordinates.
During their presentation, they showed how a BASH script executed via USB continuously looked for open Wi-Fi hotspots, and upon connection could combine this data from GPS unit to send real-time car location to the potential hacker. The worst thing is that the script is installed as a 'cron' job so even if you rest the system to factory defaults, the script remains.
The hacker can further create a USB worm that cannot only infect the Car’s infotainment but could also transmit itself to other USB dongles plugged in future in the system and potentially infect other cars or even the car’s WiFi can be used to exploit the script by transmitting it to other systems it can find.
The development of infotainment systems is usually outsourced to third-party electronic component suppliers and not made by the automobile manufacturers themselves. Other researchers have shown in the past that there are ways to jump from the infotainment systems to more critical electronic control units (ECUs)—the specialized embedded computers that control a car’s functions.
The auto industry continues to work using outdated programming principles and very old technology stacks that would be unacceptable today in a modern software development environment; and that needs to change, Cîrlig said. “For someone like myself who has a software development background, that style of coding looks ancient, from the age of the dinosaurs.”