The novel 1984 by George Orwell predicted most of what's presently going on in society, when you think about technology. It spoke of a world where cameras and microphones were everywhere, and personal privacy was basically nonexistent.
In 2017, cameras and microphones are everywhere, embedded in the smartphones everyone carries around with them. Our phones are an extension of our lives and can give someone a great wealth of information if they are able to obtain access to the data stored on them.
Securing users' data and privacy has been a hot topic for the last couple of years. Call logs, text messages, emails, location tracking, ad tracking and social media activity are all sources of sensitive information people want protected.
There is a wide range of methods a hacker could use to obtain this data from a smartphone or computer, but a researcher recently found that his car's infotainment system stored personal info unencrypted that could be of value to hackers.
Gabriel Cirlig, a senior software engineer at security firm Ixia, discovered his vehicle was not designed using modern security software principles. He was able to execute code on his car's infotainment system by inserting a USB drive with specially crafted scripts. The system automatically recognized the files and executed them, granting full administrative privileges.
It's the same tactic used by car enthusiasts who want to customize their in-dash system and run non-standard applications, but Cirlig wanted to understand the security ramifications of this method.
His work revealed a major privacy issue where call histories, contacts, emails, text messages, and directory listings from smartphones were synced to the car and stored consistently on the infotainment unit in plain text.
Despite the fact that mobile operating systems like Android and iOS require app permissions to help protect user data, that security step could be rendered useless if people pair their phones via Bluetooth to a system like the one in Cirlig's vehicle.
With the help of a fellow Ixia colleague, Stefan Tanase, Cirlig wanted to see how the infotainment system could be abused by a hacker or even law enforcement, to obtain info they would otherwise have to get from the mobile device.
Equipped with a Cortex-A9 CPU with 1GB of RAM, Wi-Fi and GPS, the in-dash system is more powerful than most home routers. The OS is based on Linux and has a fully functional Bash command-line shell with all the regular utilities. There are also various debugging tools the system's developers neglected to remove, according to Cirlig.
Cirlig told Motherboard, "It looks like the technology was created in a rush without any concern for security engineering. A production system, at least for a car, should be completely locked down."
He believes decisions about the software design were made out of convenience, for example storing unencrypted sensitive user data indefinitely as opposed to requesting it again from the device when it is in range.
Not only was data copied from mobile devices accessible, but info stored directly in the infotainment unit, like voice profiles, vehicle status info, GPS coordinates and favorite locations the car had been driven to and from, was also visible.
According to Motherboard, at the DefCamp security conference in Bucharest, Cirlig and Tanase showed a proof-of-concept malware program—a Bash script—that "continuously looked for open Wi-Fi hotspots, connected to them and could exfiltrate newly collected data. By combining this malware with location data from the GPS, an attacker could also track the car in real time on a map."
Cirlig stated the rogue script is installed as a cron job—a scheduled Linux task—and is persistent, so even if the infotainment system is reset to factory settings, cron jobs aren't removed. Hackers could enhance the potency of the attack by creating a USB worm, where a compromised infotainment system could infect all future USB drives inserted, potentially spreading the exploit to other vehicles. The car could also be used in a "wardriving scenario" where it tries to automatically exploit Wi-Fi networks and other systems in range.
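A defender-side check for the persistence described above, as an added example that is not from the researchers or this article: it lists cron entries under a mounted filesystem root that are absent from a known-good baseline, which is how a job surviving a factory reset would show up. The cron paths, the baseline file format and the sample entries are assumptions, since the unit's layout was not disclosed.

```shell
#!/bin/sh
# Added example (not the researchers' code). Cron locations are the usual
# Linux ones and are an assumption; the unit's real layout was not published.

# Print "relative/path<TAB>entry" for every active line in cron files under ROOT.
cron_entries() {
    root=${1%/}
    { find "$root/etc/crontab" "$root/etc/cron.d" "$root/var/spool/cron" \
        -type f 2>/dev/null || true; } | sort | while IFS= read -r f; do
        awk -v rel="${f#"$root"/}" '
            { gsub(/[ \t]+/, " "); sub(/^ /, ""); sub(/ $/, "") }
            /^#/ || /^$/ { next }      # skip comments and blank lines
            { print rel "\t" $0 }' "$f"
    done
}

# Print entries under ROOT that are not in BASELINE (the output of
# cron_entries run against a known-good image). Exit status is 0 even
# when nothing unexpected is found; real grep errors still propagate.
unexpected_cron() {
    cron_entries "$1" | grep -F -x -v -f "$2" || [ $? -eq 1 ]
}

# Constructed sample: a post-reset filesystem tree with one stock job and
# one job that is not in the baseline. All names here are made up.
make_sample() {
    mkdir -p "$1/etc/cron.d" "$1/var/spool/cron/crontabs"
    printf '# stock job\n0 3 * * *   root  /usr/bin/logrotate /etc/logrotate.conf\n' \
        > "$1/etc/cron.d/logrotate"
    printf '*/5 * * * * /tmp/job.sh\n' > "$1/var/spool/cron/crontabs/root"
    printf 'etc/cron.d/logrotate\t0 3 * * * root /usr/bin/logrotate /etc/logrotate.conf\n' \
        > "$1/baseline.txt"
}

tmp=$(mktemp -d)
make_sample "$tmp"
unexpected_cron "$tmp" "$tmp/baseline.txt"   # reports only the crontabs/root entry
rm -rf "$tmp"
```

The baseline is generated once by running `cron_entries` against a trusted image; whitespace is normalized so cosmetic differences do not raise false alarms.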
Cirlig and Tanase chose not to disclose the make and model of the car, because they are still researching the privacy issue they found. Infotainment systems are typically outsourced to third parties and not made by the car manufacturer in-house, so it's likely this issue is consistent among multiple vehicle makes and models.
Cirlig believes the style of coding utilized by the auto industry looks ancient, with outdated programming principles and technology stacks not suited for a modern software development environment. Perhaps Cirlig's findings will be the catalyst to help spur a change in the way automakers secure their in-car entertainment systems.
What do you guys think? Do automakers need to update how user information is stored in their vehicles? If so, should this open the door for manufacturers to work directly with Google and Apple to build infotainment systems in the future? Drop a comment below and let us know.