Android-based infotainment systems used in Ford, GM, Honda, and other major vehicle brands can be turned into data-stealing devices, Cisco Talos researchers have uncovered.
As with virtually any electronic device, vehicle infotainment systems, colloquially known as head units, can be engineered to steal user data. Dan Mazzella, security research engineer and malware researcher at Cisco Talos successfully exploited his own vehicle‘s head unit to demonstrate that the attack is possible.
“I was able to very easily just dump process memory and access exact GPS coordinates for my head unit: exactly where my house was, where the GPS latitude longitude coordinates were. That’s a major privacy concern,” Mazzella explained to Cybernews at the Black Hat USA 2024 conference.
The research focused on Android Automotive operating system (OS), an open-source piece of software developed by Google that’s favored by automakers due its easy integration with Android-based devices.
Major vehicle automakers such as GM, Chevy, Cadillac, Buick, Ford, Honda, and others ship their vehicles with head units running on Android Automotive OS. The systems allow users to connect smartphones via Bluetooth, install third-party applications, serve as GPS antennas, and provide other features.
According to Mazzella, attackers could infect the vehicles’ head unit and obtain data that’s being transferred between the unit and smartphone, such as text messages, contacts, photos stored through text, and other private user information.
Since Mazzella tested a head unit without internet connectivity, an attacker would have to employ social engineering tactics to deploy info-stealing malware first. However, prominent threat actor groups like the infamous Fin7 have successfully utilized the so-called “bad USB” attacks in the past.
“An attacker could send an infected USB stick via “snail mail,” convincing a user that this is a critical update for the victim’s car. They usually impersonate device manufacturers and claim that the USB contains a critical software update,“ Mazzella explained.
Another way an attacker could infect a vehicle's infotainment system is via Bluesnarfing, a type of attack where malicious actors infiltrate paired devices via Bluetooth connection.
“Attackers could claim that your most recent software update did not install the necessary software, advising you to install a companion app, which sends a direct malicious payload to a target device,” the researcher explained.
Worryingly, an infected head unit could serve as a vehicle for disseminating malware further, potentially impacting any other device that connects to the head unit. Attackers could leverage this attack path by targeting rental cars. Many users connect their devices to rental cars and may choose to allow for syncing without understanding the potential impact on their data.
“My biggest area of concern would be around rental cars. You don't really know what you're plugging into. It's an untrusted device. And if a malicious actor just started going into a rental car place or just started renting cars and kind of backdooring them, that's where I would be a little bit more concerned with,” Mazella said.
However, before car manufacturers and infotainment system makers devise a way to safeguard against head unit-enabled attacks, Cisco Talos researchers recommend not plugging any untrusted buses into car systems.
Meanwhile for rentals, users are advised to only use mirroring features that do not transfer data, and only repeat the image seen on the paired devices screen.
Your email address will not be published. Required fields are markedmarked