Did you ever imagine that your car infotainment system can prove as a data goldmine for hackers? If not, then you better take a look at this article.
A researcher named Gabriel Cirlig working for a California based security firm called ‘Ixia’ has found out that Car Infotainment systems can leak out sensitive data to hackers, due to the fact that they are not designed using modern software security principles.
What it was discovered in Cirlig’s research was that details such as call history, contacts, text messages, email messages and videos on the phone were being stored on the infotainment unit in plain text format- irrespective of the medium which is being connected- Apple Car Play or Android Auto.
Gabriel, along with her Ixia colleague named Stefan Tanase decided to investigate further on how the data could prove as a gold mine to hackers. The two tech enthusiasts found out that cyber crooks love to have their hands on such data which couldn’t be otherwise gathered from the mobile devices.
The key findings of the research were presented to the world at the DefCamp security conference in Bucharest last year. But since the researchers failed to disclose the car make and the model of the infotainment systems, the issue did not receive any attention from the media.
Gabriel says that car infotainment systems have turned into a data-stealing paradise to hackers these days. As these units are powered with Linux OSes which are leveled with bash command line shells, they can be easily hacked by online criminals.
Moreover, as these units are usually produced in a rush, car makers often ignore to educate the customers about the basic security rules to be followed while using such systems.
As most of the infotainment systems are now offering navigation and GPS facility, information stored on the systems such as voice profiles, vehicle status data, and GPS coordinates can be used by hackers to locate or blackmail a person using the system in his/her car at some point of time in later stages of life.
In their presentation, Cirlig and Tanase showed a proof of concept malware program- a bash script induced via USB into the system. And as soon as the system connected to the web, the malware was seen collecting latest data including the info from the GPS and was seen sending to the hacker (in this case the researchers). It includes info of the car located real time on a map.
What makes this issue more concerning is that the malware was induced into the system as a Cron job- which is treated as a scheduled job by Linux OS. And even if the user chose to reset the system to factory defaults, ‘Cron jobs’ will never get erased.
And if the hackers chose to create a USB worm the cyber threat further deteriorate, as the spying malware can spread to different cars, if in case the same USB device is used on multiple cars equipped with infotainment systems.