Pierluigi Paganini
December 04, 2022
Data managed by infotainment systems in modern vehicles are a valuable source of information for the investigation of law enforcement agencies.
Modern vehicles come with sophisticated infotainment systems that are connected online and that could represent an entry point for attackers, as demonstrated by many security experts over the years.
Law enforcement and intelligence worldwide are buying technologies that exploit weaknesses in vehicle systems.
Recently security the security expert researcher Sam Curry warned of vulnerabilities in mobile apps that exposed Hyundai and Genesis car models after 2012 to remote attacks. An attacker could exploit these flaws to unlock and start the vehicles.
The experts also exploited these flaws in attacks targeting the SiriusXM “smart vehicle” platform used by several car makers, including Toyota, Honda, FCA, Nissan, Acura, and Infinity.
An attacker only needs to know the car’s identifying number, known as a VIN, to launch the attack against a target vehicle.
Vulnerabilities in infotainment systems can be generally exploited by remote attackers to lock/unlock a vehicle, interact with several features of the cars (hooking up to drivers’ connected devices), and locate them.
According to a report published by Forbes, federal law enforcement agencies, with immigration and border cops are using technologies that can exploit similar weaknesses to extract data from 10,000 different car models.
“The ability to gather piles of evidence on a potential crime from an automobile—sometimes more than can be obtained from a smartphone and often less well secured—is something that immigration and border cops have increasingly latched on to in 2022.” Forbes reports. “Court documents and government contracting records show the agencies tasked with monitoring the Mexican border have spent record sums on car hacking tools, while talking up the extraordinary amount of valuable evidence that can be reaped from onboard computers.”
Privacy advocates are raising the alarm on surveillance activities operated by law enforcement by collecting data from connected systems in modern cars.
“New cars are surveillance on wheels, sending sensitive passenger data to carmakers and police. Cars also store enormous amounts of passenger data onboard, where police can extract it using specialized tools. We estimate that law enforcement agencies could have accessed car data hundreds of thousands of times in 2020.” warned a report published by Surveillance Technology Oversight Project (S.T.O.P.). “Constitutional loopholes allow access to most data on cars without a warrant. Police can access information from car-connected phones and online accounts without the warrant typically required.”
Forbes reported the case of a recent search of a 2019 Dodge Charger, “used to facilitate the transportation or movement of noncitizens without legal status into and throughout the United States” near, the Mexican border. The police was able to access the infotainment system of the vehicle to obtain a broad range of information, including the suspect’s location, user passwords, email addresses, IP addresses and phone numbers.
Forbes also reports another case related to an investigation conducted by the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) in Missouri in October. In that case, the law enforcement body used the car hacking technology to gather information from a 2022 Ford F-150.
The ATF investigator pointed out that connected systems in modern vehicles can be targeted to recover a vast amount of data and also spy on a phone connected to the car without access to the phone itself.
ATF confirmed that digital technologies can be used to target over 10000 different vehicle models.
“There are over 10,000 supported vehicles by BMW, Buick, Cadillac, Chevrolet, Chrysler, Dodge, Fiat, Ford, GMC, Hummer, Jeep, Lincoln, Maserati, Mercedes, Mercury, Pontiac, Ram, Saturn, Toyota and Volkswagen,” ATF wrote.
Forbes reported that Customs and Border Protection and Immigration Customs Enforcement have this year spent record sums on car forensics technologies provided by vehicle forensics firm Berla.
The company provides a collection of tools named iVe that supports investigators throughout the entire vehicle forensics process, it includes a mobile application for identifying vehicles, a hardware kit for acquiring systems, and forensic software for analyzing data.
“According to government contract records, in August CBP spent over $380,000 on iVe, nearly eight times its previous single biggest purchase of $50,000 from 2020. ICE, which has been buying Berla’s tools and trainings since 2010, spent $500,000 on iVe in September, well over twice its previous record of $200,000. In a May 2022 contract, CBP specifically asked for “vehicle infotainment forensic extraction tools, licenses, and training” from Berla.” continues Forbes.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, infotainment systems)
[adrotate banner=”5″]
[adrotate banner=”13″]
