from the four-wheeled-informants dept
For years, cars have collected massive amounts of data. And for years, this data has been extraordinarily leaky. Manufacturers don’t like to discuss how much data gets phoned home from vehicle systems. They also don’t like to discuss the attack vectors these systems create, either for malicious hackers or slightly less malicious law enforcement investigators.
The golden age of surveillance definitely covers cars and their infotainment systems. A murder investigation had dead-ended until cops decided to access the on-board computers in the victim’s truck, which led investigators to the suspect nearly two years after the investigation began.
And whatever investigators can’t access themselves will be sold to them. The Ulysses Group, a data broker with several government contracts, told government agencies in early 2021 it had access to location data pulled from vehicles that could be delivered “in near real time.”
Security researchers have uncovered a vulnerability that somewhat inadvertently exposes just how much access law enforcement agencies can pull from on-board systems. A flaw in satellite radio provider SiriusXM’s system allowed anyone to basically hijack a car (turn on the ignition, lock doors, etc.) using nothing but the VIN. This hack also gave them access to personal data stored in the car, along with other data collected by SiriusXM, like speed, brake use, and door status (open/closed).
While this particular flaw only affected Hondas and Nissans, similar payloads of data are only a hack/forensic scrape away from being harvested by law enforcement on demand, as Thomas Brewster reports for Forbes.
The hack highlighted a weakness in modern vehicles’ internet-connected systems, in particular those that track vehicle use and location, while hooking up to drivers’ cellphones and sucking in user data. They’re the same technologies that are regularly being exploited by federal law enforcement agencies, with immigration and border cops investing more than ever before on tools that extract masses of data—from passwords to location—from as many as 10,000 different car models.
10,000 car models is a tasty target for hackers and cops alike. The near-omnipresence of infotainment systems that link with drivers’ phones make nearly any car a potential source of evidence (or, in the case of malicious hackers, a one-stop shop for personal data).
Federal agencies are definitely making use of this data source, according to court documents.
In a recent search of a 2019 Dodge Charger near the Mexican border, a patrol agent wrote that infotainment systems—those that provide GPS, remote control and entertainment features—were especially useful to government investigators. They could provide information on a suspect’s location, email addresses, IP addresses and phone numbers…
Another vehicle system search — this one performed by the ATF — was accompanied by the same claim: infotainment systems not only give investigators access to useful data, but could also reveal user passwords. This (unverified) claim echoed the one made by the CBP agent in regards to the search of the Dodge Charger. What’s undeniable is the fact that investigators are working around phone encryption (and, perhaps, cell phone search warrants) by accessing phone data via connected infotainment systems, rather than trying to access (possibly locked) phones themselves.
It all adds up to real money for companies like Maryland-based Berla, which sells its iVe forensic extraction tool to federal law enforcement agencies.
According to government contract records, in August CBP spent over $380,000 on iVe, nearly eight times its previous single biggest purchase of $50,000 from 2020. ICE, which has been buying Berla’s tools and trainings since 2010, spent $500,000 on iVe in September, well over twice its previous record of $200,000. In a May 2022 contract, CBP specifically asked for “vehicle infotainment forensic extraction tools, licenses, and training” from Berla.
We’ll probably have to wait for a challenge of these searches to learn more details about what the government is obtaining from in-car systems and what judicial paperwork it’s using to perform these searches. Just because it’s technically in “plain view” doesn’t mean a computer storing massive amounts of data should be considered the equivalent of contraband found laying on a backseat or stashed in the trunk. Like cell phones, the search of a connected infotainment system can reveal far more about a person than a search of their home. Hopefully, someone in the judicial system is keeping an eye on these searches and pushing back when warrant affidavits ask for far more than the government is entitled to obtain.