Law Enforcement Is Extracting Tons Of Data From Vehicle Infotainment Systems

from the four-wheeled-informants dept

For years, cars have collected massive amounts of data. And for years, this data has been extraordinarily leaky. Manufacturers don’t like to discuss how much data gets phoned home from vehicle systems. They also don’t like to discuss the attack vectors these systems create, either for malicious hackers or slightly less malicious law enforcement investigators.

The golden age of surveillance definitely covers cars and their infotainment systems. A murder investigation had dead-ended until cops decided to access the on-board computers in the victim’s truck, which led investigators to the suspect nearly two years after the investigation began.

And whatever investigators can’t access themselves will be sold to them. The Ulysses Group, a data broker with several government contracts, told government agencies in early 2021 it had access to location data pulled from vehicles that could be delivered “in near real time.”

Security researchers have uncovered a vulnerability that somewhat inadvertently exposes just how much data law enforcement agencies can pull from on-board systems. A flaw in satellite radio provider SiriusXM’s system allowed anyone to basically hijack a car (turn on the ignition, lock doors, etc.) using nothing but the VIN. This hack also gave them access to personal data stored in the car, along with other data collected by SiriusXM, like speed, brake use, and door status (open/closed).

While this particular flaw only affected Hondas and Nissans, similar payloads of data are only a hack/forensic scrape away from being harvested by law enforcement on demand, as Thomas Brewster reports for Forbes.

The hack highlighted a weakness in modern vehicles’ internet-connected systems, in particular those that track vehicle use and location, while hooking up to drivers’ cellphones and sucking in user data. They’re the same technologies that are regularly being exploited by federal law enforcement agencies, with immigration and border cops investing more than ever before on tools that extract masses of data—from passwords to location—from as many as 10,000 different car models.

10,000 car models is a tasty target for hackers and cops alike. The near-omnipresence of infotainment systems that link with drivers’ phones makes nearly any car a potential source of evidence (or, in the case of malicious hackers, a one-stop shop for personal data).

Federal agencies are definitely making use of this data source, according to court documents.

In a recent search of a 2019 Dodge Charger near the Mexican border, a patrol agent wrote that infotainment systems—those that provide GPS, remote control and entertainment features—were especially useful to government investigators. They could provide information on a suspect’s location, email addresses, IP addresses and phone numbers…

Another vehicle system search — this one performed by the ATF — was accompanied by the same claim: infotainment systems not only give investigators access to useful data, but could also reveal user passwords. This (unverified) claim echoed the one made by the CBP agent in regard to the search of the Dodge Charger. What’s undeniable is the fact that investigators are working around phone encryption (and, perhaps, cell phone search warrants) by accessing phone data via connected infotainment systems, rather than trying to access (possibly locked) phones themselves.

It all adds up to real money for companies like Maryland-based Berla, which sells its iVe forensic extraction tool to federal law enforcement agencies.

According to government contract records, in August CBP spent over $380,000 on iVe, nearly eight times its previous single biggest purchase of $50,000 from 2020. ICE, which has been buying Berla’s tools and trainings since 2010, spent $500,000 on iVe in September, well over twice its previous record of $200,000. In a May 2022 contract, CBP specifically asked for “vehicle infotainment forensic extraction tools, licenses, and training” from Berla.

We’ll probably have to wait for a challenge of these searches to learn more details about what the government is obtaining from in-car systems and what judicial paperwork it’s using to perform these searches. Just because it’s technically in “plain view” doesn’t mean a computer storing massive amounts of data should be considered the equivalent of contraband found lying on a backseat or stashed in the trunk. Like cell phones, the search of a connected infotainment system can reveal far more about a person than a search of their home. Hopefully, someone in the judicial system is keeping an eye on these searches and pushing back when warrant affidavits ask for far more than the government is entitled to obtain.

Companies: siriusxm


Comments on “Law Enforcement Is Extracting Tons Of Data From Vehicle Infotainment Systems”

7 Comments
Anonymous Coward says:

Re:

If you want to use your car’s audio system, and maintain privacy, you should do so via an analog input only. Otherwise, most cars will track every media file they’ve ever seen, every station they’ve been tuned to, etc., and there’s no easy way to securely wipe the data or disable this tracking. (Additionally, there are often exploitable security flaws that can be triggered via malformed files or unexpected radio data.)

Flakbait (profile) says:

Malice equivalence

“malicious hackers or slightly less malicious law enforcement investigators”

Both law enforcement and hackers can cause me all manner of chaos and financial havoc, but hackers go in to all interactions with malice aforethought. However, hackers cannot treat me to an unsolicited and unannounced high-velocity lead party. So when it comes to malice / ill will, hackers win. But when it comes to menace, LEOs win every time.

tom (profile) says:

Most modern cars are just a variation on the Personalized Tracking Device, much like smartphones. At least most phones will be replaced every few years and get updated security. Most cars will long outlive the support window from the factory and will be a PTD with outdated security. Even worse, most car makers consider any data generated by the vehicle their property to be done with as they see fit.

LostInLoDOS (profile) says:

Why?

Why are you concerned with what the police know? Did you do something wrong or consort with those that break the law?

I don’t speed. I don’t drive like a dumb arse that deserves to die. What’s the big deal? Huh?

If the complaint is hacks and such, yes, patch. But if a cop asked where I have been and where I am going, have at it.

What are you afraid of?
