Can CarPlay / android auto be hacked?
Discussion
When you connect through CarPlay / Android Auto I wonder if (they) can hack all your other info on the phone like email, messages, contacts, etc since they’re all readable through CarPlay. Think about it - you connect and unlock your phone! Although clearly Apple and Google would have their clever people protecting it. I did a bit of a search but couldn’t really see any references to it anywhere which is relatively unusual these days (that no one’s tested it or discussed it).
But surely it is going to be a target by both govt agencies as well as the usual organised criminal groups.
Also you can get aftermarket boxes eg I’ve got a Chinese andream fitted so who knows what it can read since I’m using all its functions to operate my phone? (Works well by the way)
It’s quite feasible that malware on a third party head unit (e.g. those cheap aftermarket unbranded ones) might infect your phone. An OEM one for that matter as well, but the trust level is a little higher.
Any time you connect to any device there’s a level of risk; but quite what that level is, is difficult to determine.
There’s probably a suitable standard that manufacturers need to meet in order to be able to market their devices, though, that lowers the risk level. I’m not that hot on commercial devices, so I don’t know the specifics.
fozzymandeus said:
Ummm…. That’s not right.
It kinda is though. Sure it’s a two-way interface over bluetooth/802.11/cable, but that two way stream is for input and display only. No application information is stored on or sent to the headunit, only display information. No data is sent from the headunit to the phone except user-input.
Processing and storage all remains local to the phone.
Try taking a screenshot on your phone when connected to CarPlay, you’ll soon realise that your phone is simply running in a dual-display configuration.
paradigital said:
It kinda is though. Sure it’s a two-way interface over bluetooth/802.11/cable, but that two way stream is for input and display only. No application information is stored on or sent to the headunit, only display information. No data is sent from the headunit to the phone except user-input.
Processing and storage all remains local to the phone.
Try taking a screenshot on your phone when connected to CarPlay, you’ll soon realise that your phone is simply running in a dual-display configuration.
Thanks, that's quite interesting
EmailAddress said:
And not necessarily correct.
Some screens are a mirror. Some are their own integration percentage running off the back of your data.
I wouldn't be so quick to draw a line of distinction.
My car syncs. And has its own accounts. Though it needs the mobile as a 'key' for user access.
But the topic is about Android Auto and Apple Carplay. Neither of those systems use remote processing.
Syncing your phone to the car’s in-built infotainment system is different, and of course allows access to the data stored in your contacts application(s) and phone/messaging applications, but that isn’t what was asked, and isn’t a prerequisite for using AA/CarPlay.
paradigital said:
It kinda is though. Sure it’s a two-way interface over bluetooth/802.11/cable, but that two way stream is for input and display only. No application information is stored on or sent to the headunit, only display information. No data is sent from the headunit to the phone except user-input.
Processing and storage all remains local to the phone.
Try taking a screenshot on your phone when connected to CarPlay, you’ll soon realise that your phone is simply running in a dual-display configuration.
Good job you told the malware it was for input and display only.
paradigital said:
What malware, and how, exactly, does it get into the walled garden when you aren’t granting any permission besides input control?
The question of “what malware” is a separate issue; but how would the OP’s phone get hacked w/o malware?
And re: penetration - the same way all successful attacks manage it - exploits.
The likelihood of a successful attack from an otherwise unconnected peripheral like a random car head unit, with an updated phone as the victim, is very very low. But OP asked if it was possible and, well, it is.
Edited by fozzymandeus on Tuesday 3rd January 22:03
I was thinking about fairly 'regular' but notable people who would use such systems, such as politicians which would be a target just for general intel I imagine. I presume cabinet politicians etc probably have protocols in place / separate phones etc but we saw with Suella Braverman (who sent confidential documents to her personal email) that there is clearly opportunity there.
CoolHands said:
I was thinking about fairly 'regular' but notable people who would use such systems, such as politicians which would be a target just for general intel I imagine. I presume cabinet politicians etc probably have protocols in place / separate phones etc but we saw with Suella Braverman (who sent confidential documents to her personal email) that there is clearly opportunity there.
Yep, this is a feasible risk for such individuals.