Hacked Car Infotainment System Reveals Personal User Data

Security researchers recently discovered a vulnerability in the infotainment unit of a Japanese-manufactured car that could be exploited to expose personal data including text messages, contacts, call histories, and emails. In addition to sensitive personal information, the infotainment system also contained GPS coordinates, including a list of locations marked as “favorites” by the driver, user voice profiles, and vehicle status information. The vulnerability exists after a user synchronizes a mobile device with the car’s infotainment system via Bluetooth. Once connected, data transferred from the mobile device to the vehicle is stored unencrypted and in plain text and can reside there indefinitely. Researchers hacked into the infotainment unit by connecting a USB device and executing code that detected and extracted files with full administrative privileges. Although a firmware update has been issued to block the USB exploit, this exposure highlights a potential security risk for similar vehicle infotainment systems. The NJCCIC is not aware of any malicious attacks currently exploiting this vulnerability; however, we recommend owners and operators of potentially affected vehicles consider this risk before storing any personal or sensitive data on their in-vehicle infotainment systems. We also recommend never connecting personal mobile devices to rented or borrowed vehicles as that data could later be accessed by unauthorized parties.