[HN Gopher] Ask HN: can Wireless-CarPlay dongles steal your data?
___________________________________________________________________
Ask HN: can Wireless-CarPlay dongles steal your data?
So I recently ordered one of the many wireless CarPlay dongles from
AliExpress that work via USB in your car connecting your iPhone to
the car's CarPlay via Bluetooth (and/or Wifi) to the USB dongle.
The instruction manual mentioned a firmware upgrade which had an
interesting way of connecting to the internet. So when the dongle
is connected to a power source you can connect to it via Wifi and
an IP address in your browser. Now in the dongle's web UI, there is
a button to upgrade your firmware. But how does this work when the
dongle is not connected to the internet at all? Well as I learned,
the dongle simply uses the iPhone's mobile connection to
send/receive data from the internet. I wasn't aware this is even
possible and there doesn't appear to be a way to stop this or be
notified of an active connection (aside from the wifi connection
obv). Now my concern is: when the dongle is connected to the
iPhone in the car, is there a way for the dongle to use the same
mechanism and send CarPlay data (messages, contacts, etc) to a
remote server using the iPhone's mobile connection?
Author : concerned_citi
Score : 14 points
Date : 2025-03-25 12:20 UTC (3 days ago)
| stop50 wrote:
| If the dongle has enough space to store the data until the
| upload: yes.
|
| This is nothing new. Some websites split the content between
| HTML, JavaScript and API access. To limit the requests coming
| from websites there is CORS, an allowlist of the API. But this
| requires that a webpage is open to the dongle and you don't run
| into CORS problems.
| packtreefly wrote:
| If the dongle acts as a wifi AP with a DHCP server, it could give
| the iPhone an IP address but no gateway upon connection. This
| will cause the iPhone to talk directly to the dongle via the WiFi
| interface, but talk to the rest of the internet via the cellular
| connection.
|
| You can determine this by checking the WiFi network's properties
| after the connection is established. If there's no value in the
| "Router" field, that's how it works.
|
| Once you load the firmware update page, JavaScript on the page
| instructs the browser to fetch the firmware payload from a server
| on the public Internet, then relays that data to the dongle's web
| server to execute the firmware update process.
|
| As the other reply mentioned, this can be tricky, as CORS likes
| to prevent this kind of data transfer for security reasons; the
| right configuration on the web server will make it work.
|
| It's a fairly clever setup.
|
| If you want a low-tech way of confirming this design, try running
| the firmware update with a device that doesn't have two network
| connections, like a laptop, instead of a cell phone. If it
| doesn't work from such a device, the scenario I described above
| is probably how it works.
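The empty "Router" field that packtreefly describes can also be checked on a captured DHCP reply, for example when repeating the test from a laptop. This is an added example, not part of the thread or any vendor's code; the function names are illustrative and the two sample packets and their addresses are constructed.

```python
"""Check whether a DHCP reply offers a default gateway (option 3, Router)."""
DHCP_MAGIC = b"\x63\x82\x53\x63"          # marks the start of the options field
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_END = 0, 3, 6, 255

def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option code: raw value} from the UDP payload of a DHCP message."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        code = payload[i]
        if code == OPT_PAD:                # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value   # repeated options concatenate (RFC 3396)
        i += 2 + length
    return opts

def ipv4_list(raw: bytes) -> list:
    """Split a run of 4-byte addresses into dotted-quad strings."""
    return [".".join(map(str, raw[i:i + 4])) for i in range(0, len(raw) - 3, 4)]

def describe_lease(payload: bytes) -> dict:
    opts = parse_dhcp_options(payload)
    routers = ipv4_list(opts.get(OPT_ROUTER, b""))
    return {"address": ".".join(map(str, payload[16:20])),   # yiaddr field
            "routers": routers,
            "dns": ipv4_list(opts.get(OPT_DNS, b"")),
            "offers_default_route": bool(routers)}

def build_ack(yiaddr, options) -> bytes:
    """Build a minimal constructed DHCPACK for the samples below."""
    header = bytearray(236)
    header[0] = 2                          # op = BOOTREPLY
    header[16:20] = bytes(yiaddr)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return bytes(header) + DHCP_MAGIC + body + bytes([OPT_END])

# Constructed samples: an AP that hands out no gateway vs. an ordinary router.
MASK = (1, bytes([255, 255, 255, 0]))
NO_GATEWAY_ACK = build_ack((192, 168, 50, 2), [(53, b"\x05"), MASK])
NORMAL_ACK = build_ack((192, 168, 1, 23), [(53, b"\x05"), MASK,
                       (3, bytes([192, 168, 1, 1])), (6, bytes([192, 168, 1, 1]))])
```

`describe_lease(NO_GATEWAY_ACK)` reports an address but no router, which is the lease shape that leaves a client without a default route on that interface.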
| joshstrange wrote:
| This is almost certainly the answer and clever as hell. You
| just have to make sure the server storing the firmware (which
| you control) has the right CORS headers (as you mention) and
| you are in business.
|
| This means that the CarPlay device has no "internet" (spoiler:
| it never had real internet access) unless you are on that page
| interacting with it.
|
| I'm not sure how these devices work, I mean I know they
| broadcast themselves as a CarPlay head unit then "somehow" pass
| that to the car via a wired connection (pretending to be a
| phone connecting via USB). "somehow" being the important part.
| Does it hand along an encrypted stream that it can't decode or
| does it decode/re-encode?
|
| Either way I'd bet these devices are pretty safe to use. The
| phone sends a video feed, not raw "data" so the MitM (again, if
| that's how it works) would need to OCR the video to get
| anything useful since the raw video would be too large to store
| and too heavy to transfer over cellular (via its own hidden
| radio, again, worst-case-scenario).
|
| If the device decodes the stream in the middle then the worst
| case I can think of is it could be doing on-device OCR and
| cellular radio to exfiltrate the text but I feel confident that
| you could spot the cellular radio (or someone who did a
| teardown). Without the radio it has no way to get data off the
| device which means the best it could do is sneak some out while
| you were on that update screen. Though I think that's all
| pretty far-fetched.
| runjake wrote:
| I can think of several ways to exfiltrate data, even with the
| limited information you provided, so, yes.
|
| But is it happening? Who knows. Maybe it doesn't now, but a
| future firmware update will. Who knows. Given your wise threat
| model, I'd avoid buying stuff from AliExpress.
| ddtaylor wrote:
| What makes you think "American" products aren't just rebranded
| AliExpress products essentially?
| fragmede wrote:
| Is it any better if it's Sony or Audi that has my data?
| car wrote:
| CarPlay sends an H264/5 video from the iPhone to the head unit,
| and receives touchscreen, knob, etc. input in the other direction
| (afaik). I'm not sure if the video is encrypted, but it seems
| rather unlikely that the dongle could exfiltrate such an amount
| of data undetected.
___________________________________________________________________
(page generated 2025-03-28 23:00 UTC)