Ask HN: can Wireless-CarPlay dongles steal your data?

46 points by concerned_citi 9 days ago

35 comments

View on Hacker News

So I recently ordered one of the many wireless Carplay dongles from Aliexpress that work via USB in your car connecting your iPhone to the car's Carplay via Bluetooth (and/or Wifi) to the USB dongle.

The instruction manual mentioned a firmware upgrade which had an interesting way of connecting to the internet. So when the dongle is connected to a power source you can connect to it via Wifi and an IP address in your browser. Now in the dongle's web UI, there is a button to upgrade your firmware. But how does this work when the dongle is not connected to the internet at all?

Well as I learned, the dongle simply uses the iPhone's mobile connection to send/receive data from the internet. I wasn't aware this is even possible and there doesn't appear to be a way to stop this or be notified of an active connection (aside from the wifi connection obv).

Now my concern is: when the dongle is connected to the iPhone in the car, is there a way for the dongle to use the same mechanism and send Carplay data (messages, contacts, etc) to a remote server using the iPhone's mobile connection?

packtreefly 8 days ago

If the dongle acts as a wifi AP with a DHCP server, it could give the iPhone an ip address but no gateway upon connection. This will cause the iPhone to talk directly to the dongle via the WiFi interface, but talk to the rest of the internet via the cellular connection.

You can determine this by checking the WiFi network's properties after the connection is established. If there's no value in the "Router" field, that's how it works.

Once you load the firmware update page, JavaScript on the page instructs the browser to fetch the firmware payload from a server on the public Internet, then relays that data to the dongle's web server to execute the firmware update process.

As the other reply mentioned, this can be tricky, as CORS likes to prevent this kind of data transfer for security reasons, the right configuration on the web server will make it work.

It's a fairly clever setup.

If you want a low-tech way of confirming this design, try running the firmware update with a device that doesn't have two network connections, like a laptop, instead of a cell phone. If it doesn't work from such a device, the scenario I described above is probably how it works.

Reply View 5 replies
  • joshstrange 6 days ago

    This is almost certainly the answer and clever as hell. You just have to make sure the server storing the firmware (which you control) has the right CORS headers (as you mention) and you are in business.

    This means that the CarPlay device has no "internet" (spoiler: it never had real internet access) unless you are on that page interacting with it.

    I'm not sure how these devices work, I mean I know they broadcast themselves as a CarPlay head unit then "somehow" pass that to the car via a wired connection (pretending to be a phone connecting via USB). "somehow" being the important part. Does it hand along an encrypted stream that it can't decode or does it decode/re-encode?

    Either way I'd bet these devices are pretty safe to use. The phone sends a video feed, not raw "data" so the MitM (again, if that's how it works) would need to OCR the video to get anything useful since the raw video would be too large to store and too heavy to transfer over cellular (via it's own hidden radio, again, worst-case-scenario).

    If the device decodes the stream in the middle then the worst case I can think of is it could be doing on-device OCR and cellular radio to exfiltrate the text but I feel confident that you could spot the cellular radio (or someone who did a teardown). Without the radio it has no way to get data off the device which means the best it could do it sneak some out while you were on that update screen. Though I think that's all pretty far-fetched.

    EDIT: I went looking for some way to act as a CarPlay receiver and get the raw video feed and it looks like it's possible [0] so yeah, a malicious device could proxy the connect, OCR the result, and send data via its own cellular connection but that would be relatively easy to detect and not worth it unless you are the target of a nation state which, at that point, you have bigger problems.

    [0] https://github.com/harrylepotter/carplay-receiver

    Reply View 3 replies
    • niteshade 6 days ago

      > Does it hand along an encrypted stream that it can't decode or does it decode/re-encode?

      It definitely does decode/re-encode audio streams, as music playback quality suffers quite a bit (both latency and quality).

      Reply View 0 replies
    • [removed] 6 days ago
      [deleted]
      Reply View 0 replies
    • olyjohn 6 days ago

      If you want to capture what's going on, you don't need 120fps video. Take a low-res snapshot every 5-10 minutes and send it off. It doesn't need OCR or anything fancy. That's still a ton of information, with very little bandwidth.

      Reply View 0 replies
  • [removed] 6 days ago
    [deleted]
    Reply View 0 replies
niteshade 6 days ago

Something that might be useful to know with these devices is that they're quite liable to bricking during updates.

If you do install an update, make sure you reopen its' web portal and confirm the version number is different to what it was before. If it hasn't changed from before, you'll have to wait a while as its still flushing bytes to its flash memory, and if you accidentally trigger an update again here, you'll be left with a brick (speaking from experience).

Depending on the device you bought, you might also be able to flash custom firmware on it: https://github.com/ludwig-v/wireless-carplay-dongle-reverse-...

Reply View 0 replies
car 6 days ago

CarPlay sends a H264/5 video stream from the iPhone to the car's head unit, and receives touchscreen, knob, etc. input in the other direction (afaik). I'm not sure if the video is encrypted, but it seem rather unlikely that the dongle could exfiltrate such an amount of data undetected.

Reply View 1 reply
hackernudes 6 days ago

I wondered about this exact scenario with my Android auto dongle.

I never could get the upgrade to work when connected to my phone. I did get it to work connecting my PC to the dongle (which acts as a wifi access point). My PC then loaded the firmware in a desktop browser window as I was connected to Ethernet and the dongle at the same time. I may have had to set some up routes manually.

They absolutely should not get Internet access through the phone. I really hope it doesn't work that way! I searched quite a bit but could not find a definitive answer.

Edit: I read the other replies and it makes sense. The browser on your phone can make a request over wifi and over cellular, so really the browser would do the fetching over the internet, not the device.

Reply View 0 replies
runjake 6 days ago

I can think of several ways to exfiltrate data, even with the limited information you provided, so, yes.

But is it happening? Who knows. Maybe it doesn't now, but a future firmware update will. Who knows. Given your wise threat model, I'd avoid buying stuff from AliExpress.

Reply View 5 replies
  • ddtaylor 6 days ago

    What makes you think "American" products aren't just rebranded AliExpress products essentially?

    Reply View 1 reply
    • runjake 6 days ago

      Nothing. I didn't mention anything about American products. I only said it was wise, given OP's security posture, not to buy electronics off of AliExpress, which is specifically what they were asking about.

      Reply View 0 replies
  • fragmede 6 days ago

    Is it any better if it's Sony or Audi that has my data?

    Reply View 2 replies
    • mrobins 6 days ago

      No but I think it’s more likely the data is going back to the original manufacturer and the white labeler has no idea it’s happening.

      Despite assuredly rigid QC and security testing /s.

      Reply View 0 replies
kelnos 6 days ago

I kinda just don't get wireless CarPlay/Android Auto at all. If I'm going to connect my phone to my car wirelessly for that, it's gonna drain the battery. So I'm going to plug it in so it can charge. So... now it's wired, so why do I need wireless?

I guess if you have a wireless charging pad in your car, then that's a little bit more convenient. But the big inconvenience for me is just to have to take it out of my pocket in the first place, not to plug it into the car. (And my car does have wireless charging, but my phone rarely seems to sit on it stably enough for it to charge all that well.)

To get fully back on topic: sure, a wireless dongle could exfil data, but unclear what data is all that valuable. The car (and thus the dongle) just gets video and audio streams, not the actual textual content of your text messages, for example. Sure, it could try to OCR the video and/or do voice recognition on the audio, but those are fairly computationally expensive. And sending all that video to a remote server would be... a lot.

Reply View 10 replies
  • snapetom 6 days ago

    For Lightning at least, it was touchy as hell. It required a really good constant connection, or you'd constantly disconnect to the base car OS and reconnect to CarPlay. My wife and I had a handful of cables, even quality ones like Anker and Belkin, that were no longer good enough for CarPlay, but worked perfectly fine for regular charging.

    Reply View 0 replies
  • watermelon0 6 days ago

    I practically always use it wirelessly, because it's just so convenient to place it in the phone compartment, and not have to deal with the charging cable hanging around.

    I generally don't have any issues with charging, so phone either stays at the same battery level, or charges a bit (depending on how long I drive).

    The only downside is that phone heats up due to the usage of CarPlay as well as due to the wireless charging, which triggers heavy throttling of iOS, and I assume this is not ideal for the phone/battery as well.

    Reply View 0 replies
  • pritambarhate 6 days ago

    I have wireless CarPlay in my car and I don't care about plugging it in for short rides. It's convenient that I don't have to plug it in every time I am on a 20-30 min ride just to get directions. It's a very useful feature. Not a deal breaker but a very good nice to have.

    Reply View 0 replies
  • teo_zero 6 days ago

    > I kinda just don't get wireless CarPlay/Android Auto at all. If I'm going to connect my phone to my car wirelessly for that, it's gonna drain the battery. So I'm going to plug it in so it can charge. So... now it's wired, so why do I need wireless?

    For short trips. Like the two many of us do every single working day.

    Reply View 1 reply
    • kelnos 6 days ago

      "Short" is perhaps relative. I know many people with hour+ commutes; they'll be wanting to plug in, presumably.

      I guess I'm also just a low-key battery-life stresser. If I have the opportunity to plug in outside the home, with a charging cable readily in front of, me, I'm gonna do it... just in case.

      I dunno, I still don't get it. Wireless anything is always going to be significantly less reliable than wired, and I've heard enough stories of wireless CarPlay/AA flaking out (with dongles and built-in setups) to turn me off on it.

      Wireless is incredibly convenient when you don't have a wire and a port nearby, but that will essentially never be that case while you're in the car.

      Reply View 0 replies
  • smackeyacky 5 days ago

    For quick trips where you don’t want to screw with cables, or where you don’t want to override your passenger doing the connect. I like wireless for CarPlay eve though my phone isn’t hard plugged into the head unit bit is still charging from the car. So for me a cigar lighter power plug is still better for charging the phone even though I have CarPlay wireless active

    Reply View 0 replies
  • Fr0styMatt88 6 days ago

    I immediately thought of the magnetic charging as well before getting to your second paragraph.

    One other concern I’d have with wired charging in the car long-term is wear and tear on the USB port and the cable over time (also considering the cable is likely being left in a sometimes very hot car).

    Reply View 1 reply
    • kelnos 6 days ago

      I leave the cable always plugged in on the car side, so I'm not worried about that port failing. I'm just not that worried about the port on the phone, though.

      And if the cable dies, they're simple and cheap to replace.

      Reply View 0 replies
  • lttlrck 5 days ago

    Do you feel the same way about WiFi? The big hassle is getting the laptop out of the bag, not plugging in the Ethernet cable?

    Reply View 0 replies
panosv 6 days ago

Can someone recommend a dongle that actually works? I’ve tried a few and they are highly unreliable or stop working after a few months.

Reply View 2 replies
  • devilbunny 5 days ago

    I've used a Sunweyer dongle from Amazon. If you can't get the "new shopper" discount on Aliexpress, it's cheaper. Seems to work fine. Doesn't like pairing to multiple phones, and the phone doesn't like being plugged into one of the car's USB outlets (it drops the audio because AFAICT the phone thinks it's plugged into the car for audio, but the car is still expecting audio over the Bluetooth "CarPlay" connection), even if it's one of the outlets that's not supposed to do anything but power.

    I'd use it a little differently, but it's my wife's car, not mine. Who would have thought a 2022 Mercedes would have wired-only CarPlay?

    Anyway, I find it excellent for podcast control. If maps are off (in my case, because location services are turned off) it doesn't really use more power than plain Bluetooth audio, and when I approach my destination on a trip I'll turn on location and plug it in to juice up the last bit.

    Reply View 0 replies
  • cihad 6 days ago

    I have been using CarlinKit 5.0 from AliExpress for last 1 year. No issues so far.

    Reply View 0 replies
cj 6 days ago

Reply View 1 reply
  • Operyl 6 days ago

    I have to ask: why didn't you plug your phone in while stationary? That seemed entirely avoidable.

    Reply View 0 replies
stop50 9 days ago

If the dongle has enough space to store the data until the upload: yes.

This is nothing new. Some websites split the content between html, javascript and api access. To limit the requests coming from websites there is CORS, an allowlist of the API. But this requires that an webpage is open to the dongle and you don't run into cors problems.

Reply View 0 replies