As cybersecurity researchers detail a flaw that allowed them to unlock and start Honda and Nissan cars from anywhere in the world, border and immigration agencies are buying up tech to exploit weaknesses in vehicle security.
For anyone with a Honda or Nissan car, it was possible for a hacker with a laptop to unlock or start their vehicles, locate them and raid personal data stored inside, cybersecurity researchers warned on Wednesday. They could even honk the horn.
The hack highlighted a weakness in modern vehicles’ internet-connected systems, in particular those that track vehicle use and location, while hooking up to drivers’ cellphones and sucking in user data. They’re the same technologies that are regularly being exploited by federal law enforcement agencies, with immigration and border cops investing more than ever before in tools that extract masses of data — from passwords to location — from as many as 10,000 different car models.
The latest vulnerability was due to a now-fixed flaw in the cars’ shared telematics system — which records data like speed, and brake and door use — created by SiriusXM, according to researcher Sam Curry. The only data he needed to start the hack was a car’s identifying number, known as a VIN, easily retrievable from a windshield on many models. Using what the researcher called a “simple” computer program, Curry could take the VIN and send it to a SiriusXM server as a kind of fake identification, tricking it into believing he was the real car owner. The program would then ask SiriusXM to pull the personal data stored in the car, turn on the ignition or perform other functions.
References in the code indicated Honda’s Acura line and Nissan’s Infiniti models were also affected, Curry said. SiriusXM confirmed to Forbes the weakness had been addressed within 24 hours after Curry’s team alerted the company. Honda said it hadn’t seen any indication hackers had maliciously exploited the vulnerability. (Nissan hadn’t provided comment at the time of publication.)
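The weakness described above, where a VIN alone served as identification, contrasted with a handler that authenticates the caller and checks enrollment, as an added example (not SiriusXM's code or API). The handler names, request fields, accounts and VINs are constructed for illustration.

```python
import secrets

# Constructed sample data (not real VINs or accounts): account -> enrolled vehicles.
OWNERSHIP = {"alice": {"TESTVIN0000000001"}, "bob": {"TESTVIN0000000002"}}
SESSIONS = {}   # session token -> authenticated account
AUDIT = []      # denied requests, kept for detection and alerting


def login(account):
    """Stand-in for real authentication; returns an unguessable session token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account
    return token


def handle_weak(request):
    """Flawed pattern: a known VIN is treated as proof of ownership."""
    vin = request["vin"]
    if any(vin in vins for vins in OWNERSHIP.values()):
        return {"status": 200, "vin": vin, "action": request["action"]}
    return {"status": 404}


def handle_hardened(request):
    """Authenticate the caller, then check the caller is enrolled for this VIN."""
    account = SESSIONS.get(request.get("token") or "")
    if account is None:
        AUDIT.append(("unauthenticated", request.get("vin")))
        return {"status": 401}
    if request.get("vin") not in OWNERSHIP.get(account, set()):
        AUDIT.append(("not_owner", account, request.get("vin")))
        return {"status": 403}
    return {"status": 200, "vin": request["vin"], "action": request["action"]}


if __name__ == "__main__":
    bobs_car = {"vin": "TESTVIN0000000002", "action": "unlock"}
    print(handle_weak(bobs_car))                          # accepted with no credentials
    print(handle_hardened(bobs_car))                      # rejected: no session
    alice = login("alice")
    print(handle_hardened({**bobs_car, "token": alice}))  # rejected: not her vehicle
    print(AUDIT)
```

The audit entries for `not_owner` are the signal worth alerting on: an authenticated account repeatedly asking about vehicles it is not enrolled for.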
The research has not only highlighted how one digital vulnerability could have a physical effect on a huge number of cars, but also how much personal data can be retrieved from a vehicle. The ability to gather piles of evidence on a potential crime from an automobile — sometimes more than can be obtained from a smartphone and often less well secured — is something that immigration and border cops have increasingly latched onto in 2022. Court documents and government contracting records show the agencies tasked with monitoring the Mexican border have spent record sums on car hacking tools, while talking up the extraordinary amount of valuable evidence that can be reaped from on-board computers. Privacy advocates, meanwhile, are raising the alarm, calling modern cars “surveillance on wheels.”
In a recent search of a 2019 Dodge Charger near the Mexican border, a patrol agent wrote that infotainment systems — those that provide GPS, remote control and entertainment features — were especially useful to government investigators. They could provide information on a suspect’s location, email addresses, IP addresses and phone numbers, all “used to facilitate the transportation or movement of non-citizens without legal status into and throughout the United States.” It could even point to “the account user’s state of mind, including knowledge, motive, and voluntariness, regarding the offenses under investigation.”
An infotainment system could also reveal user passwords, the agent wrote, though didn’t provide detail on how. The same claim — again without explanation — was made in a warrant filed by the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) in Missouri in October, as they sought to gather information from a 2022 Ford F-150. Regardless of the lack of proof from the feds, the risk is real: Previous reports claimed Tesla infotainment systems stored Wi-Fi and Spotify passwords.
The ATF investigator did, however, detail how cars’ internal computers were “designed to store a vast amount of data” and it was “possible to recover a great deal of information off the phones that have been connected to the car without access to the phone itself.” They went on to outline the sheer number of car models that can be raided thanks to their use of digital technologies. “There are over 10,000 supported vehicles by BMW, Buick, Cadillac, Chevrolet, Chrysler, Dodge, Fiat, Ford, GMC, Hummer, Jeep, Lincoln, Maserati, Mercedes, Mercury, Pontiac, Ram, Saturn, Toyota and Volkswagen,” they wrote.
There’s plenty of public information that either hackers or police can obtain on cars of interest too. Cybersecurity researcher Curry told Forbes that, after seeing what could be done with just a VIN, it was “terrifying” that those identifying numbers were public. “We found so many different pieces of functionality across so many different car companies where having the VIN number allowed you to query things about the car,” he added.
To get the most usable data from seized automobiles, Customs and Border Protection and Immigration and Customs Enforcement have this year spent record sums on car forensics technologies made by the number one industry player, Maryland-based Berla. Its iVe tool can dig out data from vehicles for local and federal law enforcement, as well as military agencies.
According to government contract records, in August CBP spent over $380,000 on iVe, nearly eight times its previous single biggest purchase of $50,000 from 2020. ICE, which has been buying Berla’s tools and trainings since 2010, spent $500,000 on iVe in September, well over twice its previous record of $200,000. In a May 2022 contract, CBP specifically asked for “vehicle infotainment forensic extraction tools, licenses, and training” from Berla.
As cops dive into information pouring out of modern cars, privacy defenders are anxious. In October, the Surveillance Technology Oversight Project (S.T.O.P.) released a report warning, “Cars collect much more detailed data than our cellphones, but they receive fewer legal and technological protections.”
S.T.O.P. research director Eleni Manis told Forbes that CBP and ICE were “weaponizing car data.” (Neither CBP nor ICE had provided comment at the time of publication.)
“Berla devices position CBP and ICE to perform sweeping searches of passengers’ lives, with easy access to cars’ location history and most visited places and to passengers’ family and social contacts, their call logs, and even their social media feeds,” she said. “While we don’t know how many cars CBP and ICE have hacked, we do know that nearly every new car is vulnerable.”