[Cryptography] Identity Theft: Evil car wash attack; evil valet parker attack

[Henry Baker]

Everyone has focused on preventing access to our cellphones, but we give our cars access to our cellphones all the time.  And the car's GPS unit conveniently provides additional important information.

The information in your car is far easier to attack than the information in your phone.  Every car wash (except the ones where you drive through yourself and those big rollers scratch the heck out of your paint job) provides employees more than enough access and time to download all the information from your car's computer.  Ditto for every valet parker.

Your car repair person could also be supplementing his/her income by selling data extracted from customer cars.

It is likely that every car is different, but the following information seems to be available in your car's computer even when your cellphone is out of Bluetooth range:

* all of your personal GPS waypoint locations, including "Home", "Office", "Physician", "Cancer Center", etc.
* perhaps some number of miles (perhaps hundreds) of logged GPS tracking data
* your entire contact list from your cellphone
* your entire call log history
* your entire text message history
* perhaps all of your phone's mp3 playlists
* your cellphone's Bluetooth MAC address (for later attacks on bad Android Bluetooth implementations)

BTW, if you *ever* allow your phone to talk to a rental car's Bluetooth, you deserve the Debbie Wasserman Schultz award for Cyber Security, and be forced to wear a "Kick Me" sign written in Cyrillic.

My car has both an SD card slot, a USB port, as well as the ubiquitous OBD-II (CAN) connector.  All of these data can be written to one or the other of the SD card or a USB stick.  It only takes a few seconds to dump almost everything (the "Easter Egg" modes of the car computer provide a fairly complete dump everything command).

I've been trying to learn how to delete various kinds of information from my car's computer, but it appears to be quite difficult: I may have to do a "factory/hard reset" to eliminate most info, but I know it's all still there on the car computer's hard drive.

There does appear to be a way to dump the user parameters of the car computer onto an SD card for backup purposes; one can apparently reload these data from the same SD card.

Perhaps a sequence of *dump user parameters*; *factory reset*; *reload user parameters* may do the job -- possibly with a mildly hacked version of the user parameters to be reloaded.

----
BTW, we're not even talking about "firmware upgrades" which could easily install spyware to log all of the audio in your car -- not just the audio from the phone calls -- and store it all on your car computer's more-than-capacious hard drive.  Hook up your Bluetooth phone, and suddenly all these data can be accessed from anywhere in the world.

----
The funniest, most ironic thing about my car computer: due to concerns about copyrighted material being abused, it's nearly impossible to retrieve *music* from the car computer.  So Hollywood's data is clearly more important than my own (the actual customer's) data.