Federal law enforcement agencies such as U.S. Customs and Border Protection (CBP) and U.S. Immigration and Customs Enforcement (ICE) have begun exploiting vulnerabilities in modern cars’ infotainment systems using specially created vehicle forensics technology to extract valuable data for investigations, including location, tracking and passwords.
Researcher Sam Curry recently explained to Forbes how certain vehicles are vulnerable to hacking. For instance, he said hackers could exploit a flaw in Honda and Nissan’s shared telematics system, which records data like speed, brakes and door use.
Using a simple computer program, Curry could send a vehicle’s identification number to the car’s SiriusXM system to trick it into believing he was the real car owner. The program then asked SiriusXM to offload the car’s stored personal data. The hacker could also operate the vehicle remotely by turning on the ignition, unlocking the doors and even honking the horn.
While SiriusXM corrected the flaw within 24 hours of it being reported, the example illustrates the lack of security in digital vehicle components, compared to personal computers or cellphones — even though they can also be gold mines of data, as law enforcement agencies already know. Indeed, Border Patrol and immigration officers are utilizing tools that can extract data from thousands of types of vehicles.
Court documents and government contracting records revealed that in 2022, agencies monitoring the Mexican border spent large sums of money on car hacking tools. In one instance, a patrol agent wrote that the infotainment systems (GPS, remote control and entertainment features) of a Dodge Charger near the Mexican border were useful for federal investigators, providing agents with location information, email addresses, IP addresses and phone numbers.
According to the agent, the information was used by traffickers “to facilitate the transportation or movement of noncitizens without legal status into and throughout the United States.”
One ATF source explained how cars’ internal computers are used as a proxy for an individual’s cellphone. The investigator said that the car’s systems are “designed to store a vast amount of data,” making it “possible to recover a great deal of information off the phones that have been connected to the car without access to the phone itself.”
“There are over 10,000 supported vehicles by BMW, Buick, Cadillac, Chevrolet, Chrysler, Dodge, Fiat, Ford, GMC, Hummer, Jeep, Lincoln, Maserati, Mercedes, Mercury, Pontiac, Ram, Saturn, Toyota and Volkswagen,” the ATF agent wrote.
Earlier this year, CBP and ICE purchased forensics technologies developed by Maryland-based tech company Berla. The company’s iVe tool allows military agencies and local and federal law enforcement to pull data from vehicles when searching for evidence. In a May 2022 contract, CBP requested “vehicle infotainment forensic extraction tools, licenses, and training.”
The large sums of money spent by agencies on such tools show just how important they are to law enforcement. According to government contract records, the CBP spent over $380,000 on iVe. In addition, ICE spent $500,000 on iVe in September, which was more than twice its record high for a single purchase.
As more information comes to light about the amount of detailed information that can be collected from cars, and the relatively few technological or legal protections offered to their owners, privacy advocates are worried. Research director Eleni Manis with the Surveillance Technology Oversight Project (S.T.O.P.) nonprofit told Forbes that CBP and ICE were “weaponizing car data.” But as the SiriusXM security flaw shows, it’s much more concerning that criminal hackers could exploit these avenues for more nefarious purposes.
“We found so many different pieces of functionality across so many different car companies where having the VIN number allowed you to query things about the car,” cybersecurity expert Curry said. Given this information, he noted that it’s “terrifying” those identifying numbers are public knowledge.