A sketchy looking person walked up to my car the other day while I was parking and asked if he could charge his cell phone in my car and offered to pay me $5. I didn't allow him to charge his phone in my car of course, but it made me wonder if there was anything he could have done (other than charge his phone) if I had connected his phone to my car's USB port. Anyone know if this is a scam of some sort?
-
I'd just offer him one of my frighteningly large number of battery cells! – etherealflux Apr 09 '16 at 02:28
-
What car is this? – George Apr 09 '16 at 02:54
-
Could you not have done it for free via the lighter port, with the phone switched off? – Pranab Apr 09 '16 at 02:57
-
This sounds like the setup for hijacking the car. As @Pranab suggests, the lighter port would have been the best option. Keeping the window only half open and the doors locked while you charged it would be the obvious precautions. – Burgi Apr 09 '16 at 14:23
-
Seems more likely he was just trying to steal your car through less advanced means. – djechlin Apr 09 '16 at 18:55
-
I'm thinking social engineering more than technical engineering – user1886419 Apr 09 '16 at 19:10
-
If the person were going to perform an electronic or "cyber" attack on your car, he would probably be savvy enough to avoid a too shady appearance (at this point in time). So other scenarios (including the honest case of really needing the charge) are far more likely. – hyde Apr 10 '16 at 07:14
-
or MAYBE he just wanted to charge his phone? – gopi1410 Apr 12 '16 at 07:14
-
I'm a sketchy looking person and sometimes I just really need to charge my phone. I bought a power bank recently because it's really not easy. – Tomáš Zato - Reinstate Monica Apr 15 '16 at 09:40
4 Answers
Since I don't know your car model, but you seem to be concerned about information security and the possible attacker chose your car, I make the assumption that the USB port in your car is not power-only.
The telephone could do anything on this USB port because every USB device can identify itself as any device (storage, keyboard, network, display, ...). Have a search for BadUSB.
The most critical attack vector is the bus system in your car. CAN is the best known protocol but there are others which are based on it like UDS (which is still weak from a security perspective). You can imagine it as a network in your car where all components can communicate with each other with more or less restrictions.
Here are some possible scenarios:
1. The USB port could be dual used as a maintenance port which could allow full access to the car bus system.
2. The car media system could have a vulnerability which could allow privilege escalation to the bus system. (By design the media system should be isolated from the critical components on the bus, but in practice all vendors fail to do so.)
3. If your car supports some kind of wireless features for unlocking and starting, this could be a part of some exploitation technique.
4. The car could be used as a bridge between the attacker device and your phone (if it's paired somehow with your car via Bluetooth or WiFi) for some kind of attack against your phone.
5. The car media system could be infected with some kind of malware targeting your smartphone or other connected devices.
6. Malware which targets your car directly (like ransomware, for example) would also be possible, but I really really hope that this industry is not at this point yet.
7. Just to have a sneak peek for some details or to distract you for some reason.
Just to name a few. However, this is a very interesting question and attack scenario. Maybe I would have given this person $100 just to know their real intent in exchange for not calling the cops immediately.
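The answer names the CAN bus and UDS as the critical path once something untrusted reaches it. As an added example (not code from the answer or from any vendor), here is a small defender-side script that reads candump-style CAN log lines and flags UDS requests that change ECU state (session change, security access, writes, resets). The log lines, the interface name and the timestamps are constructed; the CAN IDs and service numbers follow the OBD-II/ISO 14229 conventions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed candump -L style lines (assumption: not taken from the post).
# 0x0C4 is ordinary traffic; 0x7DF is the functional tester request ID and
# 0x7E0-0x7E7 are the physical request IDs of individual ECUs.
SAMPLE_LOG = """\
(1460160000.001) can0 0C4#2A000000000000FF
(1460160000.004) can0 7DF#0201000000000000
(1460160000.010) can0 7E0#0210030000000000
(1460160000.015) can0 7E0#0227010000000000
(1460160000.021) can0 7E0#042EF19041
"""

LINE_RE = re.compile(r"^\((?P<ts>[\d.]+)\)\s+(?P<iface>\S+)\s+"
                     r"(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)$")

# UDS request services that alter ECU state. A session-control request for
# anything but the default session (sub-function 0x01) is the usual first
# step of a diagnostic write, so it is flagged as well.
STATE_CHANGING = {0x10: "DiagnosticSessionControl", 0x11: "ECUReset",
                  0x27: "SecurityAccess", 0x2E: "WriteDataByIdentifier",
                  0x31: "RoutineControl", 0x34: "RequestDownload"}

def is_diag_request_id(can_id: int) -> bool:
    return can_id == 0x7DF or 0x7E0 <= can_id <= 0x7E7

def parse_line(line: str) -> Optional[Dict]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": float(m["ts"]), "iface": m["iface"],
            "id": int(m["id"], 16), "data": bytes.fromhex(m["data"])}

def uds_service(data: bytes) -> Optional[Tuple[int, Optional[int]]]:
    """(service id, sub-function) from the ISO-TP PCI byte, else None."""
    if not data:
        return None
    pci = data[0] >> 4
    if pci == 0 and len(data) >= 2:   # single frame: length nibble, SID, ...
        return data[1], (data[2] if len(data) > 2 else None)
    if pci == 1 and len(data) >= 3:   # first frame of a multi-frame message
        return data[2], (data[3] if len(data) > 3 else None)
    return None                       # consecutive / flow-control frames

def find_state_changing_requests(log: str) -> List[Dict]:
    hits = []
    for line in log.splitlines():
        frame = parse_line(line)
        if frame is None or not is_diag_request_id(frame["id"]):
            continue
        svc = uds_service(frame["data"])
        if svc is None or svc[0] not in STATE_CHANGING:
            continue
        sid, sub = svc
        if sid == 0x10 and sub == 0x01:   # default session is benign
            continue
        hits.append({"ts": frame["ts"], "id": frame["id"], "sid": sid,
                     "name": STATE_CHANGING[sid], "sub": sub})
    return hits
```

On a real vehicle, such requests appearing outside a dealership session are worth a closer look; on the constructed log the script flags the extended-session, SecurityAccess and WriteDataByIdentifier frames and ignores the OBD-II mode 01 query and the non-diagnostic traffic.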
-
This is a better answer. I should've gone into it some more, but I definitely agree that this answer is much better than mine. – Mark Buffalo Apr 09 '16 at 00:17
-
Can you explain what a CAN bus is and how it relates to the risks? – Brent Kirkpatrick Apr 09 '16 at 02:00
-
#8: Good old USB-killer. -220V down the data lines can't do anything good to your car. – John Dvorak Apr 09 '16 at 07:31
-
Option 7 is absolutely my first guess - distracting you in order to commit theft is simple and common. – Rory Alsop Apr 09 '16 at 08:33
-
What if the USB port was power-only, connected to the cigarette lighter adapter? Is there any infosec danger there? (I say infosec danger to exclude burning up the circuitry etc.) – user541686 Apr 09 '16 at 09:49
-
@RoryAlsop Probably yes but where's the fun for us infosec folks? :P Furthermore it's likely that other attacks will become more feasible in the future. – Noir Apr 09 '16 at 11:08
-
"Maybe I would have given this person $100 just to know their real indent" -- hmm, so I can make $100 off you if I can invent some shady-sounding request that could be a scam of some sort or could be innocent, with enough uncertainty to get you interested? Sounds like a good gig ;-) – Steve Jessop Apr 09 '16 at 13:42
-
Why doesn't someone make a little USB-to-USB plug that passes the power lines only, and breaks the connection between data, for charging only out of a regular port? – BenjiWiebe Apr 09 '16 at 20:23
-
Oh, the point at which we have ransomware for cars will be terrifying... – Numeri Apr 09 '16 at 23:47
-
@SteveJessop: Well, yes, but then you have to come up with an explanation that sounds at least mildly plausible. – Kevin Apr 09 '16 at 23:58
-
@Kevin: well, the $100 is for my true intention, so I was planning to tell the truth, "I invented this dodgy-looking operation in order to earn $100 in return for amusing and informing you with my shenanigans". Granted, I'd need a better explanation than that if I wanted to earn another $100 from Noir for another weird request the next day. To be fair to Noir, paying people for inventing attack scenarios of genuine interest is *not* at all a bad idea, I just think this is a generous rate for potentially very low-quality work! – Steve Jessop Apr 10 '16 at 00:56
-
@BenjiWiebe: indeed. For those expecting to be in courtney's position, and who *don't* think the sketchy-looking person is hoping to mug them while distracted, they're often called "USB condoms". Or you can just disconnect some of the pins on a USB extension cable. But I don't carry one around, because the opportunity to charge some untrusted stranger's phone from my USB data ports isn't worth enough to me to justify the effort. – Steve Jessop Apr 10 '16 at 01:04
-
@SteveJessop: I'm actually carrying this condom most of the time since I don't know when I have the urge to plug my thing somewhere I don't totally trust. – Noir Apr 10 '16 at 15:07
-
Personal safety issues on the last paragraph. Don't deal with the devil. Don't pet the shark. Don't offer $100 or ever threaten to call the cops. If you are going to take legal action, never threaten to do so, just call the cops or file the lawsuit discreetly. You never know if the crook will jump the gun (quite literally) or take action and harm you. – Mindwin Apr 11 '16 at 12:58
-
Some USB battery packs made for charging phones cost less than $10, and are a handy thing to own anyway. – Jeanne Pindar Apr 15 '16 at 00:32
-
@Numeri: Indeed. Just imagine going 60 mph on the highway and your car is like `###Please pay 1000$ to re-enable braking system###`. – fgysin Apr 26 '16 at 08:37
Without being able to research vehicle vulnerabilities, we can't really tell you. It's definitely possible there was some sort of autoplay exploit in your vehicle's USB handling.
We'd need to know your specific model, and then we'd have to go and buy/test the vehicle. After which we'd need to run a lot of tests. However, given that security is an afterthought to most developers, I would say it's definitely possible.
Bottom line, I would not let people do this.
-
You'd also need to know the software revision it runs. Even my model year 2006 car doesn't have any of these fancy features (USB ports? *Really?*) but it still gets software updates on occasion. – user Apr 09 '16 at 18:42
-
@MichaelKjörling which car is that? A *car* from 2006 still getting software updates is (unfortunately) quite surprising. – André Borie Apr 10 '16 at 22:47
-
My 1996 car is lucky to get an oil change. The computer seems to be working just fine. I run my simple MP3 player through a cassette slot interface. – Apr 11 '16 at 01:50
-
@AndréBorie It's a Volvo V70 2006. I'm pretty sure it got a software update when I serviced it in summer 2014 (but I'll readily admit I didn't actually look at the paperwork before I posted my previous comment), it got no software update in summer 2015, and it hasn't yet received its 2016 service. (Yes, [I'm crazy enough to spend money to service complex machinery regularly](http://mechanics.stackexchange.com/q/26067/7356).) – user Apr 11 '16 at 06:13
Attacks through USB and other car interfaces such as the stereo are known risks in modern cars. There is research that has shown cars can be compromised via various inputs, including the entertainment systems.
Consider the following from this article from IT World:
They found lots of ways to break in. In fact, attacks over Bluetooth, the cellular network, malicious music files and via the diagnostic tools used in dealerships were all possible, if difficult to pull off, Savage said. "The easiest way remains what we did in our first paper: Plug into the car and do it," he said.
For more in-depth reading, this paper (linked from the previous article) describes some of the research surrounding "unintended acceleration." Some of the examples included being able to do things like turning off brakes, turning off the engine, falsifying speedometer readings, and locking the doors.
All that being said, I highly doubt they wanted to hack your car. More likely, they wanted to rob you, or snag whatever was easy to grab off the dashboard/seat, or maybe even try to steal the car itself.
-
To be fair, I suspect that they really just wanted to charge their mobile phone. Most people are not criminals. – emory Apr 09 '16 at 15:48
-
@emory But seriously, what would be the good-faith scenario? The guy leaves his phone in my car, where it gets charged, while I am away possibly for several hours. How is he to get his phone back? He has to wait next to my car to catch me during the thirty seconds it takes me to come back and drive away. - What's worse: He has NO PHONE for several HOURS possibly – Hagen von Eitzen Apr 09 '16 at 15:52
-
@HagenvonEitzen A good faith scenario is that he needs just enough charge to make a call to SO to pick him up. Another good faith scenario is that he has panicked b/c his mobile phone battery died and he has not really thought of the practical concerns you bring up. Saying that he is probably acting in good faith is not encouraging OP to agree to the offer. If there is even a 0.1% chance that it is a scam, $5 is not worth it. – emory Apr 09 '16 at 16:48
-
@emory: classic case of an X-Y problem. That first good faith but sketchy-looking person should have offered the questioner the $5 to call his SO for him ;-) – Steve Jessop Apr 10 '16 at 01:12
-
@Steve Don't know how common this is, but I don't remember my SO's number or anyone's number for that matter. If my phone dies, I can either charge it, or use another computer to access Google Contacts. I might have their business card in my wallet, or I might not. Unless one has a fairly expensive car which stands out, a good-faith explanation seems likely. – Pranab Apr 10 '16 at 06:07
-
You *should* memorize at least the numbers of your SO and bail bondsman. – JDługosz Apr 10 '16 at 08:09
-
This is starting to sound like the plot to one of the Batman movies. Didn't the Joker or someone hack into and take control of the Batmobile in this manner at some point? Lock the doors, and remote-control it to run over old ladies with shopping carts and the like? – Darrel Hoffman Apr 10 '16 at 19:40
-
@DarrelHoffman Wait until the first self-driving car delivers the first pizza, the first mocha, the first bomb. It is coming. I have no doubt of that. – Booga Roo Apr 11 '16 at 00:18
-
It depends on what type of USB port you have. If you have a power-only USB port (i.e. in your cigarette lighter adapter), then there is nothing that can be done to attack the vehicle. On the other hand, if your USB port is a data port for some device, then the vulnerabilities could be quite extensive. In assessing risks, consider what the device with the USB data is capable of. For example, if you just have a stereo system with a USB data port, then only the stereo system is vulnerable. However, if your data port allows you to connect devices to a computer that operates any safety systems for the car, then the risks are quite extensive. The exact vulnerabilities which might lead to these risks becoming active will depend on the computer manufacturer's and car maker's policies, including update policies, OS vulnerabilities, and so on.
It is wise to be cautious about connecting a strange device to a USB data port that interfaces with your car's main computer.
-
Note that in modern cars the OEM stereo can be quite integrated into the car's computer systems. – Peter Green Apr 09 '16 at 01:50
-
Thanks. I assume that an after market stereo might not be so integrated into the car's computer system. – Brent Kirkpatrick Apr 09 '16 at 01:59
-
"if you have a power-only USB port, then there is nothing that can be done to attack the vehicle" - overvoltage? – John Dvorak Apr 09 '16 at 07:33
-
@JanDvorak to be honest the worst that could happen is blowing up the charging adapter. I doubt there's enough power in something as small as a phone to actually overpower the car's battery and deliver -12V over the lighter port. – André Borie Apr 09 '16 at 12:55
-
@JanDvorak You mean the cell phone sending too much power back into the car's USB charge port? Does that happen often? Just about everything on a car should be fused, excess current would blow it, but I'm not sure about excess voltage, probably as Andre suggests a cell phone battery is too small compared to a car battery? – Xen2050 Apr 09 '16 at 13:23
-
@JanDvorak: for that matter if we're considering physical damage as well as information security, then at the extreme the handset itself could be packed with high explosive, and the request to charge it either is just a ruse to get it inside the vehicle, or else powering it detonates it. – Steve Jessop Apr 09 '16 at 13:45
-
@SteveJessop That's pretty elaborate just to damage a car, and the victim gets a clear look at & conversation with the criminal. A rock thrown from across the street would be a better "damage" plan ;-) – Xen2050 Apr 09 '16 at 15:05
-
@SteveJessop the mobile could be a targeting beacon for a missile. But then why does it have to be in the car. Couldn't he have slid it under the car while OP was not looking. Since it has to be in the car, it might be a precision missile that can take out the driver without touching the passenger (or vice-versa). – emory Apr 09 '16 at 16:50
-
**It is probably a device to cause lots of otherwise very intelligent people to waste a lot of their time on speculation and argument rather than getting anything useful done, thereby bringing down the economy.** But that is just pure speculation on my part. When I was a child and I would ask my older brother "what's that?" he would reply: **"It is to make people like you ask dumb questions."** So, this is really an old exploit, and we should have known better all along. (If you had an older brother.) – Apr 11 '16 at 01:44