I got a new company car. W00t! After the basic welcome-tour of the different options, I went deeper and reviewed the on-board computer configuration options. Today, modern cars integrate multimedia interfaces to manage information from several sources:
- GPS coordinates (past as well as present)
- Phone books synchronized from phones over Bluetooth/IR or cable
- Address books also synchronized from phones or manually configured in the GPS (Your home, your office, …)
- Audio data (your favorite music types or pod-casts may reveal interesting stuff about your personality or activities)
Unauthorized access to those data can definitively break your privacy. There are different types of threats. The software developed by the car manufacturers can be buggy (Do you remember the story of the Nissan LEAF?). It’s difficult to protect yourself against this. Patches or updates must be provided by the manufacturers and (often) installed by car dealers or official repair centers. Another thread is an unprotected access to your private data: They can be access by engineers during maintenance or your car may be stolen. What about a replacement of the multimedia system with a brand now one? Such devices have more and more built-in storage based on hard-drivers or memory flash. Do they have a procedure to wipe them properly? The problem is the same with old drives still containing data and sold on eBay. The car can also be sold… with interesting content! In high-level cars, it’s not uncommon to have an on-board Internet access via 3G. Your multimedia system becomes a real browser with… cookies, history, credentials. Lot of fun!
In my car, all this information is centrally managed via a MMI or “Multi Media Interface“. While browsing the options, I found this interesting one: “Data Encryption”.
This option allows you to define a master password to encrypt your personal data stored in the system. Of course, I activated this option. It remains basis, you just have to enter a password. Good point, there is no limitation on the length and allowed characters:
Until now, the system never asked me my password again, even if I power-cycle the MMI. I suppose it prompts for the password after the system has been completely disconnected from its power source? I searched for technical information about this feature (which algorithm is used, how is stored the key) but I did not find anything relevant. If you’ve more details, please share.
Also, it looks that most Audi ECU (“Engine Control Unit“) also implement encryption via a 1024-bits RSA key. This is know as an “anti-tuning” feature which prevents unauthorized modifications of the engine parameters.
Conclusion: Like mobile phones, cars are also computers and may contain sensitive data!