Digital Forensics prepares for the future with Android Auto and Apple CarPlay

In-car systems are like Loot Boxes filled with unexplored Artifacts

Haniah Shafi
Mac O’Clock
7 min read · Jan 20, 2020

It’s 2020 and Automakers cannot help but market In-Vehicle Infotainment System as one of the features of their smart cars. Recently, the buzz around Android Auto and Apple CarPlay creating distraction and serving as potential subjects of cyber-attack is alarming.

Infotainment System in Smart Cars (Photo by Pixabay from Pexels)

Android Auto and Apple CarPlay, along with the voice command (hands-free) feature, assist drivers by taking off the burden of browsing through long call lists to make a call and typing in a location to set up navigation, allowing them to focus on the road.

According to the AAA Foundation for Traffic Safety, drivers who take their eyes off the road for over two seconds double their risk of a crash. Moreover, distracted driving is responsible for 3.5k deaths and 390k injuries (Forbes 2018).

Their research on vehicles (2017 and 2018 models) also proved that on a rating scale for demand, both Android Auto and CarPlay generated an overall moderate demand in comparison to automaker’s native built-in systems that create a high level of demand which is equal to balancing a chequebook while driving.

On the Cybersecurity side, it’s interesting to find what artifacts are created and left behind that can serve as potential evidence in investigations.

News about hackers stealing a Tesla by cloning its key fob made the rounds over the internet last year (Wired 2019). As a result, Tesla is now offering a Model 3 along with a million dollars to anyone that can evade the multiple security layers in the Model 3 and pull off a complete compromise of the vehicle. The Tesla Model 3 is claimed to be one of the most secure vehicles on the market at the moment (Forbes 2020).

On one hand, manufacturers are battling to fulfil the growing demand for secure vehicles. On the other hand, Digital Forensics Examiners are working round the clock to catch bad guys involved in car thefts and misuse of stolen vehicles in crimes.

At the SANS DFIR Summit 2019, Sarah Edwards (Forensic Specialist, Parsons; SANS Instructor) and Heather Mahalik (Senior Director of Digital Intelligence, Cellebrite; SANS Instructor) spoke on the forensics of iOS CarPlay and Android Auto and the standard behaviour for connected devices.

Sarah looked into Forensics of iOS CarPlay and Heather looked into Forensics of Android Auto for testing. They also looked into the possible correlation between the interaction and distracted driving.

Experiment Setup in Sarah and Heather’s Testing

USER INTERFACE

The user interface for Apple CarPlay and Android Auto doesn’t support every app on the phone. Only certain mobile applications are allowed to be used on these systems. The most common ones include Phone, Messages, Maps, WhatsApp and Spotify.

Apple CarPlay

Apple CarPlay displays icons on the home screen. Each icon represents a mobile app. Apps are arranged in rows and columns. The icons are big enough and require minimum motor skill to press one, allowing drivers to stay focused on the road.

Apple CarPlay Home Screen

According to the author of thebinaryhick Blog, CarPlay does leave behind interesting artifacts that could prove useful in forensic investigations. For example, forensic examiners can use these artifacts in conjunction with data obtained from other sources, to get a complete picture of the device.

Sarah’s findings were similar to the findings demonstrated in thebinaryhick Blog.

According to the findings, the following artifacts can be obtained:

1. Timestamps: When the device was first connected (CarPlay initialised) and last disconnected.

2. Cars connected to the device: in cases where the iPhone is connected to more than one car, data reveals names of all the cars it has been connected to.

3. App icon layout: What apps have been placed where on the screen. This can be analysed using numbers allotted to apps found during analysis. Different cars could have different placement of icons on their screens.

From KnowledgeC.db (viewed in DB Browser for SQLite), researchers also found:

· Plug-in events

· CarPlay connect/disconnect status

· Cached locations that display the GPS coordinates of where the car was parked before the device was disconnected

Sarah used the Apollo tool, which takes different databases on iOS, runs queries against them and writes the results to a separate database. This tool was used to correlate data between multiple databases.

The process of obtaining artifacts requires a jailbroken version and an iTunes backup.

Android Auto

Like CarPlay, Android Auto also displays a home screen with icons representing mobile applications.

Android Auto Home Screen

In Heather’s testing, she gained access to data via file system extraction and Android backup. The process is relatively difficult as it depends on the manufacturer of the Android device and its OS.

According to her findings, the following can be obtained:

1. Temperature: Android Auto records the temperature where you plug in the device. Good footprint for tracking the location of the start point of the car.

2. Time zone and Date: preferences XML

3. Bluetooth/USB connections: Bluetooth address with date timestamps and location. Also, plug-in events are tracked by Power Manager.

4. Data usage: Tracks from the very first time the device was connected (Android Auto initialised) to the very last time it was monitoring. Gives two date stamps.

5. Cars connected to the device: Can find this in the search index.

Heather also conducted a test to find what artifacts were synced. She ticked yes to syncing all permissions, contacts, and SMS in the settings menu of her test device. This was only for testing purposes, as it’s risky to sync personal data, especially in rental cars.

In the peoplelog.db, she found that whenever the device was connected to a new car, it had to conduct a fresh sync, since Android Auto didn’t sync contacts from the contact list. However, Google syncs contacts when Google Assistant is used to make calls.

MESSAGES APPLICATION

CarPlay

The hands-free setting for Apple CarPlay lets us command Siri to read messages from the Messages app as well as WhatsApp messages.

Moreover, we can dictate a message to send to someone in our contact list or to reply to a message.

From KnowledgeC.db, InteractionsC.db and sms.db, Sarah could find data on the following:

- What audio was being used: inputs/outputs, for example speakers/headphones.

- How long Siri was used: timestamps.

- BundleIDs of mobile apps: for example, the Apple Music BundleID was tracked. If you are listening to music while dictating your message to Siri, the BundleID of the music app gets listed.

- What messages were sent or received: parsing lets you see messages.

However, there was no flag that indicated if a message was dictated. So, in case someone else picks up the device to dictate the message to Siri, it’s not possible to find out if the hands-free feature was used.

Android Auto

In Android Auto, the hands-free feature lets us talk to Google Assistant to read messages from the messaging app as well as WhatsApp messages.

Moreover, we can dictate a message to send to someone in our contact list or to reply to a message, just like in CarPlay.

Likewise, the MMSSMS.DB for Android Auto didn’t show such a flag in Heather’s testing. Both when the device was plugged in and when it was connected through Bluetooth, it didn’t indicate if the driver was using the hands-free feature.

In addition, tools don’t timeline the artifacts. Heather suggested finding a starting point and then looking for evidence, since parsing doesn’t occur and everything has to be done manually.

Correlation to assess Distracted Driving

CarPlay

KnowledgeC.db and Cache encrypted files can be useful to determine if a person is actually in the car and if the vehicle is moving. The geo coordinates can serve as good footprints.

In case you use an app that is not supported by CarPlay, such as Signal, there is data on tracked speed in m/s whilst the app was in use, which can be used to find if distraction has occurred (Sarah Edwards, SANS). The same applies in cases where the driver stops to check the phone or is at an intersection.

Data from Third Party Apps must also be looked at to connect any missing dots.
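The KnowledgeC.db correlation described above can be illustrated with a short Python example. It is an addition to this article, not code from the talk, the Apollo tool or thebinaryhick Blog. It assumes the commonly documented KnowledgeC.db layout (the `ZOBJECT` table, its `ZSTREAMNAME`, `ZVALUESTRING`, `ZVALUEINTEGER`, `ZSTARTDATE` and `ZENDDATE` columns, the `/carplay/isConnected` and `/app/inFocus` streams, and timestamps counted in seconds from 2001-01-01 UTC), and it runs on constructed sample rows rather than a real extraction.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# KnowledgeC.db timestamps are seconds since this date (assumed layout, see lead-in).
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Constructed sample rows: (stream, value string, value integer, start, end)
SAMPLE_ROWS = [
    ("/device/isPluggedIn", None, 1, 601200000, 601203600),
    ("/carplay/isConnected", None, 1, 601200010, 601203500),
    ("/app/inFocus", "com.apple.Maps", None, 601200020, 601201000),
    ("/app/inFocus", "org.whispersystems.signal", None, 601201000, 601201090),
    ("/app/inFocus", "com.apple.MobileSMS", None, 601204000, 601204100),
]

def build_sample_db():
    """In-memory stand-in for KnowledgeC.db holding only the columns used here."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ZOBJECT (ZSTREAMNAME TEXT, ZVALUESTRING TEXT, "
               "ZVALUEINTEGER INTEGER, ZSTARTDATE REAL, ZENDDATE REAL)")
    db.executemany("INSERT INTO ZOBJECT VALUES (?,?,?,?,?)", SAMPLE_ROWS)
    return db

def to_utc(mac_seconds):
    """Convert a KnowledgeC timestamp to a readable UTC string."""
    return (MAC_EPOCH + timedelta(seconds=mac_seconds)).strftime("%Y-%m-%d %H:%M:%S")

# Self-join: every app-in-focus interval that overlaps a CarPlay-connected interval,
# clipped to the part of the interval where both were true.
QUERY = """
SELECT app.ZVALUESTRING,
       MAX(app.ZSTARTDATE, car.ZSTARTDATE) AS overlap_start,
       MIN(app.ZENDDATE, car.ZENDDATE)     AS overlap_end
FROM ZOBJECT AS app
JOIN ZOBJECT AS car
  ON car.ZSTREAMNAME = '/carplay/isConnected' AND car.ZVALUEINTEGER = 1
 AND app.ZSTARTDATE < car.ZENDDATE AND app.ZENDDATE > car.ZSTARTDATE
WHERE app.ZSTREAMNAME = '/app/inFocus'
ORDER BY overlap_start
"""

def apps_during_carplay(db):
    """Return (bundle_id, start_utc, end_utc, seconds) for app use while CarPlay was connected."""
    return [(bundle, to_utc(s), to_utc(e), int(e - s))
            for bundle, s, e in db.execute(QUERY)]

if __name__ == "__main__":
    for row in apps_during_carplay(build_sample_db()):
        print(row)
```

Against a real extraction, the same query would be run on a working copy of KnowledgeC.db, and the resulting intervals compared with location and speed records from the other databases mentioned above.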

Android Auto

Google tracks everything, even while it's spinning. For instance, you ask Google Assistant to look something up for you while you’re driving and it displays dots spinning around. It records everything you speak in that window, even when it isn’t responding. All that data is in session files.

Google also keeps copies of messages if you draft them for WhatsApp. The audio files along with timestamps can be looked into to understand if distraction has occurred. This is especially useful in the case of an encrypted WhatsApp device.

Conclusion

Apple CarPlay and Android Auto were designed to help drivers stay focused on the road by taking care of tasks such as making phone calls, reading or sending messages and navigating hassle-free with limited motor demand. The artifacts thus generated have huge potential in solving criminal cases involving vehicles. The evidence can link information and/or serve as missing links in ongoing digital forensic investigations. As a result, a new field in digital forensics called Vehicle Forensics is emerging.

However, lots of research is required to help forensic investigators and examiners establish standard techniques.

Researchers are also looking forward to receiving contributions as there is abundant information and it’s difficult to get to. Moreover, different investigations require different data. Therefore, current forensic tools need upgrades to support future investigations.
