SANS Digital Forensics and Incident Response Blog

Digital Forensics - Automotive Infotainment and Telematics Systems

Paul A. Henry - Senior Sans Instructor - phenry@sans.org

MCP+I, MCSE, CCSA, CCSE, CISSP-ISSAP, CISM, CISA, CIFI, CCE, ACE, GCFE, GCFA, GSEC, GICSP, GCED, GPPA, VCP4/5, VCP-DCV (5.5), vExpert

 

Powerful Features

There is a huge range of features now controlled / enabled by current generation automotive infotainment and telematics systems (Figure 1 — Source), including but not limited to:

  • Digital radio
  • Satellite (GPS) navigation
  • Bluetooth connectivity (the vehicle has its own phone number that SMS messages can be sent to and some systems will even read your SMS text messages to you)
  • Audio player — on CD, MP3, USB or Bluetooth
  • Internet access (Hotspot) — enables web browsing for multiple passengers via an in-built Wi-Fi connection, and can also provide real-time traffic updates for GPS navigation systems
  • Satellite TV tuners — for passengers or for everyone as long as the car is parked
  • Cameras — an array of cameras literally showing a bird's-eye view of the car, making maneuvering in tight spaces even easier then ever before
  • Screen mirroring — wirelessly connect mobile devices to the automobile and mirror its user interface on the car's larger touchscreen

Escalade

Figure 1

As automotive infotainment and telematics systems evolve and become more powerful, the value of the historical data they contain from an evidence perspective grows as well.

Automotive Infotainment and Telematics Systems Are Not Crash Data Recorders

It is important to understand that automotive infotainment and telematics systems are not the same as crash data recorders (CDR), or event data recorders (EDR). In a CDR, safety sensor data such as brake position, speed, steering wheel position and airbag deployment is recorded at high frequency but only for a matter of seconds leading up to a crash. In an automotive infotainment and telematics system data is collected from primarily non-safety related components (i.e. speed and coordinates from GPS at a lower frequency but for a substantially longer time period). Hence while CDR systems can determine a point of impact an automotive infotainment and telematics system can perhaps show the longer term driving habits of the vehicle's driver.

Abundant Information but Difficult to Get To

While there is an abundance of available information, vendors of automotive infotainment and telematics systems have not made them easy to acquire. The forensic product vendor Berla (https://berla.co/) use various methods to extract the data. To get to the data, one must use Berla's iVe kit, which is composed of iVe software and hardware components for accessing numerous systems from various automakers (i.e. Ford, GM, FCA, BMW, Toyota, and Volkswagen to name a few). For some systems it is as simple as plugging a USB or on-board diagnostics (OBD-II) cable from the iVe kit into a system running the iVe desktop application and walking through the on-screen steps for performing an acquisition. For some other supported systems, an iVe device interface board (DIB) from the kit is attached to the infotainment/telematics module's PCB as outlined in the in-app instructions. The DIB is then connected to a computer running the iVe application, as well as the kit's power supply (for certain modules). Depending on the particular type of system being acquired, iVe will offer the option for either a physical image, logical image, or both. For certain modules, one must also remove the protective solder mask from certain pads on the module's PCB prior to connecting the DIB, though a scratch pen is included in the iVe kit, and instructions with photos showing the specific pads to scratch are included in the application.

It's the Wild Wild West All Over Again

It is also important to note that a CDR has a definitive government requirement (CFR-2011-title49-vol6-part563) that defines not only what data is to be stored but also the format in which that data is stored. In contrast, infotainment and telematics system vendors are all over the map regarding what data is stored and how and where it is stored. Furthermore, specifically what data is stored can vary from one vehicle model to another, even when the same system appears present in two different vehicles. This requires the forensic tool developer to have a deep understanding of the data structure for each vendor's product as well as for each car model in order to be effective. It reminds the author of the early days of mobile device forensics.

The following is a broad example of available data types for iVe-supported systems. Any given manufacturer's system will have a select subset based on features present for that particular system. The data stored may also vary based on the vehicle's use, actions of the occupant(s), which features were used, etc. The types of data stored can also change when a given manufacture updates the firmware of a system.

To see if a particular vehicle is supported, and what information may be available on the system, use the iVe supported vehicle lookup on Berla's website. The lookup is also included in the iVe application itself.

Vehicle / System Information

  • Serial Number
  • Part Number
  • Original VIN Number
  • Build Number

Installed Application Data

  • Weather
  • Traffic
  • Facebook
  • Twitter

Connected Devices

  • Phones
  • Media Players
  • USB Drives
  • SD Cards
  • Wireless Access Points

Navigation Data

  • Tracklogs and Trackpoints
  • Saved Locations
  • Previous Destinations
  • Active and Inactive Routes

Device Information

  • Device IDs
  • Calls
  • Contacts
  • SMS
  • Audio
  • Video
  • Images
  • Access Point Information

Events

  • Doors Opening/Closing
  • Lights On/Off
  • Bluetooth Connections
  • Wi-Fi Connections
  • USB Connections
  • System Reboots
  • GPS Time Syncs
  • Odometer Readings
  • Gear Indications

 

Oh My! Guess What I Found on eBay?

image003

Figure 2

An eBay seller was parting out a wrecked 2015 Silverado pickup truck (Figure 2) including its infotainment system, an NG 2.0 HMI module (Figure 3, 4, 5).

image005

Figure 3

image007

Figure 4

image009

Figure 5

Primary Components in the NG 2.0 HMI

  • Micron Technology N2M400JDB341A Flash - eMMC NAND, 32GB
  • Renesas uPD35003-LN6 SoC - Tri-Core ARM11, 400MHz, w/ 2D/3D Graphics Functions & Peripherals Support
  • Alps Electric UGKZ2-201A Bluetooth / WLAN Module - Bluetooth V2.1+EDR, IEEE 802.11b/g/n, Automotive
  • Micron Technology MT41J512M8RA-15E AIT:D SDRAM - DDR3-1333, 4Gb, 1.5V- (Qty: 2)
  • Epson AP-6110LR Inertial Sensor - 6-Dof, 3-Axis Gyroscope Plus 3-Axis Accelerometer, Analog Output
  • Spansion S29GL512S100DHA02 Flash - NOR, 512Mb, 100ns, 65nm
  • SMSC OS81092AM MOST Bus Controller - 50 Mbps, Automotive
  • Texas Instruments DS90UR905QSQ Serializer - FPD-Link II, 24-Bit Color, Up to 65MHz, Automotive

 

Lets acquire some data

Preparation for acquisition (Figure 6) involves scratching insulating material away from specific PCB pads, as specifically outlined in iVe's instructions, to permit connectivity with the PC board traces. The fiberglass scratch pen has strands that tend to come apart during the removal process, so gloves and safety glasses are highly recommended. The iVe DIB is then connected to the PCB. Proper alignment of the DIB pins on the PCB is critical.

 

image011

Figure 6

 

The PCB is powered with the variable power supply (Figure 7) that is included in the iVe kit. It is important to ensure the voltage is adjusted to 12V prior to connecting the leads to the PCB power connector.

image053

Figure 7

 

The iVe application includes an acquisition wizard to walk the user through each step for setting up the acquisition.

The iVe DIB is connected to the computer running iVe, and power is applied. After successfully testing the hardware connections by clicking the ?Detect' and ?Test' buttons (Figure 8) in the software, the acquisition can be started. For the HMI module, iVe allows for a logical image to be acquired.

image057

Figure 8

Once extraction has completed, analysis can be performed, and reports can be generated. iVe's data export functionality supports .csv, tab-delimited, and .kml for GPS data, and reports can be exported in HTML or PDF format.

 

Below is some of the data collected by iVe for the HMI device in this test.

Attached Devices (Figure 9)

image029

Figure 9

SMS Messages (Figure 10)

sms

Figure 10

Call Logs (Figure 11)

call

Figure 11

Contacts (Figure 12)contacts

Figure 12

Device Events (Figure 13)

events

Figure 13

Voice Recordings (Figure 14)

voice

Figure 14

Carved Files (Figure 15)

carved

Figure 15

Music (Figure 16)

music

Figure 16

Summary of HMI Device

  • No crash data but good data to establish habits and patterns of the driver
  • Examples of available historical data included
    • Calls
    • SMS
    • Some GPS Information
    • Media (i.e. Music)
    • Connected Devices
    • More Can Possibly Be Parsed from Recovered DB Files

 

Another Visit to eBay

We already imaged an NG HMI so this time I was looking for an OnStar Gen 9 device to analyze (Figure 17).

image045

Figure 17

Primary Components of OnStar Gen 9

  • Micron Technology N2M400JDB341A Flash - eMMC NAND, 32GB
  • Renesas uPD35003-LN6 SoC - Tri-Core ARM11, 400MHz, w/ 2D/3D Graphics Functions & Peripherals Support
  • Alps Electric UGKZ2-201A Bluetooth / WLAN Module - Bluetooth V2.1+EDR, IEEE 802.11b/g/n, Automotive
  • Micron Technology MT41J512M8RA-15E AIT:D SDRAM - DDR3-1333, 4Gb, 1.5V- (2)
  • Epson AP-6110LR Inertial Sensor - 6-Dof, 3-Axis Gyroscope Plus 3-Axis Accelerometer, Analog Output
  • 6-Layer - FR4, Lead-Free
  • Spansion S29GL512S100DHA02 Flash - NOR, 512Mb, 100ns, 65nm
  • SMSC OS81092AM MOST Bus Controller - 50 Mbps, Automotive
  • Texas Instruments DS90UR905QSQ Serializer - FPD-Link II, 24-Bit Color, Up to 65MHz, Automotive

 

Lets acquire some data

As with the previous acquisition, the iVe DIB is attached to the PCB and the computer running iVe. The variable power supply is tested to ensure it is set at 12V before connecting it to the PCB power connector. The step-by-step acquisition wizard in the iVe software is followed to begin the data extraction (Figure 18). iVe allows for a physical extraction on the OnStar Gen 9.

image057

Figure 18

 

Below is some of the data collected by iVe for the OnStar Gen 9 device.

Attached Devices (Figure 19)

attached

Figure 19

SMS Messages (Figure 20)

image061

Figure 20

Call Logs (Figure 21)

image063

Figure 21

Contacts (Figure 22)

image065

Figure 22

Locations (Figure 23)

image067

Figure 23

Power Events (Figure 24)

image069

Figure 24

GPS Tracking (over 5000 entries in one-second intervals — Figure 25)

image071

Figure 25

 

Summary of OnStar Gen 9 Device

  • No crash data but good data to establish habits and patterns of the driver
  • Tons of historical data
  • Calls
  • Tons of GPS information including over 5000 tracking entries in one-second intervals detailing speed, distance and GPS coordinates
  • Connected devices
  • More can possibly be parsed from recovered DB files

 

In Closing

  • No crash data but tons of historical data that can potentially show details of driver's habits prior to a crash
  • Your "mileage may vary" as to exactly what can be recovered, partially depending on how the vehicle was used and what features and actions the occupant(s) employed
  • Big difference between HMI and OnStar devices as far as available data goes, though that is by design, as the latter is intended primarily for telematics functions rather than infotainment
  • Also data recoverable may depend on specific implementation for a given car model
  • There is no clearly defined data standard for vehicle infotainment and telematics systems
  • Very much like the early days of mobile device forensics
  • Crash forensics using Bosch does use the US government standard CFR-2011-title49-vol6-part563 - more on that later in a future blog post
  • Though the above tests covered only GM systems, iVe supports numerous makes, including Ford, GM, FCA, BMW, Toyota, and Volkswagen
  • Support for more and more vehicle makes and models is constantly being added to iVe
  • Using the supported vehicle lookup on will help determine whether a specific vehicle is currently supported in iVe