4Secure Vehicle Forensics
Good day to you and welcome back to my blog on my adventures in Vehicle Forensics. Since I last wrote the following has happened:
Delving through the weeds of Audi MMI 3G
Attend the 1st Car Forensics and Cyber Threat Working Group at Interpol HQ Lyon
The Audi MMI Job
Audi cars are one of the vehicles du-jour at the moment. The quality engineering and easily recognisable style has made it a popular choice with many people. They are also one of the cars either favoured by criminals as a status symbol or stolen to enable the pursuance of an offence. (My accountant brother-in-law has an S3 – enough said). In my ongoing quest for attributable data my focus is remains firmly planted on the infotainment system.
Audi cars use the Harman Multi Media Interface (MMI) as the backbone of its infotainment suite. Wikipedia has a great article: https://en.wikipedia.org/wiki/Multi_Media_Interface.
As with all vehicles what is actually there in the hardware and software of the MMI is dependent on many things: Model; Trim; Customer Options; Mid-term Facelift et al. Key points that I have found so far are:
- MMI use the QNX Real Time Operating System (RTOS) embedded on two flash chips.
- Sometimes a hard drive is present too. This appears to store map updates for the navigation and also allows a user to download media files and store them.
- Chip off is the means to obtain data at present. But we are working non-destructive means too.
The main challenge with this data is mounting it to enable examination. So far the big hitters in forensics (Magnet, Guidance Software, Accessdata, Cellebrite et al) do not fully support QNX. The only solutions are mounting in Linux or using QNX’s proprietary SDK. This a. costs money and b. you need to have a clear business case they approve of to receive. Not easy.
Notwithstanding the issues, so far we have found the following nuggets of gold in our analysis:
- Data is stored in SQLite 3 databases.
- Data retrieved includes: Connected mobile device MAC Addresses; SMS messages; Contact lists and more.
- Still looking for geo-location data.
Next steps are now investigate non-destructive method of extracting data and keep looking for geo-location data of worth.
1st Car Forensics and Cyber Threat Working Group at Interpol HQ Lyon
In October I had the great pleasure of attending the 1st Car Forensics and Cyber Threat Working Group at Interpol HQ Lyon as a speaker. The event was attended by a mixture of law enforcement, cyber professionals and member of vehicle manufacturing community. What was reassuring (or not so, dependent on your point of view) was the common themes that everyone was facing. Lots of interesting points were raised and hopefully this group can continue forward and provide an excellent link between ourselves and the motor vehicle manufacturers and provide an international platform for discussion on vehicle forensics.