Breaking Down the Attack Surface of the Kenwood DNR1007XR – Part Two

This blog post analyzes the attack surfaces of the Kenwood DNR1007XR in-vehicle infotainment system. The main potential attack vectors include USB, supporting various audio and video file formats, and SD card for media playback and map updates, both using FAT and NTFS file systems. Bluetooth, utilizing version 5 with multiple profiles, offers another avenue, especially exploring undocumented services. A built-in Wi-Fi access point, secured with a discovered password, exposes open ports, including an SSH server and non-standard services, creating vulnerabilities. Android Auto and Apple CarPlay, both wired and wireless, present further targets, particularly via the secure Wi-Fi network. Kenwood's Portal and Remote S apps, facilitating image transfer and multimedia control via Bluetooth, expand the attack surface. The blog emphasizes the importance of thorough investigation and reverse engineering. The post intends to inspire security research, encouraging explorations beyond the discussed surfaces. The author highlights the complexity of file parsing and the role of user-supplied data, such as images, in expanding the attack surface. Open source licenses present another potential area of investigation despite the disclaimer of actual usage. The author encourages participation in the upcoming Automotive Pwn2Own event.