Security Implications of Android Head Units - Watch This!!

  • Published 9 Apr 2023
  • Having an Android head unit is like leaving your old unlocked phone or tablet on your seat in a car whilst it is parked.
    Android head units are generally safe and you should not be discouraged from using them, but I've created this video to help you remain secure.
  • Film & Animation

COMMENTS • 97

  • @EsotericArctos 10 months ago +6

    The firmware updating has been one of my concerns with android head units. I even brought it up with Eonon support a few times, advising that even though it is a car, due to it being full android, there are security risks. Their standard answer was "It's a car stereo and no one updates firmware on them." So that is a very valid point. The unsecured in the car, in case of break in or theft, is also another good point.
    I hope the many people buying Android head units get to see this video as I can guarantee a lot of them don't think of the things you've mentioned.

    • @SirBrass 10 months ago +1

      Aren't security updates handled by updates to the Google services which happens with software updates through the play store and not through base firmware?

  • @jongittus2279 1 year ago +12

    100% agree, a 2nd account is the best idea for peace of mind. However it is possible to set a screen lock on most units, even if the option isn't visible in the security settings using a third party app. That way all a potential thief could do is wipe the headunit in which case all your accounts are gone.

    • @Tsiqara 10 months ago +1

      Valid point regarding screen lock. It would be interesting to know the opinion of the author of the video about screen lock effectiveness on HUs in protecting our privacy.

  • @stevebusch1205 1 year ago +3

    Great eye opening video. I started thinking about the security issues when I got into AI boxes. I am on my third AI box because of multiple issues. Mostly because of their glitchy nature and support from the manufacturer. My first worry was when I would sign into my G account, I would get the security email warning of “did you sign into this device”. What threw me was the device that was listed. They were all older Android phones, not the AI box name. Made me think.
    Then I started returning the boxes that I did not like and hoped that I factory reset the device and wiped all my personal data.
    Your video brings up the many security issues we all need to be aware of. Great job

  • @ps2-one 1 year ago +6

    Important message, well done. I'd like to add that it's also not a good idea to add your (main) home Wifi connection; use your guest Wifi connection instead. A lot of Android devices from unknown brands contain malware, so be cautious.

    • @krecikowi 3 months ago

      any way to scan for this malware?

  • @bobcar824 3 months ago

    Thank you for your excellent advice. I really appreciate all the good information you put online. Cheers from Arizona!

  • @ronnielloyd4676 1 year ago +1

    Great advice and information Stu!

  • @CyNinjaNikka 1 year ago

    Found your videos from doing a head search for the right screen for the right price.
    I figure what I’m going to do with the tablet and sound driver in eg v4a driver
    For a 2is Lexus what would you recommend? Have you tried the AOstr as a brand

  • @SirBrass 10 months ago

    I just got my Atoto A6 PF and I definitely like the basic security it has. It's locked unless my phone is in range and if not, a PIN I set must be entered.
    Of course there's cyber concerns, but I don't have wallets or banking apps installed, except for play store. And I'm not inviting any more risk than I already have without the headunit linked.

  • @robinramos1407 1 year ago

    I'm looking to upgrade my headunit from stock in my Saab 9-3 Vector SC BioPower 2008. Honestly, the only functions I'm interested in are wireless Android Auto/Apple CarPlay. Doubt I will install a rearview camera or other add-ons like that. And the HU needs to be relatively fast to boot up from start. Would y'all still recommend going for an Android headunit over a Linux-based one from "legacy brands" considering what functions I'm mainly interested in?

  • @Croi_Fiain 1 year ago +2

    On a similar note... I have only just come across your very useful channel and have only really discovered that what I would refer to as non-standard head unit brands that I've used for decades (Alpine, Kenwood, Sony, etc) even exist, let alone being actually very good.
    This may be a ridiculous question so please bear with me.... Or scoff and laugh :)
    My "discovery" has come at a time when there is increasing suspicion about tech manufacturers which may or may not be directly or indirectly funded and monitored by certain governments (for example TikTok) and the outright banning of such apps etc on government officials' devices. Also there's the recent news about Tesla employees sharing video footage from parking cameras installed in customers' cars even when the cars are apparently switched off.... So your note here on security is a timely one.
    I am fully aware that our phones are effectively listening to us and monitoring conversations on apps which lead to suspiciously well timed adverts for whatever products we talk about with friends - so there is an argument that we can't stop our privacy being invaded anyway. Where do we balance paranoia with a desire for shiny functionality...? Can we protect our privacy when installing kit in our cars made by brands plenty of people have never heard of? How can we reassure ourselves our data, be it driving data, app usage, routes driven, camera footage etc etc is "safe"? Or shall I just stick with a 15yr old FM radio with an AUX IN connection? I'm almost thinking of whether anyone will write a user friendly packet sniffer/firewall app!

    • @SaabUnleashed 1 year ago +10

      There lies the main point. These are car head units at the end of the day, why give them access to anything that they simply do not need? Ultimately, the data collected by navigation and media apps is only relevant if it can be aligned with your larger data footprint. So avoiding using key accounts on these will help with that. But in the grand scheme of things, that location data is also on your mobile phone which effectively doubles as a GPS tracker.
      To be honest, we're pretty much at a point now where we just have to accept that we are pawns :)

    • @Croi_Fiain 1 year ago +2

      @SaabUnleashed Thank you for the considered reply 👍🏻

  • @lezbriddon 1 year ago +1

    Security made me think of theft prevention. In all your experience with head units have you ever seen a quick release slide out/pull out caddy?
    We had them many years ago for CB radios etc to help prevent theft. While I would be worried about a high value unit being stolen, my main reason would be that on our camper van it could be pulled from the dash and slid into a duplicate mounting 'station' at the back in the sitting/living area. We have had the van a while now and I keep putting off buying in case there's a next best thing!

    • @HaddaClu 11 months ago +1

      That's the nice thing about the Boss floating screen head units; they have quick release screens. Granted they aren't running Android, but it's still something nice.

    • @roadie3124 5 months ago

      My 1984 Saab 900 TU5M came with an Alpine single DIN stereo with a removable "head unit". There was a button on the side that released the front part. Saab/Alpine even provided a carry case to protect your precious device. It became a meme in the 1980s with uncool engineer/architect/accountant types telling their friends about them.

  • @Necrotic99 9 months ago +1

    Have you used a secondary account but linked to your main account as a family member? I am trying to figure out if this is how I can share apps and such without compromising my main account.

  • @Ryzza5 6 months ago

    Another suggestion for any car satnav is to enter a nearby but inaccurate saved home/work address.

  • @Thereviewerman5 4 months ago

    Such a great video. Thank you.

  • @billfollette8697 1 year ago +1

    Thanks for the info stu

  • @whoarewenow 1 year ago +2

    Are there any apps to add a lock screen on a head unit?

  • @georgepatrick4135 1 year ago

    I am in the USA and I am looking for an Android unit for a 2008 Toyota Highlander. I am looking at the EKIY T8 8G 256G. I want to spend around $300.00 US. What Android unit do you recommend?

  • @EKUL34 1 year ago +1

    I feel this video is directed directly at me given I asked about this topic 2 weeks ago in a comment 😅

    • @SaabUnleashed 1 year ago +3

      Lots of people asked me about this haha

    • @GoaWay... 1 year ago +2

      Yep, I'm one of the people who asked about the Google sign in. 😊

  • @zhodge0 6 months ago

    Thanks for the info

  • @9josealfonso263 7 months ago

    Is a TS 10 Android head unit any good? Thanks

  • @krecikowi 3 months ago

    What about software installed on those units? How to know if malware is not hidden?

  • @rokimanful 7 months ago

    Hi, thanks for reviewing Joying head unit, and I have got one myself. But upon running antivirus in the brand new android system, it gave me several malware warnings. I contacted the customer support, and he told me he did not understand antivirus warnings, and the system did not need antivirus. Should I remove the files of malware warnings? I don't know how it will affect the system.

    • @SaabUnleashed 7 months ago

      It depends what the malware software is flagging up. Android head units are different from phones / tablets and have several control features that might be considered malware by some software. What are you using to scan?

    • @rokimanful 7 months ago

      @SaabUnleashed I used Avast Security and it came up with 5 files containing malicious code: "SubServer, Launcher4, and Launcher3 *3". There was news about millions of pre-infected Android devices with malware.

  • @spec1923 1 year ago

    Can you do a review of maXpeedingrods unit? Price seems reasonable and quality seems exceptional.

    • @SaabUnleashed 1 year ago

      I'll see what I can do

    • @spec1923 1 year ago

      @SaabUnleashed Thank you. Looking at Xtrons also. I want a volume knob because the vehicle does not have steering wheel controls, so I feel it is important. Thanks again.

  • @nicd5439 3 months ago

    If you only mirror phone. Would there be security issues? Or is information bi-directional? Malware could be transferred from head unit to phone via wireless connection or hard connection.

    • @SaabUnleashed 3 months ago

      Streaming services, such as screen mirroring, android auto and apple Carplay do not share account data with the head unit. Screen mirroring is very outdated these days.

    • @nicd5439 3 months ago

      I suppose what I’m getting at. Can malware or the like be transmitted to phone via mirror link Bluetooth WiFi usb etc… you mentioned unsealed packages could have 3rd party malware. Different category. Remember when vw was cheating emissions only when plugged into obd2 at smog station? Apparently onboard system can transfer data bi directionally. I wonder if the bigger companies will ever offer “component” style head units. Such as mixing and matching universal screens to what ever chassis you like. For now it appears to be proprietary to that specific model

  • @paulgoodchild3482 1 year ago +2

    Interesting, if you connect your phone to the head unit, assuming your phone is logged in to your main google account is there a risk with that? I'm thinking about an Atoto for Android Auto

    • @SaabUnleashed 1 year ago +3

      No, there's no risk in that. Your phone protects all data

    • @quincynufc 8 months ago

      @SaabUnleashed Similar question: I’m thinking about getting an AI box which also provides wireless CarPlay (my car is wired only). Is there any security risk in connecting my phone to CarPlay via the AI box? I’m thinking in terms of the box having been produced by some random manufacturer / having been tampered with during shipping as you describe in the video. Thanks.

    • @DTADKT 4 months ago

      @SaabUnleashed This would be the same case for the add-on units that plug into the OEM head units and provide Apple CarPlay to the car OEM screen, right? For example: Grom VLINE or CARabc wireless CarPlay adapter? It's just remote access from your phone and your phone would protect all the data, don't need to worry about a security risk? Thanks

  • @RC-ic1co 4 months ago

    Honest, but maybe dumb question: If an aftermarket headunit offers Apple Carplay and/or Android Auto and I use this feature with my smartphone - would that theoretically open attack vectors of the headunit towards my phone? (Or is Apple Carplay/Android Auto more of a pass-through functionality, where I don't really need to think about such?)
    Because I was thinking: If I was e.g. just buying an aftermarket headunit to use Apple Carplay/Android Auto, that wouldn't even provide my phone's internet connection to the headunit itself, right?

    • @SaabUnleashed 4 months ago +1

      Carplay and Android auto are just apps streaming from the phone, there is no risk with them, but they're just very limited and obviously require a phone

  • @donttasemebroseph 1 year ago

    Any quality Android head units with 5 Channel digital out that you don't have to sign into? It's easy enough to use F Droid or Aurora to get FOSS apps on an Android device.
    Honestly I'd just like to have a nice device that will screen mirror my android phone and integrate with aftermarket amps and speakers. Easier said than done apparently

    • @SaabUnleashed 1 year ago

      Screen mirroring is really counter productive if you buy an android head unit. Regarding logging in, you don't need to, but you should

    • @donttasemebroseph 1 year ago

      @SaabUnleashed been doing a lot of reading and I agree with you. Was trying to pull the trigger and buy the navifly m6pro but I can't make payment on aliexpress without giving every shred of my personal information to include pictures of my driver's license to them. Anybody else having this problem? Aliexpress the only place to buy a new navifly M6?

    • @SaabUnleashed 1 year ago

      @donttasemebroseph can't say I remember ever having to supply them with photo ID

  • @toastranger72 3 months ago

    I'm also concerned with spyware built into the unit. You connect your phone to use Android Auto or CarPlay, and they've got everything. Same goes for connecting it to home wifi to set it up.

    • @SaabUnleashed 3 months ago

      Carplay and Android auto do not share data with the head unit. It's just a streaming function

  • @Jaspa42 1 year ago

    You beat me to the throwaway account comment ;)

  • @carlb86 1 year ago +2

    One correction. Chrome passwords are encrypted to a keyring.

  • @JUSTAGUY935 4 months ago

    Quick question, is it safe to use Android Auto and Apple CarPlay on stereos that have the feature?

    • @SaabUnleashed 4 months ago +1

      I should have answered this in the video. Android Auto and Carplay do not share any sensitive data, they're providing remote access to the apps installed on your phone.

    • @JUSTAGUY935 4 months ago

      @SaabUnleashed Thank you for the info! I've been going through your videos (which are great btw) and trying to see if there's any big screen with a physical volume knob. Hopefully I find "the one"

    • @jacobsmith3010 3 months ago

      @SaabUnleashed so would that mean it’s even safer than using a second Google account? I’d imagine, as a layperson, that using a second Google account is only securing your accounts because it’s not directly related to any other account you own. But if you wanted to listen to music through Spotify, you’d need to log in directly to the head unit thus subjecting the account to potential nefarious actors - is that correct?
      Sorry to the person whose comment I’ve hijacked lol

    • @SaabUnleashed 3 months ago

      @jacobsmith3010 Apple CarPlay and Android Auto are safer by default simply because you are keeping any data on your phone, and not on the secondary device (head unit). Your Spotify account is not really sensitive data (unless you use the same password for everything). And I want to be clear that it is highly unlikely that you will be subject to anything malicious. For such a thing to happen, there would need to be tracking / keylogging software on your head unit and that is simply not going to be put there by any business who want to retain the respect of their brand

    • @krecikowi 3 months ago

      @SaabUnleashed do you mean those respectful Chinese businesses?

  • @daphoenixto 1 year ago

    What about those that aren't on the Alphabet Big Brother Control grid and drive a Saab 9-7X? this is my problem I don't use Windows or Google I use Linux and FOSS

  • @vbmdsm 1 year ago

    That's what I've done for my Android TV - created a specific Google account just for the TV...

  • @JWard2 1 year ago +1

    Yea, throwaway account is what I do

  • @ricardoharewood775 1 year ago

    Remember to remove your google account whenever your car goes in for service, detailing etc.

  • @samle8260 1 year ago

    Hello, I'm from Denmark. I just got a 9-5 with navi, and want to put all new audio in my car: new speakers, new amplifiers, and an Android head unit, but it's hard to find the wiring harness I need. Can you help me find out what I need to go around the factory install? It's a 9-5 from 06 with Denso navi.

  • @TechGorilla. 1 year ago +2

    Also, I get an alert on my phone if someone is trying to get into my account, saying "do you allow this change". Say no, then Google locks the account till you log in yourself from a device that Google knows, like your phone in your hand. Stu, you are wrong about this.

    • @SaabUnleashed 1 year ago

      Again, not wrong. If your account was compromised, yes you'd receive notification of a new device.
      But what if you're driving or at work or otherwise unable to read messages? That person already has access and is having fun on your account until you revoke his access. The only exception to this is if you have two factor authentication activated

    • @SakakiDash 1 year ago

      @SaabUnleashed No they don't, you need to authorize the new device.

    • @SaabUnleashed 1 year ago +1

      @SakakiDash do you see the 30 Android head units behind me in this video?

  • @akira5982 1 year ago +1

    & this is why we cant have nice things 😮‍💨

  • @ghost762 4 months ago

    What about reloading them with GrapheneOS?

    • @bolm-us6yb 4 months ago

      GrapheneOS does not support anything other than Google Pixel phones, and it probably never will. And as far as I know there aren't even custom ROMs. Even if there was someone to port over a custom ROM for a specific head unit, who would make sure that they don't put anything malicious in it? This is a bit far stretched but if they did put something malicious on it then you wouldn't be able to do anything about it.

  • @shLowKey 7 months ago

    I created a throwaway account today to set up my Android head unit. Just one issue, I use YouTube Music to play music and my original account has YouTube Premium 😂 so I just use Android Auto🤭

  • @Oette 1 year ago +2

    Can I use an alternative account on the headunit and then use Android Auto and have access to YouTube Premium from my main account?

    • @SaabUnleashed 1 year ago +1

      Yes, and Android Auto is irrelevant from this video as you are signed in using your phone not the head unit

  • @SmilodoOon 1 year ago

    the atoto has an option to lock it

  • @andrewchristiansen8311 3 months ago

    I used my junk email Google account to download everything & dealt with resubscribing to what I like on YT. I won't do any shopping/cash app & the wifi network it connects to at home is a VLAN wireless guest network. My phone only uses that guest network too for wifi in case it sniffs out wifi credentials. Being as I use my hotspot too for the head unit. My car is a 17 y.o. Toyota Camry so nobody will steal it.

  • @g_unit6773 1 year ago

    💯 AGREE.....I've been doing this for a few years now and no problems

  • @androidcarnavi6144 1 year ago +1

    Hello, boss. I am a Chinese Android screen manufacturer. Source factory. I watched your videos. You're a professional. I have a team working on Audi, Porsche. Land Rover Jaguar android screen development and sales, so we can carry out more in-depth communication and cooperation, price and service advantage!!
    Look forward to cooperating with you

  • @BenRitchie 6 months ago

    I guess CarPlay isn't a threat because it's just mirroring your phone?

  • @stevesalvatore 1 year ago

    That's why I have about a million Gmail accounts 😂.

  • @ultraviesonic 1 year ago

    The future is quite scary with ai and quantum computing. Pretty much no password will be safe, not even google.😢

  • @jaroslavzaruba2765 1 year ago

    Does anyone please have experience with running a head unit outside of a car? Mine does work when connected in car, but I would like to be able to boot the head unit on my desk (so I can try to figure out why the mic is so quiet.)
    I connected black GND and yellow Battery wires, no luck.
    Some people also connect the red ACC wire, but on my head unit the red wire does not lead from the quad-lock port to the head unit, but rather from the head unit to the physical controls of the A/C, which is a separate piece of the product. (My head unit is UNISOC UIS7862A 4G LTE QLED, version M700S, by Mekede.)

    • @SaabUnleashed 1 year ago +1

      There are three wires required to power a head unit. Ground (black) , permanent live (yellow) and ignition live (red). It's the ignition live that actually controls the power state, so you need to find that.

    • @jaroslavzaruba2765 1 year ago

      Thank you sir, I will try to figure out the red wire or why it's not where it should be

  • @JRPW 1 year ago

    Make a 2nd Google account!

  • @Ali-jabbar 4 months ago

    The radio reception for this is very bad, even the DSP is bad across all android head unit due to limited DAC resolution? Don't recommend it

  • @TechGorilla. 1 year ago +2

    Stu, you are wrong!!! Google has the very best security; anyone tries to get into your account, I get notified. Also, if my car got stolen I can't reformat the radio from my phone. 100% wrong, Stu.

    • @SaabUnleashed 1 year ago +5

      I am not wrong. The warnings you are referring to are based on someone accessing your account with a new device. If they have access to the head unit, either via theft or by backdoor access whilst it is online (because no security updates) you'll be none the wiser. But yes, there are available options if you are aware