Wireless Car Play 12/03/2025
Recently I bought a Wireless Car Play Adapter to replace the cable I was using in my car. I did this so it looks cleaner and is more seamless when getting in the car and setting up CarPlay. During the setup, I noticed the device wanted a Wi-Fi and Bluetooth connection from my phone... which is expected, but it got me thinking. After a while I finally took the device in and started having a poke.
Awful passwords
After plugging the device into a USB slot, it powers itself on and creates a Wi-Fi network. Of course my phone has connected to this Wi-Fi before, so I decided to check what the password is... and of course it's "12345678". I then connected my laptop, loaded up a Kali VM and started an Nmap scan.
On the network
The scan came back with TCP ports 80 and 40925 (nothing came back on UDP). Before looking at port 80 I checked 40925, but nothing came of it. Telnet gave me a connection but nothing I could interact with. Further research didn't turn up anything here.
The Website
The device was hosting a configuration page on port 80 which allowed me to do a number of things with the device, such as:
- Change Wi-Fi Channels
- Toggle GPS
- Factory Reset the device
- Submit an issue to the vendor
Right away this presents a problem: if you're within Wi-Fi range of the device, you could connect using the weak password and stop the GPS from working, or factory reset the device. None of this requires any authentication beyond the Wi-Fi password.
Further Enumeration
I ran Gobuster against the website and identified only /cgi-bin/, which returned Forbidden. However, after looking in the JS, I found direct links to files within this directory:
- getversion.cgi
- switch_p2p.cgi
- downfile.cgi
- factoryreset.cgi
- setprop.cgi
- submition.cgi
- minizip.cgi
getversion.cgi - does what it says on the tin: it returns information such as Protocol Version, System Version and Platform.
switch_p2p.cgi - disables the Wi-Fi on the USB adapter, which disconnects me from the device...
factoryreset.cgi - another one that does what it says on the tin. I don't want to action this right now, so it will be revisited later.
setprop.cgi - returns a response containing "getParameter str=", so it is clearly expecting a parameter in the request.
submition.cgi & minizip.cgi - both return a blank page with only the content headers set.
An external endpoint
The device has multiple references to an external website which has the following endpoints:
- /device-web/upgrade/queryDeviceVersion
- /device-web/open/AddLogFile
- /device-web/open/upload
- /device-web/upgrade/download
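Both the /cgi-bin/ links above and these /device-web/ references were found by reading the configuration page's JavaScript. The script below is an added example (not code from the post or the vendor) of pulling that inventory out of JS text automatically, splitting it into endpoints on the adapter itself and endpoints on the external site, and noting any query parameter names seen (such as the str= that setprop.cgi expects). The JS sample is constructed; "vendor.example" stands in for the unnamed vendor host, 192.0.2.1 for the adapter, and bare *.cgi names are assumed to live under /cgi-bin/.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample of the kind of client-side JS served by the adapter's
# configuration page. The CGI and /device-web/ endpoint names are the ones
# the post lists; "vendor.example" is a placeholder for the vendor host,
# which the post does not name, and 192.0.2.1 stands in for the adapter.
SAMPLE_JS = r"""
var base = "/cgi-bin/";
function ver(){ $.get(base + "getversion.cgi", show); }
function p2p(){ $.get("/cgi-bin/switch_p2p.cgi"); }
function reset(){ $.post('/cgi-bin/factoryreset.cgi'); }
function prop(k, v){ $.get("/cgi-bin/setprop.cgi?str=" + k + "=" + v); }
var upd = "https://vendor.example/device-web/upgrade/queryDeviceVersion";
var log = 'https://vendor.example/device-web/open/AddLogFile';
var dl  = "https://vendor.example/device-web/upgrade/download";
"""

# Quoted literals that are absolute URLs, absolute paths, or bare *.cgi names
# (the last case covers "base + 'name.cgi'" concatenation, which a plain
# path regex would miss).
_URLISH = re.compile(
    r"""["']((?:https?://[^"'\s]+)|(?:/[^"'\s]*)|(?:[\w.-]+\.cgi(?:\?[^"'\s]*)?))["']"""
)

def extract_endpoints(js, page_url, cgi_dir="/cgi-bin/"):
    """Return (local, external): sorted lists of (host, path, param_names).

    Bare *.cgi names are resolved against cgi_dir, the directory Gobuster
    found (assumption: every bare CGI name lives there).
    """
    page_host = urlsplit(page_url).netloc
    found = {}  # (host, path) -> set of query parameter names seen
    for m in _URLISH.finditer(js):
        raw = m.group(1)
        if not raw.startswith(("/", "http")):
            raw = urljoin(cgi_dir, raw)
        parts = urlsplit(urljoin(page_url, raw))
        if not parts.path or parts.path.endswith("/"):
            continue  # bare directory prefixes such as "/cgi-bin/"
        params = {q.split("=", 1)[0] for q in parts.query.split("&") if q}
        found.setdefault((parts.netloc, parts.path), set()).update(params)
    rows = sorted((h, p, tuple(sorted(q))) for (h, p), q in found.items())
    return ([r for r in rows if r[0] == page_host],
            [r for r in rows if r[0] != page_host])
```

Running it against the real page's JS gives a list to review by hand; it only reads the script text and never requests any of the endpoints, which matters given that switch_p2p.cgi and factoryreset.cgi change device state.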
I'm interested in getting the device firmware, so the download endpoint seems interesting.
When trying to hit that endpoint I get left with a "Bad Request".