Spotify’s discontinued Car Thing accessory has been hacked and root achieved thanks to security loopholes.
The Car Thing is ultimately a failed experiment from Spotify to give those with older cars easy access to music streaming. The device originally retailed for $89.99 before Spotify realized no one was willing to pay that for such a pitifully limited device. Plus, most cars made in the last ten years or so include Bluetooth at least.
Nolen Johnson and security researcher Frédéric Basse managed to come up with a chain-of-trust bypass for the Spotify Car Thing. The device itself is powered by an Amlogic S905D2 SoC, which introduces an attack vector in the form of USB burning mode, the low-level firmware-flashing mode the SoC's boot ROM exposes over USB. Amlogic-based devices are notoriously hackable using USB burning tools.
After prying open the outer shell of the device and accessing the pin-outs meant for debugging and repairs, the researchers were able to use USB burning mode-specific commands to obtain root access. Rooting a Spotify Car Thing doesn’t require you to do the same, though, since they’ve packaged everything into a series of scripts on GitHub. The only things required are a Spotify Car Thing, a USB cable, and a PC running Linux with the libusb-dev package installed.
Developing anything meaningful for the software would be hard, though, considering it only features 500MB of RAM. If you’re curious to see the researchers’ documentation for this Spotify Car Thing root project, be sure to check out the GitHub page. It’s highly technical, but there are plenty of photos to highlight how the researchers were able to achieve root on the device.
Ultimately, this just goes to show how little effort Spotify put into developing the Car Thing. The researchers alerted Spotify on October 20, 2022 that they had managed to hack the hardware device. Spotify responded the following day saying the product is “unsupported, and end-of-life, and therefore no bugs would be accepted pertaining to the product.”