The instruction manual mentioned a firmware upgrade which had an interesting way of connecting to the internet. So when the dongle is connected to a power source you can connect to it via Wifi and an IP address in your browser. Now in the dongle's web UI, there is a button to upgrade your firmware. But how does this work when the dongle is not connected to the internet at all?
Well, as I learned, the dongle simply uses the iPhone's mobile connection to send/receive data from the internet. I wasn't aware this is even possible, and there doesn't appear to be a way to stop this or be notified of an active connection (aside from the wifi connection, obviously).
Now my concern is: when the dongle is connected to the iPhone in the car, is there a way for the dongle to use the same mechanism and send Carplay data (messages, contacts, etc) to a remote server using the iPhone's mobile connection?
You can determine this by checking the WiFi network's properties after the connection is established. If there's no value in the "Router" field, that's how it works.
Once you load the firmware update page, JavaScript on the page instructs the browser to fetch the firmware payload from a server on the public Internet, then relays that data to the dongle's web server to execute the firmware update process.
As the other reply mentioned, this can be tricky, as CORS likes to prevent this kind of data transfer for security reasons, but the right configuration on the web server will make it work.
It's a fairly clever setup.
If you want a low-tech way of confirming this design, try running the firmware update with a device that doesn't have two network connections, like a laptop, instead of a cell phone. If it doesn't work from such a device, the scenario I described above is probably how it works.
This means that the CarPlay device has no "internet" (spoiler: it never had real internet access) unless you are on that page interacting with it.
I'm not sure how these devices work, I mean I know they broadcast themselves as a CarPlay head unit then "somehow" pass that to the car via a wired connection (pretending to be a phone connecting via USB). "somehow" being the important part. Does it hand along an encrypted stream that it can't decode or does it decode/re-encode?
Either way, I'd bet these devices are pretty safe to use. The phone sends a video feed, not raw "data", so the MitM (again, if that's how it works) would need to OCR the video to get anything useful, since the raw video would be too large to store and too heavy to transfer over cellular (via its own hidden radio, again, worst-case scenario).
If the device decodes the stream in the middle, then the worst case I can think of is it could be doing on-device OCR and using a cellular radio to exfiltrate the text, but I feel confident that you could spot the cellular radio (or someone who did a teardown would). Without the radio it has no way to get data off the device, which means the best it could do is sneak some out while you were on that update screen. Though I think that's all pretty far-fetched.
EDIT: I went looking for some way to act as a CarPlay receiver and get the raw video feed and it looks like it's possible [0], so yeah, a malicious device could proxy the connection, OCR the result, and send data via its own cellular connection, but that would be relatively easy to detect and not worth it unless you are the target of a nation state, at which point you have bigger problems.
[0] https://github.com/harrylepotter/carplay-receiver
It definitely does decode/re-encode audio streams, as music playback quality suffers quite a bit (both latency and quality).
If you do install an update, make sure you reopen its web portal and confirm the version number is different from what it was before. If it hasn't changed, you'll have to wait a while as it's still flushing bytes to its flash memory, and if you accidentally trigger an update again here, you'll be left with a brick (speaking from experience).
Depending on the device you bought, you might also be able to flash custom firmware on it: https://github.com/ludwig-v/wireless-carplay-dongle-reverse-...
I never could get the upgrade to work when connected to my phone. I did get it to work by connecting my PC to the dongle (which acts as a wifi access point). My PC then loaded the firmware in a desktop browser window, as I was connected to Ethernet and the dongle at the same time. I may have had to set up some routes manually.
They absolutely should not get Internet access through the phone. I really hope it doesn't work that way! I searched quite a bit but could not find a definitive answer.
Edit: I read the other replies and it makes sense. The browser on your phone can make a request over wifi and over cellular, so really the browser would do the fetching over the internet, not the device.
But is it happening? Who knows. Maybe it doesn't now, but a future firmware update will. Who knows. Given your wise threat model, I'd avoid buying stuff from AliExpress.
[0]: https://www.bleepingcomputer.com/news/security/audi-volkswag...
Despite assuredly rigid QC and security testing /s.
I guess if you have a wireless charging pad in your car, then that's a little bit more convenient. But the big inconvenience for me is just to have to take it out of my pocket in the first place, not to plug it into the car. (And my car does have wireless charging, but my phone rarely seems to sit on it stably enough for it to charge all that well.)
To get fully back on topic: sure, a wireless dongle could exfil data, but unclear what data is all that valuable. The car (and thus the dongle) just gets video and audio streams, not the actual textual content of your text messages, for example. Sure, it could try to OCR the video and/or do voice recognition on the audio, but those are fairly computationally expensive. And sending all that video to a remote server would be... a lot.
I generally don't have any issues with charging, so phone either stays at the same battery level, or charges a bit (depending on how long I drive).
The only downside is that phone heats up due to the usage of CarPlay as well as due to the wireless charging, which triggers heavy throttling of iOS, and I assume this is not ideal for the phone/battery as well.
For short trips. Like the two many of us do every single working day.
I guess I'm also just a low-key battery-life stresser. If I have the opportunity to plug in outside the home, with a charging cable readily in front of me, I'm gonna do it... just in case.
I dunno, I still don't get it. Wireless anything is always going to be significantly less reliable than wired, and I've heard enough stories of wireless CarPlay/AA flaking out (with dongles and built-in setups) to turn me off on it.
Wireless is incredibly convenient when you don't have a wire and a port nearby, but that will essentially never be that case while you're in the car.
One other concern I’d have with wired charging in the car long-term is wear and tear on the USB port and the cable over time (also considering the cable is likely being left in a sometimes very hot car).
And if the cable dies, they're simple and cheap to replace.
In addition to your argument, wireless CarPlay is also notoriously unreliable.[1]
[1]: https://www.google.com/search?q=wireless+carplay+not+working...
I'd use it a little differently, but it's my wife's car, not mine. Who would have thought a 2022 Mercedes would have wired-only CarPlay?
Anyway, I find it excellent for podcast control. If maps are off (in my case, because location services are turned off) it doesn't really use more power than plain Bluetooth audio, and when I approach my destination on a trip I'll turn on location and plug it in to juice up the last bit.
This is nothing new. Some websites split the content between HTML, JavaScript and API access. To limit the requests coming from websites there is CORS, an allowlist for the API. But this requires that a webpage is open to the dongle and you don't run into CORS problems.
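To make the "browser as relay" flow concrete (the firmware-update description in the earlier reply, and the CORS remark just above), here is an added example that is not code from the thread or from any dongle vendor. It models, in plain JavaScript, what the dongle's update page would do: fetch the firmware image from a vendor server on the Internet, then POST the bytes to the dongle's own web server, which is the page's origin. The vendor hostname, dongle address and `/upgrade` path are hypothetical, the firmware bytes are constructed, and the "browser" and both "servers" are small in-memory stand-ins so it runs offline. The only thing the model enforces is the CORS gate: a cross-origin response without a matching `Access-Control-Allow-Origin` header is rejected before the script can read the body, which is exactly why the vendor server's configuration decides whether the relay works.

```javascript
// Added example (not from the thread): the browser relays a firmware image
// from an Internet server to the dongle's same-origin web server.
// All hostnames, paths and payload bytes below are hypothetical/constructed.

const DONGLE_ORIGIN = "http://192.168.50.1";                            // assumed dongle AP address
const VENDOR_FIRMWARE_URL = "https://fw.vendor.example/dongle/v1.2.bin"; // hypothetical vendor URL

// Constructed sample payload standing in for a firmware image (not a real image).
const SAMPLE_FIRMWARE = new Uint8Array([0x7f, 0x45, 0x4c, 0x46, 1, 2, 3, 4]);

// Minimal model of a browser's fetch() with the CORS check for cross-origin
// responses: unless the response carries Access-Control-Allow-Origin equal to
// the page origin or "*", the promise rejects and the script never sees the body.
// Same-origin requests (here: the dongle itself) are not subject to the check.
function makeBrowserFetch(pageOrigin, servers) {
  return async function browserFetch(url, init = {}) {
    const u = new URL(url);
    const server = servers[u.origin];
    if (!server) throw new TypeError(`Failed to fetch: no route to ${u.origin}`);
    const response = await server(u, init);
    if (u.origin !== pageOrigin) {
      const allow = response.headers["access-control-allow-origin"];
      if (allow !== "*" && allow !== pageOrigin) {
        throw new TypeError("Failed to fetch: blocked by CORS policy");
      }
    }
    return response;
  };
}

// The relay the update page performs: download over the phone's Internet
// connection, then upload to the dongle over the wifi connection.
async function relayFirmwareUpdate(fetchImpl, firmwareUrl, dongleOrigin) {
  const fwResponse = await fetchImpl(firmwareUrl);
  const firmware = new Uint8Array(await fwResponse.arrayBuffer());
  const upload = await fetchImpl(`${dongleOrigin}/upgrade`, {
    method: "POST",
    headers: { "content-type": "application/octet-stream" },
    body: firmware,
  });
  return { status: upload.status, bytesSent: firmware.length };
}

// Simulated vendor server; allowOrigin is the CORS knob discussed in the thread.
function makeVendorServer(allowOrigin) {
  return async () => ({
    status: 200,
    headers: allowOrigin ? { "access-control-allow-origin": allowOrigin } : {},
    arrayBuffer: async () => SAMPLE_FIRMWARE.buffer.slice(0),
  });
}

// Simulated dongle web server; records whatever is POSTed to /upgrade.
function makeDongleServer(state) {
  return async (u, init) => {
    const empty = async () => new ArrayBuffer(0);
    if (u.pathname === "/upgrade" && init.method === "POST") {
      state.received = new Uint8Array(init.body);
      return { status: 200, headers: {}, arrayBuffer: empty };
    }
    return { status: 404, headers: {}, arrayBuffer: empty };
  };
}

// Runs one update attempt with the vendor server configured to send the given
// Access-Control-Allow-Origin value (null = header absent). Returns a summary.
async function runScenario(corsAllowOrigin) {
  const dongle = { received: null };
  const fetchImpl = makeBrowserFetch(DONGLE_ORIGIN, {
    [new URL(VENDOR_FIRMWARE_URL).origin]: makeVendorServer(corsAllowOrigin),
    [DONGLE_ORIGIN]: makeDongleServer(dongle),
  });
  const got = () => (dongle.received ? dongle.received.length : 0);
  try {
    const result = await relayFirmwareUpdate(fetchImpl, VENDOR_FIRMWARE_URL, DONGLE_ORIGIN);
    return { ok: true, ...result, dongleGotBytes: got() };
  } catch (err) {
    return { ok: false, error: err.message, dongleGotBytes: got() };
  }
}
```

Two things worth noticing when reading this against the thread. First, the dongle never talks to the Internet: only the browser does, and only while the page is open, which matches the observation that the device has no connectivity of its own. Second, the relay succeeds only when the vendor server answers with `Access-Control-Allow-Origin: *` (or the dongle's exact origin); drop the header and the page cannot read the image at all, which is the CORS problem the last reply refers to. A real device could of course also accept uploads from a PC that can reach both networks at once, as another reply found.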