In our previous Kenwood DNR1007XR blog, we detailed the internals of the Kenwood in-vehicle infotainment (IVI) head unit and provided annotated pictures of the main PCB. In this post, we aim to outline the attack surface of the DNR1007XR in the hopes of providing inspiration for vulnerability research.
We will cover the main supported technologies that present potential attack surfaces, such as USB, Bluetooth, Android Auto, Apple CarPlay, Kenwood apps, and more.
All information has been obtained through reverse engineering, experimenting, and combing through the following resources:
· DNR1007XR product page
· DNR1007XR instruction manual
· DNR1007XR quick start guide
· Kenwood Portal app
· Kenwood Remote S app
USB
The DNR1007XR is equipped with a single USB-A port that operates at USB 2.0 speeds, providing the necessary interface for wired Android Auto and Apple CarPlay.
The USB port also supports playback of audio files from a USB flash drive. The supported audio filetypes and their associated extensions are:
· MP3 (.mp3)
· WMA (.wma)
· AAC-LC (.m4a)
· WAV (.wav)
· FLAC (.flac, .fla)
· Vorbis (.ogg)
· DSD (.dsf, .dff)
As well as audio, a USB flash drive can also be used to play back video files. The supported video filetypes and their associated extensions are:
· MPEG-1 (.mpg, .mpeg)
· MPEG-2 (.mpg, .mpeg)
· H.264 / MPEG-4 (.mp4, .m4v, .avi, .flv, .f4v)
· WMV (.wmv)
· MKV (.mkv)
Robustly parsing and decoding these file formats is notoriously complicated and error-prone, which makes for a potentially rewarding attack surface.
USB flash drives must be formatted as either FAT16, FAT32, exFAT, or NTFS for the head unit to be able to read them.
SD Card
A full-sized SD card slot is tucked away behind the screen and is used for audio/video playback as well as updating map data. As previously mentioned, a large attack surface is exposed when parsing audio and video files. Map updates are likely a good research target, too.
SD cards must be formatted as either FAT16, FAT32, exFAT, or NTFS for the head unit to be able to read them.
Bluetooth
Bluetooth version 5 is supported by the head unit and is used for making and receiving phone calls, as well as playing audio from a paired mobile phone. The following Bluetooth profiles are officially documented in the user manual:
· Hands Free Profile v1.7
· Serial Port Profile
· Phonebook Access Profile
· Audio/Video Remote Control Profile (AVRCP) v1.6
· Advanced Audio Distribution Profile (A2DP)
o Supporting codecs: SBC, AAC, or LDAC
Android Auto, Apple CarPlay, and the Kenwood apps also utilise Bluetooth in varying capacities.
Interrogating the unit shows a few more Bluetooth services that are not documented; these could be a great area to research. Judging by the service names, they may all be related to Kenwood apps.
Service RecHandle: 0x10003
Service Class ID List:
UUID 128: 00001101-0000-1000-8000-00805f9b34fb
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 2
Service Name: App1
Service RecHandle: 0x10004
Service Class ID List:
UUID 128: 00000000-deca-fade-deca-deafdecacaff
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 3
Service Name: App2
Service RecHandle: 0x10005
Service Class ID List:
UUID 128: 4de17a00-52cb-11e6-bdf4-0800200c9a66
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 4
Service Name: App3
Service RecHandle: 0x10006
Service Class ID List:
UUID 128: 4de17a00-52cb-11e6-bdf4-0800200c9a66
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 5
Service Name: App4
Service RecHandle: 0x10007
Service Class ID List:
UUID 128: 4de17a00-52cb-11e6-bdf4-0800200c9a66
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 6
Service Name: App5
Service RecHandle: 0x10008
Service Class ID List:
UUID 128: 4de17a00-52cb-11e6-bdf4-0800200c9a66
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 7Wi-Fi
The head unit provides a WiFi access point that is primarily used for wireless Android Auto and Apple CarPlay. There is no intention for the end user to directly connect to this network and there is no officially documented way of acquiring the password. However, internal research has discovered multiple methods to obtain the password.
Once connected to the access point, the following ports are open:
· TCP: 7000, 8086, 8888, 5355, 22
· UDP: 67, 5353, 5355, 34613, 50842
TCP 22 is an SSH server and can be logged into. As per the competition rules, "If the entry leverages hardcoded credentials and/or exposed encryption keys, the entry must leverage an additional vulnerability to gain code execution to be in scope."
TCP 7000, 8086, and 8888 are all running non-standard services and are likely great places to research further.
Android Auto and Apple CarPlay
Both wired and wireless Android Auto and Apple CarPlay are supported without the need for a 3rd party app to be installed on the paired mobile phone. When using the wireless versions, the paired phone connects to the aforementioned secured WiFi network to establish a high-bandwidth channel for data to be sent and received.
When connecting using a USB cable, the WiFi network isn't used by Android Auto or Apple CarPlay, but it is still active.
Kenwood
Kenwood offers 2 Android/iOS apps to interface with the DNR1007XR. The first app is the Kenwood Portal App, which allows users to transfer photos from a mobile phone to the head unit over Bluetooth. The transferred photos can then be viewed as a slideshow on the head unit or be used as the wallpaper.
This presents an interesting attack surface, especially if the DNR1007XR itself performs any complex image handling tasks on the received images, such as resizing or converting between different image formats. The user-supplied images also need to be persisted to the head unit's filesystem, further expanding the attack surface.
The second app is the Kenwood Remote S app, which connects to the head unit over Bluetooth and allows for multimedia control such as selecting a radio station, skipping a track, and more. The Bluetooth Audio/Video Remote Control Profile (AVRCP) is designed for this exact task; however, no research was performed to confirm if the Remote S app takes advantage of AVRCP.
There are a few other Kenwood apps available, but they are not listed as supported on the DNR1007XR product page and therefore have not been explored.
Open Source Software
A list of open source licences can be viewed from the head unit by navigating to Settings -> System -> Open Source Licenses. There's no guarantee these open source projects are actually used by the unit.
Summary
We hope that this blog post has provided enough information about the DNR1007XR threat landscape to guide vulnerability research. Not every attack surface has been mentioned, and we encourage researchers to investigate further.
We are looking forward to Automotive Pwn2Own again in Tokyo in January 2026 at Automotive World, and we will see if IVI vendors have improved their product security. Don’t wait until the last minute to ask questions and register! We hope to see you there.
You can find me on Twitter @ByteInsight, and follow the team on Twitter, Mastodon, LinkedIn, or Bluesky for the latest in exploit techniques and security patches.
