Something that might be useful to know with these devices is that they're quite liable to bricking during updates.
If you do install an update, make sure you reopen its web portal and confirm the version number is different to what it was before. If it hasn't changed from before, you'll have to wait a while as it's still flushing bytes to its flash memory, and if you accidentally trigger an update again here, you'll be left with a brick (speaking from experience).
Depending on the device you bought, you might also be able to flash custom firmware on it: https://github.com/ludwig-v/wireless-carplay-dongle-reverse-...
CarPlay sends an H264/5 video stream from the iPhone to the car's head unit, and receives touchscreen, knob, etc. input in the other direction (afaik). I'm not sure if the video is encrypted, but it seems rather unlikely that the dongle could exfiltrate such an amount of data undetected.
I wondered about this exact scenario with my Android auto dongle.
I never could get the upgrade to work when connected to my phone. I did get it to work connecting my PC to the dongle (which acts as a wifi access point). My PC then loaded the firmware in a desktop browser window as I was connected to Ethernet and the dongle at the same time. I may have had to set up some routes manually.
They absolutely should not get Internet access through the phone. I really hope it doesn't work that way! I searched quite a bit but could not find a definitive answer.
Edit: I read the other replies and it makes sense. The browser on your phone can make a request over wifi and over cellular, so really the browser would do the fetching over the internet, not the device.
I can think of several ways to exfiltrate data, even with the limited information you provided, so, yes.
But is it happening? Who knows. Maybe it doesn't now, but a future firmware update will. Who knows. Given your wise threat model, I'd avoid buying stuff from AliExpress.
I kinda just don't get wireless CarPlay/Android Auto at all. If I'm going to connect my phone to my car wirelessly for that, it's gonna drain the battery. So I'm going to plug it in so it can charge. So... now it's wired, so why do I need wireless?
I guess if you have a wireless charging pad in your car, then that's a little bit more convenient. But the big inconvenience for me is just to have to take it out of my pocket in the first place, not to plug it into the car. (And my car does have wireless charging, but my phone rarely seems to sit on it stably enough for it to charge all that well.)
To get fully back on topic: sure, a wireless dongle could exfil data, but unclear what data is all that valuable. The car (and thus the dongle) just gets video and audio streams, not the actual textual content of your text messages, for example. Sure, it could try to OCR the video and/or do voice recognition on the audio, but those are fairly computationally expensive. And sending all that video to a remote server would be... a lot.
Can someone recommend a dongle that actually works? I’ve tried a few and they are highly unreliable or stop working after a few months.
If the dongle has enough space to store the data until the upload: yes.
This is nothing new. Some websites split the content between HTML, JavaScript and API access. To limit the requests coming from websites there is CORS, an allowlist of the API. But this requires that a webpage is open to the dongle and you don't run into CORS problems.
If the dongle acts as a wifi AP with a DHCP server, it could give the iPhone an IP address but no gateway upon connection. This will cause the iPhone to talk directly to the dongle via the WiFi interface, but talk to the rest of the internet via the cellular connection.
You can determine this by checking the WiFi network's properties after the connection is established. If there's no value in the "Router" field, that's how it works.
Once you load the firmware update page, JavaScript on the page instructs the browser to fetch the firmware payload from a server on the public Internet, then relays that data to the dongle's web server to execute the firmware update process.
As the other reply mentioned, this can be tricky, as CORS likes to prevent this kind of data transfer for security reasons, but the right configuration on the web server will make it work.
It's a fairly clever setup.
If you want a low-tech way of confirming this design, try running the firmware update with a device that doesn't have two network connections, like a laptop, instead of a cell phone. If it doesn't work from such a device, the scenario I described above is probably how it works.
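The "no Router field" check described in the comment above can also be made on a captured DHCP ACK from the dongle's access point. This is an added example, not part of the thread and not any vendor's code: it parses the DHCP options and reports whether option 3 (router) is present. The sample packets and addresses are constructed, and treating a 0.0.0.0 router as "no gateway" is an assumption of this sketch.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of DHCP options (RFC 2131)
OPT_PAD, OPT_ROUTER, OPT_END = 0, 3, 255

def parse_options(payload: bytes) -> dict:
    """Return {option code: raw value} from a DHCP message (the UDP payload)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        code = payload[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = options.get(code, b"") + value  # split options concatenate
        i += 2 + length
    return options

def lease_summary(payload: bytes) -> dict:
    """Report the offered address and whether the lease carries a usable gateway."""
    raw = parse_options(payload).get(OPT_ROUTER, b"")
    routers = [socket.inet_ntoa(raw[j:j + 4]) for j in range(0, len(raw) - 3, 4)]
    routers = [r for r in routers if r != "0.0.0.0"]  # assumption: not a usable next hop
    return {"address": socket.inet_ntoa(payload[16:20]),  # yiaddr field
            "routers": routers, "has_gateway": bool(routers)}

def build_ack(address: str, options: bytes) -> bytes:
    """Constructed sample: minimal BOOTP header plus DHCPACK options, not a real capture."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                         bytes(4), socket.inet_aton(address), bytes(4), bytes(4),
                         bytes(16), bytes(64), bytes(128))
    return header + MAGIC_COOKIE + b"\x35\x01\x05" + options + b"\xff"

MASK = b"\x01\x04\xff\xff\xff\x00"  # option 1, subnet mask 255.255.255.0
# Constructed leases; the addresses are made-up examples.
DONGLE_STYLE = build_ack("192.168.50.20", MASK)
NORMAL_AP = build_ack("192.168.1.20", MASK + b"\x03\x04" + socket.inet_aton("192.168.1.1"))

if __name__ == "__main__":
    for name, pkt in (("dongle-style", DONGLE_STYLE), ("normal AP", NORMAL_AP)):
        print(name, lease_summary(pkt))
```

A lease with `has_gateway` false matches the design described above: the client keeps its other uplink as the default route and reaches only the dongle over Wi-Fi.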