Presentation
Investigating Security Breaches in Vehicle Infotainment Systems
Description
In-vehicle infotainment systems provide a convenient and safe interface for accessing a host of useful features while driving and form an integral part of the internet-of-vehicles (IoV) ecosystem. Previous research has highlighted vulnerabilities of various components within an IoV network to cyber-attacks, particularly in automotive sensor communication channels and Electronic Control Units (ECUs), where breaches enable attackers to gain operational control over vehicles. However, beyond these communication and control interfaces, vulnerabilities in other components of an IoV network, especially in vehicle infotainment systems and web services, remain largely unexplored despite their potential to cause similarly serious consequences. In this work, we design and implement an evaluation framework to uncover security vulnerabilities in in-vehicle infotainment systems and web services, emphasizing that inadequate protection of these systems allows widespread escalation from an isolated vehicle attack to all connected vehicles within the IoV network. Our analysis of representative infotainment systems from several major car manufacturers, including Mercedes and VW, reveals several new vulnerabilities with significant ramifications, such as enabling an attacker to gain back-end control of all connected vehicles in a web service, access to vehicle peripherals (locks, cameras), and private information about anyone registered on the IoV network. We found that 7 of manufacturers are vulnerable, affecting approximately 7 million consumers worldwide. We have responsibly disclosed the vulnerabilities to all parties and requested 6 CVEs, all of which have been assigned.
Event Type
Networking
Work-in-Progress Poster
Time
Sunday, June 22, 6:00pm - 7:00pm PDT
Location
Level 3 Lobby