Hacking a car – or rather, its infotainment system


Privacy

Our ‘computers on wheels’ are more connected than ever, but the features that enhance our convenience often come with privacy risks in tow

A presentation that includes in its title ‘Compromise of Modern Vehicles” may set the expectation that you are about to see a dramatic demonstration of a hacked car suddenly stopping or swerving under the control of a bad actor. Read the abstract to learn that “only” the car’s infotainment system, rather than its critical driving systems, has vulnerabilities and you nearly feel disappointed. Despite this anticlimactic twist, however, the research by PCAutomotive, presented by Danila Parnishchev and Artem Ivachev at Black Hat Europe 2024, is important.

The two security researchers detailed how malicious actors could exploit various flaws in infotainment units to control the vehicle’s microphone, record the occupants and play back the recording over the same system, exfiltrate personal data, track the car and speed via the built-in GPS, and steal the contact list that had been uploaded through a connected device.

Yet, for some reason it feels less invasive than, say, an attack on a smartphone that allows the attacker to track the device, control its microphone and exfiltrate data and contacts. The expectation of being able to hack a car provides a visual image of catastrophe, a danger to the lives of those in the car and others, so when the issue turns out to involve “only” privacy and personal data, it feels like a relief. However, this is not to say that the potential privacy implications should be underestimated.

The mechanics of a hack

When you first connect a smartphone to a car’s infotainment system, you typically have the option to upload and sync the contacts directly to the car’s system. This enables seamless access to the contacts on the screen and lets you make calls as needed. The researchers discovered that by uploading a modified contact list they could exploit a vulnerability in the system and remotely issue commands (remote code execution – RCE).

Once in the system, and as mentioned above, they can control some elements of the infotainment system and exfiltrate the data. The vulnerabilities described by the team at the conference impacted 1.4 million vehicles, but importantly all 21 vulnerabilities have been resolved with updated software through the manufacturers concerned.

That said, the privacy concerns highlighted are significant, as is the opportunity for abuse. Imagine a controlling partner tracking their significant other and accessing their contact and other data – all through the car’s infotainment system and without the victim’s knowledge or consent. There’s also the equally troubling espionage angle, I am sure you can visualize how this type of hack could be exploited for surveillance and intelligence gathering on a large scale.

Approaching evolution with caution

The title of the presentation, and other similar presentations, may unintentionally mislead the mind and even cause distrust of what we should be embracing. The automotive industry is transforming, and such portrayals of risk may even undermine public confidence in these innovations.

For example, I recently had the experience of riding in a Waymo driverless taxi in Phoenix. Requested through an app, the car pulls up, you jump in, and once comfortable press the button to begin the journey: I went from a hotel to the airport. I did the mandatory thing and took a short video to share with friends and family – look there was no driver. The common response was “never, not for me, did you feel safe?”.

I am sure a psychologist can explain these feelings in detail; for me, though, it’s about trusting a regulatory process, risk assessment and the talented engineers who developed it. Waymo’s cars are not haphazard prototypes; they’ve been tested, vetted by regulators and safety advocates, while insurers have decided that the risk is acceptable – no small feat.

When asked about the presentations I attended at Black Hat Europe this year, I will not say that “someone demonstrated how to hack a vehicle”. I will be more accurate and explain that “someone demonstrated how to compromise a vehicle’s infotainment system”.

This distinction is important. We must not instill a fear of technology but rather embrace its evolution. The flaws and subsequent fixes are part of the evolution, and we need to approach change with a sense of openness but also, I admit, some caution.

Recent Articles

Related Stories

Leave A Reply

Please enter your comment!
Please enter your name here