DOI: 10.1145/3577923.3583650
research-article

Infotainment System Matters: Understanding the Impact and Implications of In-Vehicle Infotainment System Hacking with Automotive Grade Linux

Published: 24 April 2023

Abstract

An in-vehicle infotainment (IVI) system is connected to heterogeneous networks such as Controller Area Network bus, Bluetooth, Wi-Fi, cellular, and other vehicle-to-everything communications. An IVI system has control of a connected vehicle and deals with privacy-sensitive information like current geolocation and destination, phonebook, SMS, and driver's voice. Several offensive studies have been conducted on IVI systems of commercialized vehicles to show the feasibility of car hacking. However, to date, there has been no comprehensive analysis of the impact and implications of IVI system exploitations. To understand security and privacy concerns, we provide our experience hosting an IVI system hacking competition, Cyber Security Challenge 2021 (CSC2021). We use a feature-flavored infotainment operating system, Automotive Grade Linux (AGL). The participants gathered and submitted 33 reproducible and verified proofs-of-concept exploit codes targeting 11 components of the AGL-based IVI testbed. The participants exploited four vulnerabilities to steal various data, manipulate the IVI system, and cause a denial of service. The data leakage includes privacy, personally identifiable information, and cabin voice. The participants proved lateral movement to electronic control units and smartphones. We conclude with lessons learned with three mitigation strategies to enhance the security of the IVI system.

        Published In

        CODASPY '23: Proceedings of the Thirteenth ACM Conference on Data and Application Security and Privacy
        April 2023
        304 pages
        ISBN: 9798400700675
        DOI: 10.1145/3577923
        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Author Tags

        1. automotive grade linux
        2. car hacking
        3. cybersecurity competition
        4. exploit
        5. privacy leakage
        6. vulnerability

        Qualifiers

        • Research-article

        Funding Sources

        • Information & Communications Technology Planning & Evaluation (IITP)

        Conference

        CODASPY '23
        Acceptance Rates

        Overall Acceptance Rate 149 of 789 submissions, 19%

        Article Metrics

        • Downloads (Last 12 months): 249
        • Downloads (Last 6 weeks): 31
        Reflects downloads up to 27 Feb 2025

        Cited By

        • (2024) Socio-technical Automotive Security Design Patterns: Applying a Stakeholder-Based Approach to Securing Self-Driving Vehicles. Proceedings of the ACM/IEEE 27th International Conference on Model Driven Engineering Languages and Systems, 735-744. DOI: 10.1145/3652620.3687817. Online publication date: 22-Sep-2024
        • (2023) A Hybrid-Cryptography Engine for Securing Intra-Vehicle Communications. Applied Sciences 13:24 (13024). DOI: 10.3390/app132413024. Online publication date: 6-Dec-2023
        • (2023) Simulation of Message Injection Attacks on Control Area Networks. 2023 IEEE 3rd Mysore Sub Section International Conference (MysuruCon), 1-6. DOI: 10.1109/MysuruCon59703.2023.10396861. Online publication date: 1-Dec-2023
        • (2023) Advanced Android Based In-Vehicle Infotainment (IVI) Software Testing. 2023 3rd Asian Conference on Innovation in Technology (ASIANCON), 1-9. DOI: 10.1109/ASIANCON58793.2023.10270081. Online publication date: 25-Aug-2023
