Abstract

This paper presents a security threat that can be induced by exploiting the vulnerabilities of In-Vehicle Infotainment (IVI) systems installed in connected vehicles. Recent IVI systems provide a remote control service that enables control from outside the car through an Internet connection. These systems also provide an in-vehicle Internet service that connects to the outside world. If IVI systems are inadequately implemented, they become attack targets, and an attacker may induce abnormal remote control of the car. In this paper, we analyze the security threat to IVI systems that may be a remote attack target in connected vehicles. We focus on (a) the remote control service that controls the car from the outside and (b) the in-vehicle network service that connects from inside the car to the outside. Regarding (a), we analyze the attack possibilities to verify whether previous countermeasures in the IVI system are sufficient to protect against attacks. Analysis results show that an attacker can remotely perform abnormal body control, such as unlocking a door, by bypassing previous countermeasures embedded in the remote control service. Regarding (b), we analyze the in-vehicle network service from the aspect of a Denial of Service (DoS) attack, which has not been previously reported. Analysis results show that an attacker can prevent users from connecting to the Internet in the car by exploiting the improper implementation of the in-vehicle Wi-Fi service, an attack that has not been previously considered. Furthermore, as an advanced attack technique, (c) we analyze the IVI module itself and gain a root password through development interfaces to compromise the IVI module. We believe that this paper will contribute to the construction of improved secure designs and implementations in IVI systems.
