Zingbox identifies cybersecurity threat for cars and drivers; reveals SMS-commanded malware infection to car ‘infotainment’ system

Zingbox, Internet of Things (IoT) device management and security provider, announced this week new research that shows how a car’s driver can be subject to cybersecurity attacks through the car’s “infotainment” system, the embedded operating system powering the iPad-looking display on modern cars.

Daniel Regalado, Zingbox principal security researcher, described how he and his colleagues infected a car’s infotainment system with malware, making it possible to exfiltrate the driver’s personal information via SMS messages, at the DefCon 26 Car Hacking Village. These research findings could have important implications for rental car drivers and the $28 billion U.S. rental car market, according to Regalado.

An auto infotainment system depends on the Internet of Things (IoT) to operate. The fact that an infotainment system can be infected is important learning for the industry, suggesting the need for stepped-up IoT cybersecurity solutions similar to what is already available for IoT devices in healthcare, financial services and manufacturing. This would protect drivers, especially the millions of car renters around the world.

Previous car hacking efforts focused on the car’s functionality – brakes, steering and door locking mechanisms. The idea that a car could be infected with ransomware or other viruses was hypothetical until now. Zingbox researcher Regalado, co-author of Gray Hat Hacking, and independent researchers Gerardo Iglesias and Ken Hsu broke into a car’s infotainment system and reverse-engineered its main components with one goal in mind: to determine if a car’s operating system could be infected with malware and prove that this Trojan could be controlled remotely through SMS messages. In this way, a driver’s personal data and safety could be compromised using the driver’s own cell phone.

“In order to provide real-time security to all IoT devices, Daniel Regalado and others on Zingbox’s research team continuously push the boundaries of IoT vulnerability research,” said Xu Zou, Zingbox CEO and co-founder. “We’re glad to share our latest findings with the broader security community and raise the awareness of the impact of IoT device vulnerabilities.”

A car’s infotainment system powers GPS navigation and music selection, makes and receives phone calls, reads SMS messages, and can manage firmware updates. A maliciously crafted USB device plugged into a vehicle can infect the infotainment system, something that could be done by a driver via social engineering tricks, such as a USB loaded with free music that entices a driver to plug in the infected USB drive.

Once paired with the driver’s phone, malware in the infotainment system leverages the phone’s SMS message service to access personal information such as contact lists. It can also intercept banking authentication pins, or even block incoming or outgoing calls.

The same SMS service could then be used to take control of the infotainment system remotely and create distractions for the driver or put the system into an unusable state that requires repair from the manufacturer.

“The fact that we can infect a car’s infotainment system and expose private data sheds light on an important vulnerability for manufacturers going forward,” said Regalado. He has also recently hacked a telepresence robot, an IV pump and other medical devices.


IoT Innovator Newsletter

Get the latest updates and industry news in your inbox! Enter your email address and name below to be the first to know.