Infotainment System Matters: Understanding the Impact and Implications of In-Vehicle Infotainment System Hacking with Automotive Grade Linux

Seonghoon Jeong; Minsoo Ryu; Hyunjae Kang; Huy Kang Kim

doi:10.1145/3577923.3583650

Infotainment System Matters: Understanding the Impact and Implications of In-Vehicle Infotainment System Hacking with Automotive Grade Linux

Seonghoon Jeong, Minsoo Ryu, Hyunjae Kang, Huy Kang Kim

School of Cybersecurity

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

12 Citations (Scopus)

Abstract

An in-vehicle infotainment (IVI) system is connected to heterogeneous networks such as Controller Area Network bus, Bluetooth, Wi-Fi, cellular, and other vehicle-to-everything communications. An IVI system has control of a connected vehicle and deals with privacy-sensitive information like current geolocation and destination, phonebook, SMS, and driver's voice. Several offensive studies have been conducted on IVI systems of commercialized vehicles to show the feasibility of car hacking. However, to date, there has been no comprehensive analysis of the impact and implications of IVI system exploitations. To understand security and privacy concerns, we provide our experience hosting an IVI system hacking competition, Cyber Security Challenge 2021 (CSC2021). We use a feature-flavored infotainment operating system, Automotive Grade Linux (AGL). The participants gathered and submitted 33 reproducible and verified proofs-of-concept exploit codes targeting 11 components of the AGL-based IVI testbed. The participants exploited four vulnerabilities to steal various data, manipulate the IVI system, and cause a denial of service. The data leakage includes privacy, personally identifiable information, and cabin voice. The participants proved lateral movement to electronic control units and smartphones. We conclude with lessons learned with three mitigation strategies to enhance the security of the IVI system.

Original language	English
Title of host publication	CODASPY 2023 - Proceedings of the 13th ACM Conference on Data and Application Security and Privacy
Publisher	Association for Computing Machinery, Inc
Pages	201-212
Number of pages	12
ISBN (Electronic)	9798400700675
DOIs	https://doi.org/10.1145/3577923.3583650
Publication status	Published - 2023 Apr 24
Event	13th ACM Conference on Data and Application Security and Privacy, CODASPY 2023 - Charlotte, United States Duration: 2023 Apr 24 → 2023 Apr 26

Publication series

Name	CODASPY 2023 - Proceedings of the 13th ACM Conference on Data and Application Security and Privacy

Conference

Conference	13th ACM Conference on Data and Application Security and Privacy, CODASPY 2023
Country/Territory	United States
City	Charlotte
Period	23/4/24 → 23/4/26

Bibliographical note

Publisher Copyright:
© 2023 ACM.

Keywords

automotive grade linux
car hacking
cybersecurity competition
exploit
privacy leakage
vulnerability

ASJC Scopus subject areas

Computer Science Applications
Software
Information Systems
Computer Networks and Communications

Access to Document

10.1145/3577923.3583650

Cite this

Jeong, S., Ryu, M., Kang, H., & Kim, H. K. (2023). Infotainment System Matters: Understanding the Impact and Implications of In-Vehicle Infotainment System Hacking with Automotive Grade Linux. In CODASPY 2023 - Proceedings of the 13th ACM Conference on Data and Application Security and Privacy (pp. 201-212). (CODASPY 2023 - Proceedings of the 13th ACM Conference on Data and Application Security and Privacy). Association for Computing Machinery, Inc. https://doi.org/10.1145/3577923.3583650

Infotainment System Matters: Understanding the Impact and Implications of In-Vehicle Infotainment System Hacking with Automotive Grade Linux. / Jeong, Seonghoon; Ryu, Minsoo; Kang, Hyunjae et al.
CODASPY 2023 - Proceedings of the 13th ACM Conference on Data and Application Security and Privacy. Association for Computing Machinery, Inc, 2023. p. 201-212 (CODASPY 2023 - Proceedings of the 13th ACM Conference on Data and Application Security and Privacy).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Jeong, S, Ryu, M, Kang, H & Kim, HK 2023, Infotainment System Matters: Understanding the Impact and Implications of In-Vehicle Infotainment System Hacking with Automotive Grade Linux. in CODASPY 2023 - Proceedings of the 13th ACM Conference on Data and Application Security and Privacy. CODASPY 2023 - Proceedings of the 13th ACM Conference on Data and Application Security and Privacy, Association for Computing Machinery, Inc, pp. 201-212, 13th ACM Conference on Data and Application Security and Privacy, CODASPY 2023, Charlotte, United States, 23/4/24. https://doi.org/10.1145/3577923.3583650

Jeong S, Ryu M, Kang H, Kim HK. Infotainment System Matters: Understanding the Impact and Implications of In-Vehicle Infotainment System Hacking with Automotive Grade Linux. In CODASPY 2023 - Proceedings of the 13th ACM Conference on Data and Application Security and Privacy. Association for Computing Machinery, Inc. 2023. p. 201-212. (CODASPY 2023 - Proceedings of the 13th ACM Conference on Data and Application Security and Privacy). doi: 10.1145/3577923.3583650

Jeong, Seonghoon ; Ryu, Minsoo ; Kang, Hyunjae et al. / Infotainment System Matters : Understanding the Impact and Implications of In-Vehicle Infotainment System Hacking with Automotive Grade Linux. CODASPY 2023 - Proceedings of the 13th ACM Conference on Data and Application Security and Privacy. Association for Computing Machinery, Inc, 2023. pp. 201-212 (CODASPY 2023 - Proceedings of the 13th ACM Conference on Data and Application Security and Privacy).

@inproceedings{167c971f407149c3afa8a1b42b115c9b,

title = "Infotainment System Matters: Understanding the Impact and Implications of In-Vehicle Infotainment System Hacking with Automotive Grade Linux",

abstract = "An in-vehicle infotainment (IVI) system is connected to heterogeneous networks such as Controller Area Network bus, Bluetooth, Wi-Fi, cellular, and other vehicle-to-everything communications. An IVI system has control of a connected vehicle and deals with privacy-sensitive information like current geolocation and destination, phonebook, SMS, and driver's voice. Several offensive studies have been conducted on IVI systems of commercialized vehicles to show the feasibility of car hacking. However, to date, there has been no comprehensive analysis of the impact and implications of IVI system exploitations. To understand security and privacy concerns, we provide our experience hosting an IVI system hacking competition, Cyber Security Challenge 2021 (CSC2021). We use a feature-flavored infotainment operating system, Automotive Grade Linux (AGL). The participants gathered and submitted 33 reproducible and verified proofs-of-concept exploit codes targeting 11 components of the AGL-based IVI testbed. The participants exploited four vulnerabilities to steal various data, manipulate the IVI system, and cause a denial of service. The data leakage includes privacy, personally identifiable information, and cabin voice. The participants proved lateral movement to electronic control units and smartphones. We conclude with lessons learned with three mitigation strategies to enhance the security of the IVI system.",

keywords = "automotive grade linux, car hacking, cybersecurity competition, exploit, privacy leakage, vulnerability",

author = "Seonghoon Jeong and Minsoo Ryu and Hyunjae Kang and Kim, \{Huy Kang\}",

note = "Publisher Copyright: {\textcopyright} 2023 ACM.; 13th ACM Conference on Data and Application Security and Privacy, CODASPY 2023 ; Conference date: 24-04-2023 Through 26-04-2023",

year = "2023",

month = apr,

day = "24",

doi = "10.1145/3577923.3583650",

language = "English",

series = "CODASPY 2023 - Proceedings of the 13th ACM Conference on Data and Application Security and Privacy",

publisher = "Association for Computing Machinery, Inc",

pages = "201--212",

booktitle = "CODASPY 2023 - Proceedings of the 13th ACM Conference on Data and Application Security and Privacy",

}

TY - GEN

T1 - Infotainment System Matters

T2 - 13th ACM Conference on Data and Application Security and Privacy, CODASPY 2023

AU - Jeong, Seonghoon

AU - Ryu, Minsoo

AU - Kang, Hyunjae

AU - Kim, Huy Kang

PY - 2023/4/24

Y1 - 2023/4/24

N2 - An in-vehicle infotainment (IVI) system is connected to heterogeneous networks such as Controller Area Network bus, Bluetooth, Wi-Fi, cellular, and other vehicle-to-everything communications. An IVI system has control of a connected vehicle and deals with privacy-sensitive information like current geolocation and destination, phonebook, SMS, and driver's voice. Several offensive studies have been conducted on IVI systems of commercialized vehicles to show the feasibility of car hacking. However, to date, there has been no comprehensive analysis of the impact and implications of IVI system exploitations. To understand security and privacy concerns, we provide our experience hosting an IVI system hacking competition, Cyber Security Challenge 2021 (CSC2021). We use a feature-flavored infotainment operating system, Automotive Grade Linux (AGL). The participants gathered and submitted 33 reproducible and verified proofs-of-concept exploit codes targeting 11 components of the AGL-based IVI testbed. The participants exploited four vulnerabilities to steal various data, manipulate the IVI system, and cause a denial of service. The data leakage includes privacy, personally identifiable information, and cabin voice. The participants proved lateral movement to electronic control units and smartphones. We conclude with lessons learned with three mitigation strategies to enhance the security of the IVI system.

AB - An in-vehicle infotainment (IVI) system is connected to heterogeneous networks such as Controller Area Network bus, Bluetooth, Wi-Fi, cellular, and other vehicle-to-everything communications. An IVI system has control of a connected vehicle and deals with privacy-sensitive information like current geolocation and destination, phonebook, SMS, and driver's voice. Several offensive studies have been conducted on IVI systems of commercialized vehicles to show the feasibility of car hacking. However, to date, there has been no comprehensive analysis of the impact and implications of IVI system exploitations. To understand security and privacy concerns, we provide our experience hosting an IVI system hacking competition, Cyber Security Challenge 2021 (CSC2021). We use a feature-flavored infotainment operating system, Automotive Grade Linux (AGL). The participants gathered and submitted 33 reproducible and verified proofs-of-concept exploit codes targeting 11 components of the AGL-based IVI testbed. The participants exploited four vulnerabilities to steal various data, manipulate the IVI system, and cause a denial of service. The data leakage includes privacy, personally identifiable information, and cabin voice. The participants proved lateral movement to electronic control units and smartphones. We conclude with lessons learned with three mitigation strategies to enhance the security of the IVI system.

KW - automotive grade linux

KW - car hacking

KW - cybersecurity competition

KW - exploit

KW - privacy leakage

KW - vulnerability

UR - https://www.scopus.com/pages/publications/85158150039

U2 - 10.1145/3577923.3583650

DO - 10.1145/3577923.3583650

M3 - Conference contribution

AN - SCOPUS:85158150039

T3 - CODASPY 2023 - Proceedings of the 13th ACM Conference on Data and Application Security and Privacy

SP - 201

EP - 212

BT - CODASPY 2023 - Proceedings of the 13th ACM Conference on Data and Application Security and Privacy

PB - Association for Computing Machinery, Inc

Y2 - 24 April 2023 through 26 April 2023

ER -

Infotainment System Matters: Understanding the Impact and Implications of In-Vehicle Infotainment System Hacking with Automotive Grade Linux

Abstract

Publication series

Conference

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this