IVI systems are often based on well-known Operating Systems, such as Android or Linux-based.
#Hack redacted pdf driver
It aims to improve the driver user-experience by providing apps for navigation and control vehicle functionalities, such as the HVAC. However the CAN protocol is not secure-by-design: it lacks security measures entirely Īs a node of the in-vehicle network, an IVI system communicates with other ECUs by using the CAN protocol.
The most used in-vehicle communication protocol is the “Controller Area Network”, also known as CAN bus, which dates back to 1983 with Bosch and is standardised in ISO 11898-1:2015 as a simple protocol based on “CAN-H” and “CAN-L” lines. An IVI system is usually connected to the intra-vehicle network as well as all the other Electronic Control Units (ECUs) that, by communicating one another, manage all the vehicle functionalities. The possibility to connect a vehicle to the Internet by means of its In-Vehicle Infotainment (IVI) system or through the Telematic Unit turns it into a vulnerable device similar to PCs, smartphones and IoT devices. Nowadays vehicles have so much technologies that cannot be considered simple mechanical devices. Finally, we show how an attacker can easily control the IVI and inject CAN bus frames by means of a Metasploit module that we wrote. By reverse engineering the IVI, we identified four important vulnerabilities that affect all Kia vehicles that embed the studied IVI. In particular, we focused on reverse engineer the Kia IVI system to discover vulnerabilities that may allow an attacker to compromise the IVI functionalities and inject CAN frames into the CAN bus to alter the behaviour of (part of) the vehicle.
In this paper, we present a vulnerability assessment, through a reverse engineering process, of Kia vehicles IVI system. Thus, the uncontrolled access to the CAN bus may have serious impact on the vehicle itself and its passengers. The intra-vehicle network, based on the CAN protocol, is vulnerable by design: messages are exchanged in clear. The IVI system of a car is part of the intra-vehicle network and can be the entry-point of offensive cybersecurity attacks. As with PCs in the past, cars, being connected to the Internet can be potentially vulnerable. Modern vehicles resemble four-wheels computers connected to the Internet via their In-Vehicle Infotainment (IVI) systems.
0 kommentar(er)
