Insomnihack - Pioneering Zero Days at Pwn2Own Automotive 2024

On Thursday 13th of March 2025, McCaulay Hudson (@_mccaulay) and Alex Plaskett (@alexjplaskett) presented this talk at Insomnihack, Lausanne, Switzerland.

The slides for the talk can be downloaded here:

The abstract for the talk presented was as follows:

Abstract

How easy is it to compromise an aftermarket in-vehicle entertainment system?

What can an attacker do when they install spyware on there? In the rapidly evolving automotive industry, the integration of technological systems such as remote servers, Wi-Fi hotspots, and mobile devices has expanded the attack surface. Modern vehicles are equipped with in-vehicle infotainment systems that connect to GPS, cameras, microphones, and mobile devices, syncing data including call logs and contacts.

Description

This presentation will detail the process of attacking an in-vehicle infotainment (IVI) system from start to finish as part of the Pwn2Own Automotive 2024 competition. Starting off with a hardware attack, we discuss the chain of challenges we had to solve first to gain initial access and then later to establish a debugging environment from which we had visibility of the device internals. This included dealing with hidden developer menus (Japanese language barrier!), in-depth eMMC in-circuit programming, and many different HW attack approaches.

Using this level of access, we identified multiple software vulnerabilities which were used within the competition to gain remote code execution and compromise the IVI. After examining Pioneer’s novel OS modifications and custom applications, we identified an arbitrary file write and directory traversal which was severely constrained. We then managed to abuse a pkcs11 configuration mechanism to turn this into arbitrary code execution by chaining this together with a denial of service to allow us to fulfil the constraints of the competition.

In this talk we will disclose in detail what these vulnerabilities were and how we chained them together to compromise the device.

In conclusion, we will showcase a real-world attack scenario, by showing spyware exfiltrating data from the infotainment system to track an individual's location, contacts, and call history.

Finally, we will give examples of good practices that Pioneer specifically did well when securing the device and suggest improvements which could also be applied to other automotive vendors.

Exploit Demo

https://vimeo.com/1062015713