Login Papers Register

Need an account to vote? Register to attend at gsec.hitb.org/sg2018/
Deadline is 30th June 2018!

<< previous next >>

Let Me Entertain You: Car Infotainment Hacking and Attack Surface Scenarios

Jay Turla

2 vote(s)

The battle for supremacy for the control of the dashboard display or infotainment systems has always been a race. Most of these systems run on Linux, Android, Windows (customized dashboards - perhaps Windows ME or CE) and Blackberry's QNX. In-Vehicle Infotainment (IVI) or In-car entertainment (ICE) Systems are indeed fun consoles where you can play media, movies, or work with your car's navigational system. But somehow it also comes with a risk of being hacked or attacked because they have also been plagued with vulnerabilities like the following:

- Remote Code Execution and Command Injection
- Default and Weak System Logins (SSH authentication or web-based dashboard panel)
- Data Leakage (call logs or histories)
- Format String Injections which could lead to the bricking of your device or application crashes
- Race Conditions or Unhandled Exceptions which takes you to the Windows Desktop GUI or Debug Options. Can it run DOOM?

In this talk, join Jay as he presents his own Car Hacker's Methodology in finding security bugs in order to pwn a car's infotainment system without having to do a drive by wire or CANbus hacking tools but will simply point out the common attack surfaces e.g WiFi, Bluetooth, USB Ports, etc. and some scenarios on how to exploit it just like how he popped a shell or issue an arbitrary command in his car which he tweeted in Twitter before.

===

Jay Turla is an application security engineer at Bugcrowd Inc., and one of the goons of ROOTCON. He has been acknowledged and rewarded by Facebook, Adobe, Yahoo, Microsoft, Mozilla, etc. for his responsible disclosures. He has also contributed auxiliary and exploit modules to the Metasploit Framework and presented at ROOTCON, Nullcon, and TCON. He used to work for HP Fortify where he performs Vulnerability Assessment, Remediation and Advance Testing.