MOUNTAIN VIEW, Calif.--(BUSINESS WIRE)--Zingbox, the leading Internet of Things (IoT) device management and security provider, today announced new research that shows how a car’s driver can be subject to cybersecurity attacks through the car’s “infotainment” system, the embedded operating system powering the iPad-looking display on today’s modern cars. Daniel Regalado, Zingbox principal security researcher, will describe how he and his colleagues infected a car’s infotainment system with malware, making it possible to exfiltrate the driver’s personal information via SMS messages, at the DefCon 26 Car Hacking Village in Las Vegas on August 10, 2018. These research findings could have important implications for rental car drivers and the $28B U.S. rental car market, according to Regalado.
Previous car hacking efforts focused on the car’s functionality – brakes, steering and door locking mechanisms. The idea that a car could be infected with ransomware or other viruses was hypothetical until now. Zingbox researcher Regalado, co-author of Gray Hat Hacking, and independent researchers Gerardo Iglesias and Ken Hsu broke into a car’s infotainment system and reverse-engineered its main components with one goal in mind: to determine if a car’s operating system could be infected with malware and prove that this Trojan could be controlled remotely through SMS messages. In this way, a driver’s personal data and safety could be compromised using the driver’s own cell phone.
“In order to provide real-time security to all IoT devices, Daniel Regalado and others on Zingbox’s research team continuously push the boundaries of IoT vulnerability research,” said Xu Zou, Zingbox CEO and co-founder. “We’re glad to share our latest findings with the broader security community and raise the awareness of the impact of IoT device vulnerabilities.”
An auto infotainment system depends on the Internet of Things (IoT) to operate. The fact that an infotainment system can be infected is an important lesson for the industry, suggesting the need for stepped-up IoT cybersecurity solutions similar to what is already available for IoT devices in healthcare, financial services and manufacturing. This would protect drivers, especially the millions of car renters around the world.
“The fact that we can infect a car’s infotainment system and expose private data sheds light on an important vulnerability for manufacturers going forward,” said Regalado. He has also recently hacked a Telepresence Robot, an IV pump and other medical devices.
A car’s infotainment system powers GPS navigation and music selection, makes and receives phone calls, reads SMS messages, and can manage firmware updates. A maliciously crafted USB device plugged into a vehicle can infect the infotainment system, something a driver could be tricked into doing through social engineering, such as a USB drive loaded with free music that entices the driver to plug it in. Once paired with the driver’s phone, malware in the infotainment system leverages the phone’s SMS message service to access personal information such as contact lists. It can also intercept banking authentication PINs, or even block incoming or outgoing calls. The same SMS service could then be used to take control of the infotainment system remotely and create distractions for the driver or put the system into an unusable state that requires repair from the manufacturer.
Zingbox is the leading provider of an Internet of Things (IoT) analytics platform for device management and security. Named a Cool Vendor in IoT Security by Gartner and recipient of the Stevie Award for Most Innovative Company, Zingbox helps organizations realize the full potential of their IoT devices, delivering a new standard for uninterrupted service, operational efficiency and security for the entire IoT environment. The company’s AI machine learning platform uses the first real-time deep behavioral learning technology for IoT devices. For more information, please visit http://www.zingbox.com.