MOUNTAIN VIEW, Calif. — Connected device management and security provider Zingbox announced new research that shows how a car’s driver can be subject to cybersecurity attacks through the car’s “infotainment” system, the embedded operating system powering the iPad-looking displays found on many recent new vehicles.
Daniel Regalado, Zingbox’s principal security researcher, has agreed to demonstrate the vulnerability at the DefCon 26 Car Hacking Village in Las Vegas tomorrow. In a statement released today, the company revealed that Regalado teamed with independent researchers Gerardo Iglesias and Ken Hsu to break into a car’s infotainment system and reverse-engineer its main components with one goal in mind: to infect the operating system with malware and prove the system could be controlled remotely through SMS messages, using the driver’s own phone to compromise their personal data and safety.
“In order to provide real-time security to all IoT devices, Daniel Regalado and others on Zingbox’s research team continuously push the boundaries of IoT vulnerability research,” said Xu Zou, the company’s CEO and co-founder. “We’re glad to share our latest findings with the broader security community and raise the awareness of the impact of IoT device vulnerabilities.”
An auto infotainment system depends on the Internet of Things to operate. The fact that an infotainment system can be breached suggests the need for stepped-up IoT cybersecurity solutions similar to what is already available for such devices in healthcare, financial services, and manufacturing. This would protect drivers, especially the millions of car renters around the world, Regalado said.
“The fact that we can infect a car’s infotainment system and expose private data sheds light on an important vulnerability for manufacturers going forward,” he added, noting he has also recently hacked a telepresence robot, an IV pump, and other medical devices.