{"id":8675,"date":"2024-12-13T12:00:00","date_gmt":"2024-12-13T10:00:00","guid":{"rendered":"https:\/\/blog.eset.ee\/et\/?p=8675"},"modified":"2026-06-14T19:43:06","modified_gmt":"2026-06-14T16:43:06","slug":"black-hat-europe-2024-hacking-a-car-or-rather-its-infotainment-system","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/en\/2024\/12\/13\/black-hat-europe-2024-hacking-a-car-or-rather-its-infotainment-system\/","title":{"rendered":"Black Hat Europe 2024: Hacking a car \u2013 or rather, its infotainment system"},"content":{"rendered":"<p>A presentation that includes in its title \u201cCompromise of Modern Vehicles\u201d may set the expectation that you are about to see a dramatic demonstration of a hacked car suddenly stopping or swerving under the control of a bad actor. Read the abstract to learn that \u201conly\u201d the car\u2019s infotainment system, rather than its critical driving systems, has vulnerabilities and you nearly feel disappointed. Despite this anticlimactic twist, however, the <a href=\"https:\/\/www.blackhat.com\/eu-24\/briefings\/schedule\/index.html#over-the-air-compromise-of-modern-volkswagen-group-vehicles-42466\">research by PCAutomotive<\/a>, presented by Danila Parnishchev and Artem Ivachev at Black Hat Europe 2024, is important.<\/p>\n<p>The two security researchers detailed how malicious actors could exploit various flaws in infotainment units to control the vehicle\u2019s microphone, record the occupants and play back the recording over the same system, exfiltrate personal data, track the car and its speed via the built-in GPS, and steal the contact list that had been uploaded through a connected device.<\/p>\n<p>Yet, for some reason it feels less invasive than, say, an attack on a smartphone that allows the attacker to track the device, control its microphone and exfiltrate data and contacts. 
The expectation of being able to hack a car provides a visual image of catastrophe, a danger to the lives of those in the car and others, so when the issue turns out to involve \u201conly\u201d privacy and personal data, it feels like a relief. However, this is not to say that the potential privacy implications should be underestimated.<\/p>\n<h2>The mechanics of a hack<\/h2>\n<p>When you first connect a smartphone to a car\u2019s infotainment system, you typically have the option to upload and sync the contacts directly to the car\u2019s system. This enables seamless access to the contacts on the screen and lets you make calls as needed. The researchers discovered that by uploading a modified contact list they could exploit a vulnerability in the system and remotely issue commands (remote code execution \u2013 RCE).<\/p>\n<p>Once in the system, and as mentioned above, they can control some elements of the infotainment system and exfiltrate the data. The vulnerabilities described by the team at the conference impacted 1.4 million vehicles, but importantly all 21 vulnerabilities have been resolved with updated software through the manufacturers concerned.<\/p>\n<p>That said, the privacy concerns highlighted are significant, as is the opportunity for abuse. Imagine a controlling partner tracking their significant other and accessing their contact and other data \u2013 all through the car\u2019s infotainment system and without the victim\u2019s knowledge or consent. There\u2019s also the equally troubling espionage angle; I am sure you can visualize how this type of hack could be exploited for surveillance and intelligence gathering on a large scale.<\/p>\n<h2>Approaching evolution with caution<\/h2>\n<p>The title of the presentation, and other similar presentations, may unintentionally mislead the mind and even cause distrust of what we should be embracing. 
The automotive industry is transforming, and such portrayals of risk may even undermine public confidence in these innovations.<\/p>\n<p>For example, I recently had the experience of riding in a Waymo driverless taxi in Phoenix. Requested through an app, the car pulls up, you jump in, and once comfortable, press the button to begin the journey: I went from a hotel to the airport. I did the mandatory thing and took a short video to share with friends and family \u2013 look, there was no driver. The common response was \u201cnever, not for me, did you feel safe?\u201d.<\/p>\n<p>I am sure a psychologist can explain these feelings in detail; for me, though, it\u2019s about trusting a regulatory process, risk assessment and the talented engineers who developed it. Waymo\u2019s cars are not haphazard prototypes; they\u2019ve been tested, vetted by regulators and safety advocates, while insurers have decided that the risk is acceptable \u2013 no small feat.<\/p>\n<p>When asked about the presentations I attended at Black Hat Europe this year, I will not say that \u201csomeone demonstrated how to hack a vehicle\u201d. I will be more accurate and explain that \u201csomeone demonstrated how to compromise a vehicle\u2019s infotainment system\u201d.<\/p>\n<p>This distinction is important. We must not instill a fear of technology but rather embrace its evolution. 
The flaws and subsequent fixes are part of the evolution, and we need to approach change with a sense of openness but also, I admit, some caution.<\/p>\n<p class=\"wls-source\"><a href=\"https:\/\/www.welivesecurity.com\/en\/privacy\/black-hat-europe-2024-hacking-car-infotainment-system\/\" rel=\"nofollow noopener\" target=\"_blank\">Read the full analysis on WeLiveSecurity \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Our \u2018computers on wheels\u2019 are more connected than ever, but the features that enhance our convenience often come with privacy risks in tow<\/p>\n","protected":false},"author":5,"featured_media":8678,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[167],"tags":[],"class_list":["post-8675","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-privacy"],"acf":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8675","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/comments?post=8675"}],"version-history":[{"count":1,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8675\/revisions"}],"predecessor-version":[{"id":9342,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/posts\/8675\/revisions\/9342"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media\/8678"}],"wp:attachment":[{"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/media?parent=8675"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.eset.ee\
/et\/en\/wp-json\/wp\/v2\/categories?post=8675"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/en\/wp-json\/wp\/v2\/tags?post=8675"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}