Penetration Testing of an In-Vehicle Infotainment System

Sammanfattning: With the growing demand for smart and luxurious vehicles, the automotive industry has moved toward developing technologies to enhance the in-vehicle user experience. As a result, most vehicles today have a so-called In-Vehicle Infotainment (IVI) system, or simply an infotainment system, which provides a combination of information and entertainment in one system. IVI systems are used to control, for instance, the audio, navigation, and air conditioning in vehicles. Increasingly more IVI systems are also connected to the internet which has enabled features such as web browsers and third-party apps on them. This raises questions concerning the cybersecurity of IVI systems. As more vehicles are connected to the internet, it increases the risk of vehicles getting hacked. Previous research has shown that it is possible to take control of an entire vehicle by hacking the IVI system. In this thesis, penetration testing was conducted on an IVI system included on a rig from Volvo Cars to find potential vulnerabilities in the system. To the best of the author’s knowledge, this is the first paper describing penetration tests performed on a greater attack surface of the Android Automotive operating system used by the IVI system than previous research which only focused on the attack surface of third-party apps. Moreover, threat modeling was performed by employing the threat analysis and risk assessment part of the ISO/SAE 21434: Road vehicles — Cybersecurity engineering. This has not yet been done in the research area of security of IVI systems as far as the author knows. The results from the various penetration tests show that no major vulnerabilities were discovered in the IVI system. However, several findings were made in the thesis where the main one was that multiple content providers, managing access to storage (e.g., relational databases) in Android, were found to be exported by Android apps on the IVI system, and that some of these were vulnerable to SQL injection. This vulnerability of some of the content providers was exploited but did not lead to any collection of private information. For future work, penetration testing of the cellular interface of the IVI system is suggested.