Exploiting the In-Vehicle Browser: A Novel Attack Vector in Autonomous Vehicles

By Ravi Rajput on 30 Aug 2024 @ Hitbsecconf
#web-security #security-assessment #exploitation #automotive-cybersecurity #reverse-engineering
Focus Areas: Application Security, Industrial Control Systems Security, Malware Analysis, Penetration Testing, Vulnerability Management, Web Application Security

Abstract

As the automobile industry accelerates towards the era of fully autonomous vehicles, the sophistication of in-vehicle entertainment systems, especially those integrating web browsers within the head unit, has dramatically increased. This integration not only enhances the user experience but also introduces significant security risks, potentially compromising driver privacy and vehicle safety. Despite the critical importance of these systems, there is a severe lack of resources dedicated to vulnerability research, browser fuzzing, and exploit creation targeting automobile browsers.

Addressing this critical gap, our research delves into the unexplored domain of automobile browser security, showcasing the successful identification, submission, and mitigation of a browser vulnerability within an electric vehicle (EV) head unit. Focused on a customized Chromium browser embedded in the head unit of a vehicle vendor I had worked for in my past employment (a real car), we present a detailed case study of creating a heap overflow exploit. This demonstration revealed the vulnerability of such systems to sophisticated cyber-attacks, emphasizing the necessity for responsible disclosure and collaboration with manufacturers to enhance vehicle security.

Attendees will be given a comprehensive walkthrough of the exploit development process, starting from initial vulnerability research to the final creation of a heap overflow exploit. We will detail the tools and techniques employed, offering insights into the methodology used to uncover vulnerabilities in the Android Auto browser. Furthermore, the presentation will provide a roadmap for security researchers on how to set up a virtual environment for safe and effective exploit creation and testing, highlighting the practical aspects of cybersecurity research in the automotive context.

This session stands out as a fundamental investigation of a novel attack vector in the automotive area, underscoring the urgent need for the industry to shift towards more robust cybersecurity measures. Through this discussion, we aim to catalyze the development of innovative security protocols and foster collaborative efforts among manufacturers, researchers, and cybersecurity professionals. Our goal is to navigate these emerging threats together, securing the future of transportation in the digital age and ensuring the safety and privacy of users in the era of autonomous vehicles.

AI Generated Summary

This talk presents research on exploiting in-vehicle browsers within Android Automotive OS, detailing a previously unaddressed attack vector discovered in 2022. The core research area is the security of browser applications that interact directly with critical vehicle systems via the car service APIs, contrasting with the phone-projected Android Auto.

The key technical findings revolve around a vulnerability chain in a vendor-customized Chromium-based browser. The exploit leveraged a type confusion flaw in the V8 JavaScript engine, followed by a use-after-free to achieve arbitrary code execution. The critical impact stemmed from the browser’s privileged access to car service APIs, allowing the proof-of-concept to trigger denial-of-service conditions affecting safety-critical functions: disabling the airbag system, wiper fluid control, SOS services, and emergency calls. The research establishes that standard browsers like Chrome do not inherently possess these high-privilege car API integrations; the attack surface is primarily exposed through OEM-customized browsers and WebView-based applications (e.g., connected car, diagnostic, or payment apps) that are explicitly granted vehicle data permissions.

The practical exploitation methodology emphasizes simultaneous monitoring of the CAN bus for physical effects, logcat for car service failures (e.g., “Car Watchdog killed” messages in /data/anr), and active fuzzing of the target browser application. A key takeaway is that while browser sandboxing presents hurdles, the integration with vehicle HAL via car services creates a path to compromise core vehicle functions if the browser holds the android.car.permission.BIND_CAR_SERVICE permission.
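The monitoring side of that methodology is easy to automate for a defender. The following Python script is an added example, not code from the talk or its author: it parses logcat lines in the standard threadtime layout, flags every "Car Watchdog killed" message, records whether a car service error follows shortly after it (the correlation the summary describes), and separately lists installed packages that hold android.car.permission.BIND_CAR_SERVICE so they can be prioritised for assessment. The logcat lines, the tag names, the package names and the permission grants below are all constructed samples; only the permission string and the watchdog message phrase come from the summary.

```python
import re
from dataclasses import dataclass

# Permission the summary identifies as the browser's path into car services.
CAR_SERVICE_PERMISSION = "android.car.permission.BIND_CAR_SERVICE"

# Constructed sample logcat output (threadtime layout: date time PID TID level tag: message).
# Tags and package names are invented for the example.
SAMPLE_LOGCAT = """\
08-30 10:12:01.004  1234  1260 I CarService: Car service started
08-30 10:12:05.118  2345  2345 D WebViewChromium: loading url
08-30 10:12:07.551  1234  1301 W CarWatchdogService: Car Watchdog killed process 2345 (com.example.oembrowser) for unresponsiveness
08-30 10:12:07.600  1234  1301 E CarService: car service failure: vehicle HAL property callback timed out
08-30 10:12:08.020   987   987 I ActivityManager: Process com.example.oembrowser (pid 2345) has died
"""

# Constructed sample of granted permissions per package (as one might collect from dumpsys).
SAMPLE_GRANTS = {
    "com.example.oembrowser": {"android.permission.INTERNET", CAR_SERVICE_PERMISSION},
    "com.example.stockbrowser": {"android.permission.INTERNET"},
}

LOGCAT_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF])\s+(?P<tag>[^:]+):\s(?P<msg>.*)$"
)
WATCHDOG_KILL_RE = re.compile(r"Car Watchdog killed", re.IGNORECASE)
PROC_RE = re.compile(r"process (?P<pid>\d+) \((?P<pkg>[\w.]+)\)")


@dataclass
class WatchdogEvent:
    time: str
    pid: str
    package: str
    followed_by_car_service_error: bool = False


def parse_logcat(text):
    """Yield one dict per well-formed threadtime logcat line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOGCAT_RE.match(line)
        if m:
            yield m.groupdict()


def find_watchdog_kills(text, window=5):
    """Return a WatchdogEvent for each 'Car Watchdog killed' message.

    An event is marked followed_by_car_service_error when an E/F-level line whose
    tag starts with 'Car' appears within `window` lines after the kill message.
    """
    records = list(parse_logcat(text))
    events = []
    for i, rec in enumerate(records):
        if not WATCHDOG_KILL_RE.search(rec["msg"]):
            continue
        pm = PROC_RE.search(rec["msg"])
        ev = WatchdogEvent(
            time=rec["time"],
            pid=pm.group("pid") if pm else rec["pid"],
            package=pm.group("pkg") if pm else "unknown",
        )
        for later in records[i + 1 : i + 1 + window]:
            if later["level"] in ("E", "F") and later["tag"].strip().startswith("Car"):
                ev.followed_by_car_service_error = True
                break
        events.append(ev)
    return events


def packages_with_car_service_binding(granted):
    """granted: {package: set(permission)}. Return packages holding BIND_CAR_SERVICE, sorted."""
    return sorted(pkg for pkg, perms in granted.items() if CAR_SERVICE_PERMISSION in perms)


if __name__ == "__main__":
    for ev in find_watchdog_kills(SAMPLE_LOGCAT):
        print(f"{ev.time} watchdog killed pid={ev.pid} pkg={ev.package} "
              f"car_service_error_followed={ev.followed_by_car_service_error}")
    print("packages bound to car service:", packages_with_car_service_binding(SAMPLE_GRANTS))
```

On a real head unit the input would come from `adb logcat -v threadtime` and the grant map from package dumps; the correlation window is deliberately small because the summary describes the watchdog kill and the car service failure as near-simultaneous symptoms of the same event.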

The primary implication is a systemic risk in modern vehicles where software, not the driver, controls functions. The speaker argues vehicle manufacturers often prioritize regulatory compliance over robust security, leaving exploitable attack surfaces in deployed systems that are difficult to patch. Mitigation strategies proposed include rigorous use of static analysis and fuzzing (e.g., Android’s Catbox) in the CI/CD pipeline for automotive OS builds, strict implementation of access controls for cloud-connected diagnostic services, and deployment of vehicle security operations centers (VSOC) to detect anomalous behavior. The research underscores that any application interacting with the vehicle HAL must be treated as a high-value target for security assessment.

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview; always refer to the original talk for authoritative content.