A Social Engineering Attack to Leak Private Information from Android In-Vehicle Infotainment Systems

G Costantino; A La Marra; F Martinelli; I Matteucci
2018

Abstract

The introduction of Information and Communications Technologies (ICT) systems into vehicles brings security and privacy issues into the automotive domain. As a result, vehicles are subject to cyber-security attacks that may affect their capabilities, impacting the safety of drivers, passengers, and so on. In this paper, we focus on how to exploit security vulnerabilities affecting user-to-vehicle and intra-vehicle communications to hack the infotainment system to retrieve information about both vehicle and driver. Indeed, starting from a genuine Android APP, we inject into it a malicious APP acting as a Trojan horse on the Android-based infotainment system to open a backdoor that allows an attacker to remotely access the infotainment system. We use this backdoor to hit the privacy of the driver by recording her voice and to collect information circulating on the CAN bus about the vehicle.
Istituto di informatica e telematica - IIT
automotive
cyber-security attack

Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.14243/347758