CANDY: A social engineering attack to leak information from infotainment system

The introduction of Information and Communications Technologies (ICT) systems into vehicles make them more prone to cyber-security attacks that may impact of vehicles capability and, consequently, on the safety of drivers, passengers. In this paper, we focus on how to exploit security vulnerabilities affecting user-to-vehicle and intra- vehicle communications to hack the infotainment system to retrieve information about both vehicle and driver. Indeed, we designed and developed CANDY, a set of malicious APP injecting in a genuine Android APP, acting as a Trojan-horse on the Android In-Vehicle infotainment system. It opens a back-door that allows an attacker to remotely access to the infotainment system. We use this back-door to hit the privacy of the driver by recording her voice and collect information circulating on the CAN bus about the vehicle. CANDY is distributed by using social engineering techniques.