As the automobile industry accelerates towards the era of fully autonomous vehicles, the sophistication of in-vehicle entertainment systems, especially those integrating web browsers within the head unit, has dramatically increased. This integration not only enhances the user experience but also introduces significant security risks, potentially compromising driver privacy and vehicle safety. Despite the critical importance of these systems, there is a severe lack of resources dedicated to vulnerability research, browser fuzzing, and exploit creation targeting automobile browsers.
Addressing this critical gap, our research delves into the unexplored domain of automobile browser security, showcasing the successful identification, submission, and mitigation of a browser vulnerability within an electric vehicle (EV) head unit. Focused on a customized Chromium browser embedded in one of the vehicle vendors that I had worked for in my past employment (real car), we present a detailed case study of creating a heap overflow exploit. This demonstration revealed the vulnerability of such systems to sophisticated cyber-attacks, emphasizing the necessity for responsible disclosure and collaboration with manufacturers to enhance vehicle security.
Attendees will be given a comprehensive walkthrough of the exploit development process, starting from initial vulnerability research to the final creation of a heap overflow exploit. We will detail the tools and techniques employed, offering insights into the methodology used to uncover vulnerabilities in the Android Auto browser. Furthermore, the presentation will provide a roadmap for security researchers on how to set up a virtual environment for safe and effective exploit creation and testing, highlighting the practical aspects of cybersecurity research in the automotive context.
This session stands out as a fundamental investigation of a novel attack vector in the automotive area, underscoring the urgent need for the industry to shift towards more robust cybersecurity measures. Through this discussion, we aim to catalyze the development of innovative security protocols and foster collaborative efforts among manufacturers, researchers, and cybersecurity professionals. Our goal is to navigate these emerging threats together, securing the future of transportation in the digital age and ensuring the safety and privacy of users in the era of autonomous vehicles.
===
Ravi Rajput is a preeminent cybersecurity expert and innovator, renowned for his deep expertise in telecom and automotive security, as well as his mastery of zero-day exploits across Windows, Linux, and ARM platforms. His leadership in complex security operations and talent for developing advanced exploits have established Ravi as a visionary in cybersecurity, delivering pragmatic solutions to some of the industry’s toughest challenges.
As the creator of AutoHackOS, a tailored penetration testing framework for the automotive industry, Ravi has significantly impacted cybersecurity. Launched at the prestigious Blackhat Conference, AutoHackOS has trended globally, with millions of downloads by researchers enhancing their vehicle penetration testing capabilities. This system is acclaimed for its customized tools and scripts that efficiently identify and mitigate vulnerabilities, especially in telematics, marking it as a monumental success in product innovation.
Additionally, Ravi plays a crucial role at the Telecom Village during DEFCON, the world’s leading hacking conference. He manages the Capture The Flag (CTF) and Call For Papers (CFP) review processes, fostering a dynamic, educational environment for cybersecurity enthusiasts to showcase and expand their skills.
A prominent public speaker, Ravi frequently shares his insights at international platforms including NullCon, HITCON, and Bsides, covering topics from reverse engineering to advanced automotive security strategies. His contributions continue to resonate across the cybersecurity community globally, inspiring professionals and advancing the field.
Информация по комментариям в разработке