Infotainment & Telematics
The infotainment head unit is where most of the high-risk external interfaces come together: Wi-Fi, Bluetooth, cellular, USB, media parsing, browser content, and backend connectivity. On a weak architecture, one exploitable bug in that software stack becomes the first link in a chain that crosses gateways or companion controllers and reaches CAN. The chapter is organised by OEM (Tesla, BMW, Mercedes-Benz, Volkswagen Group, and Nissan) and closes with a multi-OEM web-API survey. Miller and Valasek's Jeep papers (2015 and 2016), which established this attack model, sit in the Introduction chapter. The Synacktiv TPMS 2024 chain, which enters through forged BLE TPMS advertisements, is in the Other Wireless Attack Surfaces chapter.
Tesla
FREE-FALL: Hacking Tesla From Wireless to CAN Bus
Nie, Liu, Du (Tencent Keen Security Lab), Black Hat USA 2017 [1]
Tencent's Keen Security Lab put together the first public end-to-end remote chain against a Tesla, targeting the Model S P85/P75 on firmware v7.1. Tesla had the disclosure nine months before the talk and pushed an OTA patch within ten days, adding code signing that had not existed before.
The way in was the QtWebKit browser on the CID. Two bugs chained together for browser sandbox RCE: a type-confusion in JSArray::sort() and a DOM memory disclosure (CVE-2011-3928). Kernel privilege escalation then came through CVE-2013-6282 against the unpatched Linux 2.6.36 on the Nvidia Tegra SoC, bypassing AppArmor. The surrounding systems handed the researchers lateral movement: the IC accepted root SSH from the CID, the Parrot module ran anonymous Telnet on port 23, and the Gateway ECU's UDP diagnostic service was gated only by a static hardcoded token (1q3e5t7u). The Gateway also accepted boot.img updates behind nothing more than a CRC32 check, so the team replaced the firmware wholesale and used that to enable CAN injection at any speed. On the physical side, they forced the ESP/ABS module into programming mode, disabling power-assisted braking and steering. Tesla's response shipped Linux 4.4.35, stricter AppArmor profiles, and ECU firmware code signing.
Important in-vehicle network components in the Tesla Model S, showing the CID, IC, Parrot, and Gateway arrangement. Figure from Nie, Liu, Du, 2017 (FREE-FALL: Hacking Tesla from Wireless to CAN Bus).
Gateway firmware structure (IDA view) showing the CAN message forwarding table used to inject arbitrary frames onto the powertrain bus. Figure from Nie, Liu, Du, 2017 (FREE-FALL: Hacking Tesla from Wireless to CAN Bus).
Exploiting Wi-Fi Stack on Tesla Model S
Keen Security Lab of Tencent, Keen Security Lab Blog 2020 [2]
In a January 2020 blog post, Keen Security Lab detailed two bugs in the Marvell 88W8688 Wi-Fi chip that sits in the Parrot module on the Tesla Model S. The chip runs ThreadX RTOS on an ARM9 Feroceon core and talks to the host over SDIO. One bug is a heap overflow in the 802.11e WMM ADDTS action frame handler; the other is in the Linux mwifiex driver that processes Wi-Fi events coming from the chip. Chained together, they let an attacker within wireless range run code on the CID host Linux system. Both went to Tesla and Marvell before publication.
Architecture of the Parrot/Wi-Fi module on the Tesla Model S, showing the 88W8688 chip connecting via SDIO to the CID host Linux system. Figure from Tencent Keen Security Lab, 2020 (Exploiting Wi-Fi Stack on Tesla Model S).
TBONE, A Zero-Click Exploit for Tesla MCUs
Weinmann, Schmotzle (Comsecuris), 2020 [3]
Weinmann and Schmotzle built TBONE for the Pwn2Own 2020 event that ended up cancelled. It is unauthenticated RCE over Wi-Fi with no user interaction: Tesla vehicles automatically connect to access points broadcasting the SSID "Tesla Service", and the WPA2 credentials for that network are hardcoded in the firmware.
The exploit chains two bugs in ConnMan 1.37. The first is a stack overflow in the DNS proxy uncompress() function: a strncpy() copies label data into a fixed 1025-byte buffer but advances the destination pointer by the actual string length, so writes run past the end. DNS compression pointers can steer that advance over the stack canary. The second is an information disclosure in the DHCP client: an unzeroed packet buffer leaks 4-byte chunks of uninitialized stack memory through crafted DHCP options. Iterated across successive offers, that leak yields a libc address and a stack pointer, enough to defeat ASLR and build a ROP chain. The stage 2 payload disables iptables and opens the charge port. Tesla patched CVE-2021-26675 and CVE-2021-26676 in a later OTA update.
The uncompress() function in ConnMan 1.37 showing the strncpy / pointer-advance pattern that causes the stack overflow when processing crafted DNS reply records. Figure from Weinmann and Schmotzle, 2020 (TBONE).
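ConnMan's uncompress() is not reproduced here. As an added example that is not part of the TBONE write-up or of ConnMan, the decoder below shows the bounded form of the same operation: the destination is advanced only by bytes actually written (not by the source label's string length), a name that would not fit is refused, compression pointers may only point backwards, and the number of jumps is capped so a pointer cycle cannot spin. The DNS message bytes are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded decoder (not ConnMan's code). Decodes the DNS name that
 * starts at msg[off] into out (capacity out_cap, NUL included). Returns the
 * decoded length, or -1 for malformed, looping or oversize input. */
int dns_name_uncompress(const uint8_t *msg, size_t msg_len, size_t off,
                        char *out, size_t out_cap)
{
    size_t out_len = 0;
    int jumps = 0;

    if (out_cap == 0)
        return -1;
    for (;;) {
        if (off >= msg_len)
            return -1;
        uint8_t len = msg[off];
        if ((len & 0xC0) == 0xC0) {                 /* compression pointer */
            if (off + 1 >= msg_len)
                return -1;
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[off + 1];
            if (target >= off || ++jumps > 16)      /* backward only, bounded jumps */
                return -1;
            off = target;
            continue;
        }
        if (len & 0xC0)                             /* 0x40/0x80 label types: unsupported */
            return -1;
        off++;
        if (len == 0)
            break;
        if (len > msg_len - off)                    /* label must lie inside the message */
            return -1;
        /* separator (if any) + label + terminating NUL must fit in the space left:
         * this is the capacity check, driven by bytes written, that the page
         * describes as missing from the original */
        if ((out_len ? 1u : 0u) + len + 1 > out_cap - out_len)
            return -1;
        if (out_len)
            out[out_len++] = '.';
        memcpy(out + out_len, msg + off, len);
        out_len += len;
        off += len;
    }
    out[out_len] = '\0';
    return (int)out_len;
}

/* Constructed message: a plain name, a name using a backward pointer,
 * a pointer to itself, and a forward pointer past the end. */
static const uint8_t sample_msg[] = {
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,   /* offsets 0..16  */
    4,'m','a','i','l', 0xC0, 0x04,                                    /* offsets 17..23 */
    0xC0, 0x18,                                                       /* offsets 24..25: self */
    5,'a','b','c','d','e', 0xC0, 0x30                                 /* offsets 26..33: forward */
};

/* Decode sample_msg at off into a cap-byte buffer; returns the decoder's
 * result, or -2 if it succeeded but produced something other than expected. */
int demo_decode(size_t off, size_t cap, const char *expected)
{
    char buf[256];
    if (cap > sizeof buf)
        cap = sizeof buf;
    int rc = dns_name_uncompress(sample_msg, sizeof sample_msg, off, buf, cap);
    if (rc >= 0 && expected && strcmp(buf, expected) != 0)
        return -2;
    return rc;
}

int main(void)
{
    char name[256];
    int n = dns_name_uncompress(sample_msg, sizeof sample_msg, 17, name, sizeof name);
    printf("offset 17 -> %d (%s)\n", n, n >= 0 ? name : "rejected");
    printf("offset 24 -> %d\n", dns_name_uncompress(sample_msg, sizeof sample_msg, 24, name, sizeof name));
    printf("offset 0 into 10 bytes -> %d\n", dns_name_uncompress(sample_msg, sizeof sample_msg, 0, name, 10));
    return 0;
}
```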
I Feel a Draft: Opening the Doors and Windows
Berard, Dehors (Synacktiv), Hexacon 2022 [4]
For Pwn2Own Vancouver 2022 (written up at Hexacon 2022), Synacktiv went after the Tesla Model 3 over Wi-Fi. Entry again leans on the "Tesla Service" auto-connect SSID, as in TBONE. The Model 3 infotainment runs Linux 4.14 on an Intel Atom A3950 SoC, with an internal Ethernet switch tying all major ECUs together.
Two previously unknown ConnMan bugs sit at the core. CVE-2022-32292 is an out-of-bounds byte swap in the WISPR captive portal HTTP client: after connecting, ConnMan issues an HTTP GET to an attacker-controlled URL, and one specific byte gets converted to null one byte past an allocation boundary, corrupting heap metadata. CVE-2022-32293 is a double free in the same path, used to clean up the heap state. The exploit brought together heap shaping, a libc pointer infoleak through DHCP hostname manipulation, and tcache poisoning for an arbitrary write. For the sandbox escape, ConnMan had access to a raw socket that gave direct Ethernet access, enough for CAN proxy injection to the Gateway. The fixes covered both ConnMan CVEs plus two kernel issues, CVE-2022-42431 and CVE-2022-42430.
Model 3 ICE architecture (Ethernet network), showing the Infotainment, Wi-Fi/BT chip (BCM4359), Gateway, Connectivity card, and Autopilot interconnections. Figure from Berard and Dehors, 2022 (I Feel a Draft).
Unlocking the Drive
Berard, Dehors (Synacktiv), Pwn2Own Vancouver 2023 [5]
At Pwn2Own Vancouver 2023, Synacktiv ran a three-stage chain against the Model 3 over Bluetooth Classic. The entry point is the bsa_server process (the BSA vendor Bluetooth stack), compiled without PIE and shipping debug symbols that a related open-source project made available. Its Bluetooth Imaging (BIP) profile, which fetches phone cover art over OBEX, has a heap overflow that a malformed image properties descriptor triggers. The exploit used heap spraying, a libc pointer infoleak via DHCP hostname manipulation, and ROP. A new Linux kernel LPE handled the sandbox escape, and an RCE in the Security Gateway process gave CAN write access. All three components were later patched.
Exploit chain for the 2023 Pwn2Own entry: Bluetooth BIP heap overflow in bsa_server, kernel LPE, and Security Gateway RCE leading to CAN write. Figure from Berard and Dehors, 2023 (Unlocking the Drive).
0-Click RCE on the Tesla Infotainment Through Cellular Network
Berard, Dehors (Synacktiv), OffensiveCon 2024 [6]
At OffensiveCon 2024 (Pwn2Own Automotive Tokyo 2024), Synacktiv attacked the Tesla from the cellular network. The connectivity card is a Quectel modem that bridges LTE to the internal Ethernet switch over a VLAN.
The entry bug is a command injection in the ql_awd process (AT+QABFOTA="package","$(injected)") on the connectivity card, which should only be reachable internally. An iptables race condition at boot leaves the firewall absent roughly 25% of the time: the firewall service and QCMAP_ConnectionManager contend for the iptables lock, and if QCMAP_ConnectionManager wins, firewall exits without loading any rules. Synacktiv worked out a reliable way to trigger this remotely. The infotainment reboots the connectivity card after three consecutive internet probe failures, which an attacker-controlled base station can force by dropping the probe requests, and NTP spoofing gets around the reboot rate limit. With the firewall gone, the command injection is reachable from the base station. From the modem, the team pivoted to the infotainment over Ethernet and reached the same CAN path as the earlier entries.
Network architecture of the Tesla Model 3 showing the Ethernet switch, Connectivity card (LTE), Infotainment, Security Gateway (with CAN connections), and Autopilot. Figure from Berard and Dehors, 2024 (0-Click RCE Through Cellular Network).
BMW
Beemer, Open Thyself! - Security Vulnerabilities in BMW's ConnectedDrive
Spaar, heise online 2015 [7]
In January 2015, Dieter Spaar disclosed six vulnerabilities in BMW's ConnectedDrive telematics service, affecting approximately 2.2 million BMW, Mini, and Rolls Royce vehicles. After extracting the Combox telematics module firmware by desoldering its flash, Spaar found that all affected vehicles shared the same static symmetric keys for encrypting ConnectedDrive messages. Decrypting any ConnectedDrive message or forging new ones was therefore straightforward. The HTTP connection between car and backend carried no TLS, allowing an emulated GSM base station to intercept and substitute provisioning XML, activating Remote Services even on vehicles where the owner had disabled them. Replay attacks against door unlock succeeded because the protocol had no replay protection. BMW responded with an OTA configuration push enabling TLS for all ConnectedDrive traffic.
Attack flow for the BMW ConnectedDrive door unlock exploit: an SMS triggers the car to fetch a command over an unencrypted HTTP connection intercepted using an emulated GSM base station. Figure from Spaar, 2015 (Beemer, Open Thyself).
0-Days & Mitigations: Roadways to Exploit Connected BMW Cars
Cai, Wang, Zhang (Tencent Keen Security Lab), Black Hat USA 2019 [8]
Over an 18-month study of several BMW models, Cai, Wang, and Zhang documented fourteen vulnerabilities across the NBT Head Unit, the Telematic Communication Box, and the Central Gateway.
The NBT splits across HU-Intel (QNX on x86, running ConnectedDrive and multimedia) and HU-Jacinto (QNX on TI DRA44x, handling CAN). Three local paths reach HU-Intel. A USB-to-Ethernet adapter is recognised by the QNX USB stack and exposed as an unfiltered interface to internal services. A stack overflow in the navigation map update service (apnnavc) comes from an unbounded sprintf() on USB-supplied filenames. And a TOCTOU race in the diagnostic service lets an attacker swap a file between the signature check and execution. Remotely, the unencrypted ConnectedDrive HTTP polling channel let a fake GSM base station inject provisioning XML that redirected browser requests to attacker-controlled servers. Put together, these paths gave code execution from the cellular network all the way to CAN injection via HU-Jacinto.
Architecture of the BMW NBT Head Unit, showing the Intel x86 HU-Intel and TI Jacinto HU-Jacinto processors, their QNET interconnect, and connections to the TCB and Central Gateway. Figure from Cai, Wang, Zhang, 2019 (0-Days and Mitigations).
Mercedes-Benz
Mercedes-Benz MBUX Security Research Report
Keen Security Lab of Tencent, 2020 [9]
Keen Security Lab's 91-page report covers the MBUX NTG6 platform used in the W177 A-Class, E-Class, GLE, GLS, and EQC. The head unit runs an Nvidia Parker SoC under a QNX hypervisor, and a Renesas RH850 handles CAN. The T-Box pairs a cellular baseband with a Renesas SH-2A MCU for CAN-D access.
The chain the team verified on a real vehicle ran the head-unit browser to code execution, then a kernel privilege escalation to root on the head unit. With that, they achieved persistence and body-function control such as ambient lighting, reading lights, and the sunshade. A separate bench/removal scenario reached the head unit over the internal CSB/MMB network and exploited HiQnet parser bugs. The report also works through the T-Box paths: the team found no cellular-network compromise, but on a debug-version T-Box they performed an SH-2A firmware downgrade and code-signing bypasses that let them send arbitrary CAN-D messages.
MBUX hardware architecture overview showing the Nvidia Parker SoC head unit, T-Box, and their CAN and Ethernet network topology. Figure from Tencent Keen Security Lab, 2020 (Mercedes-Benz MBUX Security Research Report).
Security Research on Mercedes-Benz: From Hardware to Car Control
Sky-Go Team, Qihoo 360, Black Hat USA 2020 [10]
At Black Hat USA 2020, the Sky-Go team studied a Mercedes-Benz E300L with the NTG 5.5 head unit and the HERMES telematics control unit. They read the HERMES NAND flash (a desoldered BGA) and rebuilt the YaFFS filesystem, where they found client TLS certificates encrypted with a hardcoded AES key; once the private key was decrypted, they could authenticate to Mercedes-Benz backend servers as a vehicle. A server-side SSRF in a social plugins web application then exposed internal backend files. Between them, the two issues gave access to backend services and let the team unlock the doors and start the engine remotely through the cloud. Mercedes-Benz shipped a full patch within weeks.
Volkswagen Group
The Connected Car: Ways to Get Unauthorized Access and Potential Implications
Keuper, Alkemade (Computest), 2018 [11]
Computest's 2018 report covers the Harman MIB2 platform in the Volkswagen Golf GTE and the Audi A3 e-tron. The MIB2 runs QNX 6.5.0 on an Nvidia Tegra T30. With the Wi-Fi hotspot active, a port scan turned up Telnet, undocumented TCP services, and UPnP; the Telnet root password was a descrypt() hash, capped at the 8-character maximum that algorithm imposes, and an FPGA dictionary attack broke it for under $100. A remotely exploitable bug in an undocumented service took the researchers from arbitrary file read to a root shell on the MMX unit. An internal 10.0.0.0/24 network with a default Telnet password led to the RCC unit (a second QNX processor for CAN), which talked to a Renesas V850 CAN controller over SPI. V850 firmware updates from the RCC needed no signature re-validation; the team mapped out the path to arbitrary CAN injection through backdoored V850 firmware but did not implement it, for IP reasons. The CAN gateway blocked access to the safety-critical buses. Two more entry vectors are documented. On the Audi, the cellular (Audi connect) interface exposed a public IPv4 address reachable from the internet wherever the ISP allowed client-to-client traffic. And a USB-to-Ethernet dongle plugged into the head unit was recognised as an unfirewalled debug interface, exposing the same internal services as the Wi-Fi.
Attack chain from Computest 2018: Wi-Fi RCE on the MMX unit, through the RCC over Ethernet, to the Renesas V850 CAN controller and the gateway ECU. Figure from Keuper and Alkemade, 2018 (The Connected Car).
Back-connect to the Connected Car
Serdyuk, Kondikov (NavInfo Europe), Black Hat Europe 2022 [12]
At Black Hat Europe 2022, Serdyuk and Kondikov looked at the Volkswagen ID.3, an architecture shared with the ID.4 and ID.5 and covering around 120,000 vehicles at disclosure. Two compute modules were in scope. ICAS3 is the LG MEB ICAS3 infotainment, built on a Qualcomm APQ8096AU that runs QNX 7 as host with Automotive Grade Linux as a QVM guest. ICAS1 is the gateway "brain", a Renesas R-Car M3 R8A77960 running the L4RE Fiasco.OC microkernel with three EB Corbos Linux guest VMs (vm_java, vm_adaptive, vm_housekeeping), a squashfs+dm-verity rootfs, and an OP-TEE TrustZone. ICAS1 also holds a PPC SPC58 RTOS that is the actual CAN gateway.
The work disclosed three CVEs. CVE-2022-41557 is in the IVI guest's /usr/bin/swdlusb.sh USB software update script: a FAT32 USB drive containing swdl-entry.conf and swdl-pre-extra-exec.sh is executed as root with no signature check, giving guest AGL root from an inserted USB stick. CVE-2022-23778 is in the IVI host QNX MgrLog/MgrTsk service listening on 0.0.0.0:54323 and reachable from the AGL guest: the tcpSnifferWriteConfigFile command writes attacker-controlled arguments to a config file that tcpSnifferStart then passes to tcpdump, yielding root command execution on the QNX host, a VM escape from guest AGL. CVE-2022-23777 is in ICAS1's coredump-filter handling: with physical eMMC access an attacker plants files that cause /sbin/init.pre to copy coredump-filter into a writable dm-integrity partition where it can be replaced, used to extract per-VM dm-integrity keys from TrustZone, and then to execute arbitrary code in any of the three Corbos Linux VMs.
Together the chain gave root on both the AGL guest and the QNX host of the IVI, plus root inside the ICAS1 application VMs, with backdoor persistence. From there the team could access the microphone and camera, read GPS position and history, control charging, manipulate the IVI and instrument-cluster displays, and pull the Bluetooth phonebook. They did not escape the Corbos Linux VMs into the SPC58 gateway RTOS, so direct CAN injection was out of reach, and every entry vector needs local access (a USB port or the removed module's eMMC).
Over the Air: Compromise of Modern Volkswagen Group Vehicles
Parnishchev, Ivachev (PCAutomotive), Black Hat Europe 2024 [13]
At Black Hat Europe 2024, Parnishchev and Ivachev took on the MIB3 infotainment platform in Skoda and VW Group vehicles built from 2021 onward. MIB3 uses a Renesas R-Car M3 SoC running Yocto Linux 4.14.75, alongside a CARCOM FreeRTOS co-processor on a Cortex-R7.
Entry is a Bluetooth-triggered heap overflow in the picserver JPEG decoder in the phone contacts service: a crafted PBAP profile photo with a scanline that exceeds the 0x4000-byte allocation (libjpeg's 1/8 scaling can produce up to a 0x7fff-byte scanline) overflows the buffer. From the phone service, the team abused a missing access control check in MIB3's custom IPC mechanism to reach a shell injection primitive in the Networking service, then loaded an unsigned kernel module for root. CARCOM code execution came from patching shared RAM, which gave raw CAN3 frame access. For persistence, they used a secure-boot bypass in Preh's proprietary image-compression extension to the R-Car BL2 stage of ARM Trusted Firmware: each compressed boot image carries a PCCP header with its own size field, and BL2 uses that header size for LZ4 decompression while verifying the signature over a size taken from the certificate. Appending arbitrary content past the authenticated region therefore still passes secure boot. By concatenating extra CPIO records after the initrd's TRAILER!!! marker, they overwrote the init script that brings up dm-verity, keeping code execution across reboots. In the demo, this got them real-time GPS and speed tracking, in-car microphone access, screen control, and DNS-tunnelled C2 over the embedded eSIM.
Vulnerability chaining diagram for the MIB3 exploit: Bluetooth heap overflow, IPC shell injection, kernel module LPE, CARCOM code execution, and secure boot bypass for persistence. Figure from Parnishchev and Ivachev, 2024 (Over the Air).
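The initrd concatenation step above is something a boot-time integrity check can look for directly. As an added example that is not PCAutomotive's tooling or any MIB3 code, this newc-format cpio walker reports how many non-padding bytes follow the first TRAILER!!! record; a clean initrd yields 0, while an initrd with extra records appended after its trailer yields a non-zero count. The two sample archives are constructed inside the block.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define ALIGN4(x) (((x) + 3) & ~(size_t)3)

/* One 8-character hex field of a newc header; (size_t)-1 if not valid hex. */
static size_t hex8(const uint8_t *p)
{
    char tmp[9] = {0}, *end;
    memcpy(tmp, p, 8);
    unsigned long v = strtoul(tmp, &end, 16);
    return end == tmp + 8 ? (size_t)v : (size_t)-1;
}

/* Walk a newc cpio archive (magic "070701", 13 hex fields, 4-byte alignment).
 * Returns the number of non-padding bytes after the first TRAILER!!! record,
 * 0 for a clean archive, or -1 when malformed or when no trailer is found. */
long cpio_bytes_after_trailer(const uint8_t *a, size_t len)
{
    size_t off = 0;
    while (len - off >= 110) {
        if (memcmp(a + off, "070701", 6) != 0)
            return -1;
        size_t filesize = hex8(a + off + 54);      /* 7th field  */
        size_t namesize = hex8(a + off + 94);      /* 12th field */
        size_t name_off = off + 110;
        if (filesize == (size_t)-1 || namesize == (size_t)-1 ||
            namesize == 0 || namesize > len - name_off)
            return -1;
        size_t data_off = ALIGN4(name_off + namesize);
        if (data_off > len || filesize > len - data_off)
            return -1;
        size_t next = ALIGN4(data_off + filesize);
        if (next > len)
            next = len;
        if (namesize == 11 && memcmp(a + name_off, "TRAILER!!!", 11) == 0) {
            while (next < len && a[next] == 0)     /* zero block padding is benign */
                next++;
            return (long)(len - next);
        }
        off = next;
    }
    return -1;
}

/* Append one newc record: constructed test data, not a real initrd. */
static size_t put_entry(uint8_t *buf, size_t pos, const char *name, const char *data)
{
    unsigned namesize = (unsigned)strlen(name) + 1, filesize = (unsigned)strlen(data);
    pos += (size_t)sprintf((char *)buf + pos,
        "070701%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x",
        1u, 0100755u, 0u, 0u, 1u, 0u, filesize, 0u, 0u, 0u, 0u, namesize, 0u);
    memcpy(buf + pos, name, namesize);
    pos += namesize;
    while (pos % 4) buf[pos++] = 0;
    memcpy(buf + pos, data, filesize);
    pos += filesize;
    while (pos % 4) buf[pos++] = 0;
    return pos;
}

/* A clean initrd, or the same initrd with a second "init" record concatenated
 * after its trailer (the later record wins when the kernel unpacks it). */
long demo_bytes_after_trailer(int append_extra)
{
    uint8_t buf[2048];
    size_t n = 0;
    n = put_entry(buf, n, "init", "#!/bin/sh\n");
    n = put_entry(buf, n, "TRAILER!!!", "");
    while (n % 512) buf[n++] = 0;                  /* gen_init_cpio pads to 512 bytes */
    if (append_extra) {
        n = put_entry(buf, n, "init", "#!/bin/sh\necho replaced\n");
        n = put_entry(buf, n, "TRAILER!!!", "");
    }
    return cpio_bytes_after_trailer(buf, n);
}
```

Such a check complements, rather than replaces, verifying that the decompressor is bounded by the certificate-authenticated length rather than by the PCCP header's own size field.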
Nissan
Vulnerabilities in Nissan Infotainment Manufactured by Bosch
Smirnova, Motspan, Evdokimov (PCAutomotive), advisory 2025 [14]
PCAutomotive published this advisory in March 2025, disclosing ten CVEs affecting the infotainment ECU in the Nissan Leaf ZE1 (2020), manufactured by Bosch. The IVI runs Linux on an NXP i.MX 6 SoC; an RH850 co-processor handles CAN.
A paired Bluetooth device gets code execution through three stack overflows in the HFP handler inside libevo_stack.so (CVE-2025-32059, CVE-2025-32061, CVE-2025-32062): the library copies custom +ANDROID AT command parameters into fixed stack buffers with no bounds checking and no stack canaries. From the i.MX 6, a stack overflow in the RH850 firmware's INC interface (CVE-2025-32058) gives code execution on the CAN co-processor and unrestricted CAN frame injection on all connected buses. A separate anti-theft bypass (CVE-2025-32056) relies on a fixed 32-entry seed-to-response lookup table in the startup challenge-response, so an IVI pulled out of its vehicle still clears the anti-theft check. Finally, a TLS misconfiguration in the Redbend OTA service (CVE-2025-32057), combined with the NXP i.MX 6 boot ROM vulnerability (CVE-2017-7932), enables persistent root and arbitrary firmware delivery. The full chain starts from a single Bluetooth pairing.
Vulnerability chaining diagram from the PCAutomotive Nissan advisory: Bluetooth RCE, RH850 stack overflow for CAN access, and persistent root via HAB secure boot bypass. Figure from PCAutomotive, 2025 (Nissan Bosch Advisory).
Multi-OEM Web APIs
Web Hackers vs. The Auto Industry
Sam Curry et al., samcurry.net 2023 [15]
Sam Curry and his collaborators went after the telematics web APIs of more than a dozen automotive brands, applying ordinary web application techniques (IDOR, broken access control, SSO misconfiguration, SQL injection) to the backend services owners use to lock, unlock, locate, and start their vehicles remotely.
The findings ran across many brands. The Kia, Honda, Infiniti, Nissan, and Acura APIs accepted only a VIN as authorisation for remote start and GPS commands. BMW and Rolls Royce shared an SSO portal where a wildcard user query plus an unauthenticated TOTP-generation endpoint gave full account takeover for any employee. Mercedes-Benz ran a repair-shop registration portal that wrote to the same LDAP as employee SSO, which opened up internal GitHub, Jenkins, and Mattermost with RCE on several services. Ferrari's dealer CMS exposed an API key in client-side JavaScript that granted access to every customer record. And Spireon's global administration panel, reachable via SQL injection, could send arbitrary telematics commands, including starter disable, to 15.5 million tracked vehicles.
Spireon global administration portal, accessible via an SQL injection bypass, allowing arbitrary telematics commands to 15.5 million vehicles. Figure from Curry et al., 2023 (Web Hackers vs. The Auto Industry).
The pattern across all of these is that the cloud API tier is often the least defended part of vehicle telematics, and a single backend compromise can amount to a physical connection to every vehicle in a fleet.
Third-Party Telematics
Attacking Vehicle Fleet Management Systems
Pareja Veredas, Mehaboobe, DefCamp 2023 [16][17]
At DefCamp 2023, Pareja Veredas and Mehaboobe looked at aftermarket telematics control units (T-boxes, or TCUs) used in commercial fleet management, across two vendors: the SANY Hopechart HQT401 and a second, undisclosed vendor. The HQT401 is an Android-based 4G/Wi-Fi/Bluetooth device factory-installed in SANY heavy equipment and also sold as an aftermarket unit; the undisclosed vendor supplies a Linux-based TCU to fleet operators in the automotive and logistics sectors. The work started in 2020 as a side project and was done entirely black-box.
The two devices had the same root problem: unauthenticated MQTT brokers with no access control, findable through Shodan and Censys. The HQT401 firmware, obtained by attaching a USB cable to an exposed debug port and pulling a root ADB shell, had no binary stripping or signature enforcement. Its MQTT channel used no authentication or encryption and exposed GPS telemetry, speed, RPM, fuel level, and CAN traffic from the entire connected fleet. The backend even accepted CAN injection commands framed as ordinary MQTT messages, so any unauthenticated client could inject arbitrary frames. For the undisclosed vendor, the firmware came from a URL embedded in an MQTT OTA command, and reverse engineering turned up a privilege escalation path through a web interface buffer overflow and broken token validation, giving root code execution with no physical access to the device. That vendor's platform also exposed live video streams, engine immobilisation commands, and CAN read/write. Between them, the two deployments covered roughly 185,000 vehicles, and as of the conference date neither vendor had shipped a complete patch.
Hopechart HQT401 T-box device, an Android-based fleet TCU. Figure from Pareja Veredas and Mehaboobe, 2023 ((Re)Playing With Your Keys).