Infotainment & Telematics

The infotainment head unit often concentrates the highest-risk external interfaces: Wi-Fi, Bluetooth, cellular, USB, media parsing, browser content, and backend connectivity. In a vulnerable architecture, a single exploitable bug in that software stack becomes the first link in a chain that crosses gateways or companion controllers and reaches CAN. This chapter is organised OEM by OEM, covering Tesla, BMW, Mercedes-Benz, Volkswagen Group, and Nissan, followed by a multi-OEM web-API survey and a section on third-party fleet telematics. The Miller and Valasek Jeep papers (2015 and 2016) that established this attack model are covered in the Introduction chapter. The Synacktiv TPMS 2024 chain, which enters through forged BLE TPMS advertisements, is covered in the Other Wireless Attack Surfaces chapter.

Tesla

FREE-FALL: Hacking Tesla From Wireless to CAN Bus

Nie, Liu, Du (Tencent Keen Security Lab), Black Hat USA 2017 [1]

This was the first public end-to-end remote chain against a Tesla, targeting the Model S P85 and P75 on firmware v7.1. Tesla was notified roughly nine months before the talk and pushed an OTA patch within ten days of the report; that patch also introduced code signing for ECU firmware, which had not existed before.

Entry was through the QtWebKit browser on the CID. Two browser bugs were chained: a type confusion in JSArray::sort() and a DOM memory disclosure (CVE-2011-3928) gave code execution inside the browser sandbox. Kernel privilege escalation via CVE-2013-6282 against the unpatched Linux 2.6.36 on the Nvidia Tegra SoC bypassed AppArmor. Adjacent systems provided lateral movement: the IC accepted root SSH from the CID, the Parrot module exposed anonymous Telnet on port 23, and the Gateway ECU's UDP diagnostic service was gated only by a static hardcoded token (1q3e5t7u). The Gateway accepted boot.img updates with nothing more than a CRC32 check, allowing full firmware replacement; the team used this to enable CAN injection at any vehicle speed. Physical effects included forcing the ESP/ABS module into programming mode, disabling power-assisted braking and steering. Tesla's response included Linux 4.4.35, stricter AppArmor profiles, and ECU firmware code signing.
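The Gateway's CRC32-only update check is the textbook case of a checksum mistaken for an authenticity check. The following C program is an added example, not Keen's tooling or Tesla's code. It assumes standard CRC-32 parameters (polynomial 0xEDB88320, reflected, initial and final XOR 0xFFFFFFFF); the paper does not state which variant the Gateway used, but the technique works for any CRC because a CRC is linear over GF(2). The 32-byte boot image, its forwarding table and its 4 bytes of trailing padding are constructed for illustration.

```c
/* Added example: forcing a modified image back to its original CRC32.
 * Standard CRC-32 parameters are assumed; the image layout is made up. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CRC_POLY 0xEDB88320u

/* Feed bytes into the CRC register; returns the raw register, no final XOR. */
static uint32_t crc32_feed(uint32_t reg, const uint8_t *p, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        reg ^= p[i];
        for (int b = 0; b < 8; b++)
            reg = (reg >> 1) ^ (CRC_POLY & (0u - (reg & 1u)));
    }
    return reg;
}

static uint32_t crc32(const uint8_t *p, size_t len)
{
    return crc32_feed(0xFFFFFFFFu, p, len) ^ 0xFFFFFFFFu;
}

/* Undo one shift step. Forward: r' = (r >> 1) ^ (r & 1 ? POLY : 0). POLY has
 * bit 31 set and r >> 1 never does, so bit 31 of r' says whether feedback ran. */
static uint32_t crc32_unshift(uint32_t r)
{
    if (r & 0x80000000u)
        return ((r ^ CRC_POLY) << 1) | 1u;
    return r << 1;
}

/* Choose 4 bytes `patch` so that crc32(data || patch) == target.
 * Feeding bytes x0..x3 from register S equals feeding four zero bytes from
 * S ^ (x0 | x1<<8 | x2<<16 | x3<<24), and four zero bytes are 32 plain shift
 * steps, which are invertible. Hence x = S ^ unshift^32(target register). */
static void crc32_forge(const uint8_t *data, size_t len, uint32_t target, uint8_t patch[4])
{
    uint32_t reg = crc32_feed(0xFFFFFFFFu, data, len);
    uint32_t want = target ^ 0xFFFFFFFFu;        /* register we must end on */
    for (int i = 0; i < 32; i++)
        want = crc32_unshift(want);
    uint32_t x = reg ^ want;
    for (int i = 0; i < 4; i++)
        patch[i] = (uint8_t)(x >> (8 * i));
}

/* Constructed toy boot image: magic/version, a forwarding table with one byte
 * per CAN ID (1 = forward to the powertrain bus), then 4 bytes of padding. */
#define IMG_LEN 32
static const uint8_t genuine_image[IMG_LEN] = {
    'B','O','O','T', 0x01,0x00,0x00,0x00,                 /* 0..7: magic, version */
    0x01,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,    /* 8..17: table, IDs 0..9 */
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,    /* 18..27: table, IDs 10..19 */
    0x00,0x00,0x00,0x00                                   /* 28..31: padding */
};

struct forge_result {
    uint32_t genuine_crc;   /* value the Gateway expects */
    uint32_t patched_crc;   /* after flipping a table entry, before the fix-up */
    uint32_t forged_crc;    /* after rewriting the 4 padding bytes */
    int      check_passes;  /* 1 if a CRC-only check accepts the hostile image */
};

static struct forge_result gateway_crc_demo(void)
{
    struct forge_result r;
    uint8_t hostile[IMG_LEN];
    memcpy(hostile, genuine_image, IMG_LEN);
    r.genuine_crc = crc32(genuine_image, IMG_LEN);

    hostile[8 + 10] = 0x01;                      /* attacker: forward CAN ID 10 */
    r.patched_crc = crc32(hostile, IMG_LEN);

    /* Spend the 4 padding bytes to drive the CRC back to the expected value. */
    crc32_forge(hostile, IMG_LEN - 4, r.genuine_crc, hostile + IMG_LEN - 4);
    r.forged_crc = crc32(hostile, IMG_LEN);
    r.check_passes = (r.forged_crc == r.genuine_crc);
    return r;
}

int main(void)
{
    struct forge_result r = gateway_crc_demo();
    printf("genuine %08x  patched %08x  forged %08x  -> %s\n",
           r.genuine_crc, r.patched_crc, r.forged_crc,
           r.check_passes ? "CRC-only check accepts the hostile image" : "mismatch");
    return 0;
}
```

Any 4 attacker-controlled bytes, here the trailing padding, are enough to restore the stored checksum, so the Gateway's check rejected only accidental corruption. A signature over the image, which is what Tesla added in response, removes that freedom: the attacker can still fix the CRC but cannot produce a valid signature for the modified bytes.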

Important in-vehicle network components in the Tesla Model S, showing the CID, IC, Parrot, and Gateway arrangement. Figure from Nie, Liu, Du, 2017 (FREE-FALL: Hacking Tesla from Wireless to CAN Bus).

Gateway firmware structure (IDA view) showing the CAN message forwarding table used to inject arbitrary frames onto the powertrain bus. Figure from Nie, Liu, Du, 2017 (FREE-FALL: Hacking Tesla from Wireless to CAN Bus).

Exploiting Wi-Fi Stack on Tesla Model S

Keen Security Lab of Tencent, Keen Security Lab Blog 2020 [2]

A January 2020 blog post described two bugs in the Marvell 88W8688 Wi-Fi chip integrated into the Parrot module on the Tesla Model S. The chip runs ThreadX RTOS on an ARM9 Feroceon core, connected via SDIO. One bug was a heap overflow in the 802.11e WMM ADDTS action frame handler; the other was in the Linux mwifiex driver processing Wi-Fi events from the chip. An attacker within wireless range could chain both to gain code execution on the CID host Linux system. Both were disclosed to Tesla and Marvell before publication.

Architecture of the Parrot/Wi-Fi module on the Tesla Model S, showing the 88W8688 chip connecting via SDIO to the CID host Linux system. Figure from Tencent Keen Security Lab, 2020 (Exploiting Wi-Fi Stack on Tesla Model S).

TBONE, A Zero-Click Exploit for Tesla MCUs

Weinmann, Schmotzle (Comsecuris), 2020 [3]

Originally developed for the cancelled Pwn2Own 2020 event, TBONE achieves unauthenticated RCE over Wi-Fi without user interaction by exploiting Tesla vehicles' automatic connection to access points broadcasting the SSID "Tesla Service" with WPA2 credentials hardcoded in the firmware.

Two bugs in ConnMan 1.37 are chained. The first is a stack overflow in the DNS proxy's uncompress() function: a strncpy() bounded by the remaining room copies decoded name data into a fixed 1025-byte stack buffer, but the destination pointer is then advanced by the full length of the name, so subsequent writes land past the end of the buffer. Crafted DNS compression pointers let the attacker steer those advances so that the writes skip over the stack canary rather than corrupting it. The second is an information disclosure in the DHCP client: an unzeroed packet buffer leaks 4-byte chunks of uninitialised stack memory via crafted DHCP options, which, iterated across successive offers, yields a libc address and a stack pointer, enough to defeat ASLR and build a ROP chain. The stage 2 payload disables iptables and, as demonstrated, opens the charge port. Tesla patched CVE-2021-26675 and CVE-2021-26676 in a subsequent OTA update.
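To make the strncpy / pointer-advance defect concrete, the following C program is an added example, not ConnMan's or Comsecuris' code. It models the uncompress() copy loop with the names assumed to be already decoded from the reply, and it takes the remaining-room expression uncomp_len - (uptr - uncompressed) as the strncpy() bound, which is an assumption about the original code. The vulnerable variant only tracks where the destination pointer would go and never writes, so the program is safe to run; the hardened variant performs the real copy with the check a fix needs.

```c
/* Added example modelling the ConnMan 1.37 uncompress() copy loop. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define UNCOMP_LEN 1025           /* size of the fixed uncompressed-name buffer */

struct copy_report {
    long end_offset;              /* uptr - uncompressed after the loop */
    bool out_of_bounds;           /* some write would land at or past UNCOMP_LEN */
    bool unbounded_copy;          /* a strncpy() size argument wrapped past zero */
    bool rejected;                /* hardened variant refused the input */
};

/* Vulnerable pattern. strncpy(uptr, name, uncomp_len - (uptr - uncompressed))
 * caps the copy, but uptr += strlen(name) ignores that cap and a NUL is written
 * at the new position. Once uptr is past the end, the remaining-room expression
 * is negative (assumed int/ptrdiff_t arithmetic); converted to strncpy()'s
 * size_t parameter it becomes huge and the next copy is effectively unbounded. */
static struct copy_report copy_names_vulnerable(const char *const *names, int count)
{
    struct copy_report rep = {0, false, false, false};
    long off = 0;
    for (int i = 0; i < count; i++) {
        long len = (long)strlen(names[i]);
        long room = UNCOMP_LEN - off;             /* what strncpy() would be told */
        if (room < 0)
            rep.unbounded_copy = true;            /* (size_t)room is close to SIZE_MAX */
        if (off + len + 1 > UNCOMP_LEN)
            rep.out_of_bounds = true;             /* copy or NUL lands past the buffer */
        off += len;                               /* uptr += strlen(name) */
        off += 1;                                 /* *uptr++ = '\0' */
    }
    rep.end_offset = off;
    return rep;
}

/* Hardened pattern, in the spirit of the ConnMan 1.39 fix: check that the whole
 * name plus its terminator fits before touching the buffer, and refuse the reply
 * otherwise instead of silently truncating. This variant really writes. */
static struct copy_report copy_names_fixed(char *dst, size_t dstcap,
                                           const char *const *names, int count)
{
    struct copy_report rep = {0, false, false, false};
    size_t off = 0;
    for (int i = 0; i < count; i++) {
        size_t len = strlen(names[i]);
        if (len + 1 > dstcap - off) {             /* off <= dstcap always holds here */
            rep.rejected = true;
            break;
        }
        memcpy(dst + off, names[i], len);
        off += len;
        dst[off++] = '\0';
    }
    rep.end_offset = (long)off;
    return rep;
}

/* Constructed inputs. Hostile: five owner names of 300 characters each, which a
 * real attacker would place in RRs of a reply to the car's DNS proxy. */
static char long_name[301];
static const char *hostile_names[5];
static const char *const benign_names[] = { "www.example.com", "example.com" };

static void build_hostile_names(void)
{
    memset(long_name, 'a', 300);
    long_name[300] = '\0';
    for (int i = 0; i < 5; i++)
        hostile_names[i] = long_name;
}

static struct copy_report run_hostile_vulnerable(void)
{
    build_hostile_names();
    return copy_names_vulnerable(hostile_names, 5);
}

static struct copy_report run_hostile_fixed(void)
{
    static char buf[UNCOMP_LEN];
    build_hostile_names();
    return copy_names_fixed(buf, sizeof buf, hostile_names, 5);
}

static struct copy_report run_benign_vulnerable(void)
{
    return copy_names_vulnerable(benign_names, 2);
}

int main(void)
{
    struct copy_report v = run_hostile_vulnerable(), f = run_hostile_fixed();
    printf("vulnerable: end offset %ld, out of bounds %d, unbounded copy %d\n",
           v.end_offset, (int)v.out_of_bounds, (int)v.unbounded_copy);
    printf("fixed: stopped at offset %ld, rejected %d\n", f.end_offset, (int)f.rejected);
    return 0;
}
```

With the hostile input, the fourth name already pushes the pointer 179 bytes past the buffer, and on the fifth the bound passed to strncpy() has wrapped, so the copy is no longer limited at all; the hardened loop stops at the fourth name with nothing written out of bounds.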

The uncompress() function in ConnMan 1.37 showing the strncpy / pointer-advance pattern that causes the stack overflow when processing crafted DNS reply records. Figure from Weinmann and Schmotzle, 2020 (TBONE).

I Feel a Draft: Opening the Doors and Windows

Berard, Dehors (Synacktiv), Hexacon 2022 [4]

This Hexacon 2022 / Pwn2Own Vancouver 2022 entry targets the Tesla Model 3 via Wi-Fi. Like TBONE, entry relies on the "Tesla Service" auto-connect SSID. The Model 3 infotainment runs Linux 4.14 on an Intel Atom A3950 SoC; an internal Ethernet switch connects all major ECUs.

Two previously unknown ConnMan bugs are at the core. CVE-2022-32292 is an off-by-one in the WISPR captive-portal HTTP client: ConnMan issues an HTTP GET to an attacker-controlled URL after connecting, and one specific byte located one past the end of a heap allocation is overwritten with NUL, corrupting heap metadata. CVE-2022-32293 is a double free in the same path, used to clean up the heap state. Exploitation combined heap shaping, a libc pointer infoleak through DHCP hostname manipulation, and tcache poisoning for an arbitrary write. The sandbox escape used a raw socket available to ConnMan, which gave direct Ethernet access to the Gateway's CAN proxy for frame injection. The fixes covered both ConnMan CVEs and two kernel issues, CVE-2022-42431 and CVE-2022-42430.

Model 3 ICE architecture (Ethernet network), showing the Infotainment, Wi-Fi/BT chip (BCM4359), Gateway, Connectivity card, and Autopilot interconnections. Figure from Berard and Dehors, 2022 (I Feel a Draft).

Unlocking the Drive

Berard, Dehors (Synacktiv), Pwn2Own Vancouver 2023 [5]

A three-stage chain against the Model 3 via Bluetooth Classic, presented at Pwn2Own Vancouver 2023. Entry is the bsa_server process (the BSA vendor Bluetooth stack), compiled without PIE and with debug symbols available from a related open-source project. The Basic Imaging Profile (BIP), used to fetch phone cover art over OBEX, has a heap overflow triggered by a malformed image properties descriptor. Exploitation used heap spraying, a libc pointer infoleak via DHCP hostname manipulation, and ROP. A new Linux kernel LPE provided the sandbox escape; an RCE in the Security Gateway process gave CAN write access. Patches followed for all three components.

Exploit chain for the 2023 Pwn2Own entry: Bluetooth BIP heap overflow in bsa_server, kernel LPE, and Security Gateway RCE leading to CAN write. Figure from Berard and Dehors, 2023 (Unlocking the Drive).

0-Click RCE on the Tesla Infotainment Through Cellular Network

Berard, Dehors (Synacktiv), OffensiveCon 2024 [6]

Presented at OffensiveCon 2024 (Pwn2Own Automotive Tokyo 2024), this entry attacks the Tesla from the cellular network. The connectivity card is a Quectel modem bridging LTE to the internal Ethernet switch via VLAN.

The entry bug is a command injection in the ql_awd process (AT+QABFOTA="package","$(injected)") on the connectivity card, which should only be reachable internally. An iptables race condition at boot leaves the firewall absent roughly 25% of the time: the firewall service and QCMAP_ConnectionManager contend for the iptables lock, and if QCMAP_ConnectionManager wins, firewall exits without loading any rules. Synacktiv found a reliable remote trigger: the infotainment reboots the connectivity card after three consecutive internet probe failures, which an attacker-controlled base station can force by dropping the probe requests; NTP spoofing bypasses the reboot rate limit. With the firewall absent, the command injection is reachable from the base station. From the modem, the team pivoted to the infotainment over Ethernet and reached the same CAN path as prior entries.

Network architecture of the Tesla Model 3 showing the Ethernet switch, Connectivity card (LTE), Infotainment, Security Gateway (with CAN connections), and Autopilot. Figure from Berard and Dehors, 2024 (0-Click RCE Through Cellular Network).

BMW

Beemer, Open Thyself! - Security Vulnerabilities in BMW's ConnectedDrive

Spaar, heise online 2015 [7]

In January 2015, Dieter Spaar disclosed six vulnerabilities in BMW's ConnectedDrive telematics service, affecting approximately 2.2 million BMW, Mini, and Rolls Royce vehicles. After extracting the Combox telematics module firmware by desoldering its flash, Spaar found that all affected vehicles shared the same static symmetric keys for encrypting ConnectedDrive messages. Decrypting any ConnectedDrive message or forging new ones was therefore straightforward. The HTTP connection between car and backend carried no TLS, allowing an emulated GSM base station to intercept and substitute provisioning XML, activating Remote Services even on vehicles where the owner had disabled them. Replay attacks against door unlock succeeded because the protocol had no replay protection. BMW responded with an OTA configuration push enabling TLS for all ConnectedDrive traffic.

Attack flow for the BMW ConnectedDrive door unlock exploit: an SMS triggers the car to fetch a command over an unencrypted HTTP connection intercepted using an emulated GSM base station. Figure from Spaar, 2015 (Beemer, Open Thyself).

0-Days & Mitigations: Roadways to Exploit Connected BMW Cars

Cai, Wang, Zhang (Tencent Keen Security Lab), Black Hat USA 2019 [8]

An 18-month study of multiple BMW models documenting fourteen vulnerabilities across the NBT Head Unit, Telematic Communication Box, and Central Gateway.

The NBT splits across HU-Intel (QNX on x86, ConnectedDrive and multimedia) and HU-Jacinto (QNX on TI DRA44x, CAN). Three local attack paths into HU-Intel: a USB-to-Ethernet adapter that the QNX USB stack recognises and exposes as an unfiltered interface to internal services; a stack overflow in the navigation map update service (apnnavc) via an unbounded sprintf() on USB-supplied filenames; and a TOCTOU race in the diagnostic service allowing file swap between signature check and execution. Remotely, the unencrypted ConnectedDrive HTTP polling channel allowed a fake GSM base station to inject provisioning XML redirecting browser requests to attacker-controlled servers. Combined, these paths demonstrated code execution from the cellular network through to CAN injection via HU-Jacinto.

Architecture of the BMW NBT Head Unit, showing the Intel x86 HU-Intel and TI Jacinto HU-Jacinto processors, their QNET interconnect, and connections to the TCB and Central Gateway. Figure from Cai, Wang, Zhang, 2019 (0-Days and Mitigations).

Mercedes-Benz

Mercedes-Benz MBUX Security Research Report

Keen Security Lab of Tencent, 2020 [9]

A 91-page report covering the MBUX NTG6 platform found in the W177 A-Class, E-Class, GLE, GLS, and EQC. The head unit runs an Nvidia Parker SoC with a QNX hypervisor; a Renesas RH850 handles CAN. The T-Box uses a cellular baseband and a Renesas SH-2A MCU for CAN-D access.

The verified real-vehicle chain used the head-unit browser to reach code execution, then a kernel privilege escalation to gain root on the head unit. From there the researchers demonstrated persistence and body-function control such as ambient lighting, reading lights, and the sunshade. A separate bench/removal scenario reached the head unit over the internal CSB/MMB network and exploited HiQnet parser bugs. The report also analysed T-Box paths: the team did not find a cellular-network compromise, but on a debug-version T-Box they demonstrated SH-2A firmware downgrade and code-signing bypasses that enabled arbitrary CAN-D messages.

MBUX hardware architecture overview showing the Nvidia Parker SoC head unit, T-Box, and their CAN and Ethernet network topology. Figure from Tencent Keen Security Lab, 2020 (Mercedes-Benz MBUX Security Research Report).

Security Research on Mercedes-Benz: From Hardware to Car Control

Sky-Go Team, Qihoo 360, Black Hat USA 2020 [10]

This Black Hat USA 2020 paper covers a Mercedes-Benz E300L with the NTG 5.5 head unit and the HERMES telematics control unit. After reading the HERMES NAND flash (desoldered BGA) and reconstructing the YAFFS filesystem, the team found client TLS certificates encrypted with a hardcoded AES key; decrypting the private key allowed them to authenticate to Mercedes-Benz backend servers as a vehicle. A server-side SSRF in a social-plugins web application then exposed internal backend files. Together these gave access to backend services and allowed a demonstration of remote door unlock and engine start via the cloud. Mercedes-Benz deployed a full patch within weeks.

Volkswagen Group

The Connected Car: Ways to Get Unauthorized Access and Potential Implications

Keuper, Alkemade (Computest), 2018 [11]

This 2018 report covers the Harman MIB2 platform in the Volkswagen Golf GTE and Audi A3 e-tron. The MIB2 runs QNX 6.5.0 on an Nvidia Tegra T30. With its Wi-Fi hotspot active, a port scan revealed Telnet, undocumented TCP services, and UPnP; the Telnet root password was stored as a traditional DES-based crypt(3) hash, which only uses the first eight characters of the password, making it breakable by an FPGA dictionary attack for under $100. A remotely exploitable bug in an undocumented service escalated from arbitrary file read to a root shell on the MMX unit. An internal 10.0.0.0/24 network with a default Telnet password led to the RCC unit (a second QNX processor for CAN), which communicated with a Renesas V850 CAN controller over SPI. V850 firmware updates from the RCC required no signature re-validation; the team outlined the path to arbitrary CAN injection via backdoored V850 firmware but stopped short of implementing it for intellectual-property reasons. The CAN gateway blocked access to safety-critical buses. Two additional entry vectors were documented: on the Audi, the cellular (Audi connect) interface exposed a public IPv4 address reachable from the internet wherever the ISP permitted client-to-client traffic, and a USB-to-Ethernet dongle plugged into the head unit was recognised as an unfirewalled debug interface exposing the same internal services as Wi-Fi.

Attack chain from Computest 2018: Wi-Fi RCE on the MMX unit, through the RCC over Ethernet, to the Renesas V850 CAN controller and the gateway ECU. Figure from Keuper and Alkemade, 2018 (The Connected Car).

Back-connect to the Connected Car

Serdyuk, Kondikov (NavInfo Europe), Black Hat Europe 2022 [12]

This Black Hat Europe 2022 work covers the Volkswagen ID.3 (the same architecture is present on the ID.4 and ID.5, around 120,000 vehicles at disclosure). Two compute modules are in scope: ICAS3, the LG MEB ICAS3 infotainment built on a Qualcomm APQ8096AU running QNX 7 as host with Automotive Grade Linux as a QVM guest; and ICAS1, the gateway "brain" on a Renesas R-Car M3 R8A77960 running the L4Re Fiasco.OC microkernel with three EB Corbos Linux guest VMs (vm_java, vm_adaptive, vm_housekeeping), a squashfs+dm-verity rootfs, and an OP-TEE TrustZone OS. ICAS1 also contains a PowerPC SPC58 MCU running an RTOS that implements the actual CAN gateway.

Three CVEs were disclosed. CVE-2022-41557 is in the IVI guest's /usr/bin/swdlusb.sh USB software update script: a FAT32 USB drive containing swdl-entry.conf and swdl-pre-extra-exec.sh is executed as root with no signature check, giving guest AGL root from an inserted USB stick. CVE-2022-23778 is in the IVI host QNX MgrLog/MgrTsk service listening on 0.0.0.0:54323 and reachable from the AGL guest: the tcpSnifferWriteConfigFile command writes attacker-controlled arguments to a config file that tcpSnifferStart then passes to tcpdump, yielding root command execution on the QNX host, a VM escape from guest AGL. CVE-2022-23777 is in ICAS1's coredump-filter handling: with physical eMMC access an attacker plants files that cause /sbin/init.pre to copy coredump-filter into a writable dm-integrity partition where it can be replaced, used to extract per-VM dm-integrity keys from TrustZone, and then to execute arbitrary code in any of the three Corbos Linux VMs.

The chain achieved root on both AGL guest and QNX host of the IVI and inside the ICAS1 application VMs, with backdoor persistence. Demonstrated capabilities included microphone and camera access, GPS position and history, charging control, IVI and instrument-cluster display manipulation, and Bluetooth phonebook extraction. The team did not escape from the Corbos Linux VMs into the SPC58 gateway RTOS, so direct CAN injection was not achieved, and the entry vectors all require local access (USB port or removed-module eMMC).

Over the Air: Compromise of Modern Volkswagen Group Vehicles

Parnishchev, Ivachev (PCAutomotive), Black Hat Europe 2024 [13]

This Black Hat Europe 2024 work covers the MIB3 infotainment platform in Skoda and VW Group vehicles produced from 2021. MIB3 uses a Renesas R-Car M3 SoC running Yocto Linux 4.14.75 and a CARCOM FreeRTOS co-processor on a Cortex-R7.

Entry is a Bluetooth-triggered heap overflow in the picserver JPEG decoder of the phone contacts service: a crafted PBAP contact photo whose scanline exceeds the 0x4000-byte allocation (libjpeg's 1/8 scaling can produce up to a 0x7fff-byte scanline) overflows the buffer. From the phone service the team exploited a missing access-control check in MIB3's custom IPC mechanism to reach a shell-injection primitive in the Networking service, then loaded an unsigned kernel module to obtain root. CARCOM code execution came from patching shared RAM, giving raw CAN3 frame access. Persistence was achieved via a secure-boot bypass in Preh's proprietary image-compression extension to the R-Car BL2 stage of Arm Trusted Firmware: each compressed boot image carries a PCCP header with its own size field, and BL2 uses that header's size for LZ4 decompression while verifying the signature over a size taken from the certificate. Anything appended past the authenticated region is therefore decompressed and used even though it was never signed. Concatenating extra CPIO records after the initrd's TRAILER!!! marker (the kernel's initramfs unpacker continues through concatenated archives, and a later entry replaces an earlier one with the same path) let them overwrite the init script that brings up dm-verity, persisting code execution across reboots. Demonstrated capabilities included real-time GPS and speed tracking, in-car microphone access, screen control, and DNS-tunnelled C2 over the embedded eSIM.
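The two-lengths defect and the cpio override are easier to see in code. The following C program is an added example, not Preh's, Arm Trusted Firmware's or PCAutomotive's code: the signature is a toy keyed hash standing in for RSA, LZ4 decompression is a plain copy, the initrd is a made-up line-based record format standing in for cpio, and every struct and field name is an assumption. What it reproduces is the logic: authenticate the number of bytes the certificate names, process the number of bytes the image header names, and let a later record with the same path win.

```c
/* Added example: signature checked over cert.signed_len bytes, image processed
 * over hdr.payload_len bytes. Toy signature and toy archive format throughout. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct image_hdr { uint32_t payload_len; };              /* like PCCP's own size field */
struct cert      { uint32_t signed_len; uint64_t sig; }; /* length the signature covers */

static const uint8_t SIGNING_KEY[] = "not-a-real-key";  /* stand-in for the OEM key */

/* Toy signature: keyed FNV-1a over the first len payload bytes. Not a real MAC. */
static uint64_t toy_sign(const uint8_t *p, size_t len)
{
    uint64_t h = 0xcbf29ce484222325ull;
    for (size_t i = 0; i < sizeof SIGNING_KEY; i++) h = (h ^ SIGNING_KEY[i]) * 0x100000001b3ull;
    for (size_t i = 0; i < len; i++)             h = (h ^ p[i]) * 0x100000001b3ull;
    return h;
}

/* Vulnerable loader: authenticate signed_len bytes, then "decompress" payload_len
 * bytes. Everything between the two lengths is used without having been signed. */
static int bl2_load_vulnerable(const struct image_hdr *hdr, const struct cert *c,
                               const uint8_t *payload, uint8_t *out, size_t outcap, size_t *outlen)
{
    if (toy_sign(payload, c->signed_len) != c->sig) return -1;   /* bad signature */
    if (hdr->payload_len > outcap) return -2;                    /* does not fit */
    memcpy(out, payload, hdr->payload_len);                      /* LZ4 stand-in */
    *outlen = hdr->payload_len;
    return 0;
}

/* Fixed loader: a single source of truth for the length. The header's size must
 * equal the signed size, so nothing past the authenticated region is processed.
 * Covering the header with the signature would be the other way to close this. */
static int bl2_load_fixed(const struct image_hdr *hdr, const struct cert *c,
                          const uint8_t *payload, uint8_t *out, size_t outcap, size_t *outlen)
{
    if (hdr->payload_len != c->signed_len) return -3;            /* length mismatch */
    return bl2_load_vulnerable(hdr, c, payload, out, outcap, outlen);
}

/* Copy the value of the LAST record named `path` into val; NULL if absent. */
static const char *find_record(const uint8_t *fs, size_t len, const char *path,
                               char *val, size_t valcap)
{
    const char *found = NULL;
    size_t i = 0, plen = strlen(path);
    while (i < len) {
        const uint8_t *nl = memchr(fs + i, '\n', len - i);
        size_t rec = nl ? (size_t)(nl - (fs + i)) : len - i;
        if (rec > plen && memcmp(fs + i, path, plen) == 0 && fs[i + plen] == '=') {
            size_t vlen = rec - plen - 1;
            if (vlen >= valcap) vlen = valcap - 1;
            memcpy(val, fs + i + plen + 1, vlen);
            val[vlen] = '\0';
            found = val;
        }
        i += rec + 1;
    }
    return found;
}

/* Constructed initrd. The OEM signed the genuine archive, which ends with
 * TRAILER!!!; the attacker appends a second archive that redefines /init. */
static const char genuine[]  = "/init=mount-dm-verity-root\nTRAILER!!!=\n";
static const char appended[] = "/init=exec /bin/sh -c 'start backdoor'\nTRAILER!!!=\n";

struct boot_outcome {
    int genuine_fixed_rc, vuln_rc, fixed_rc;  /* loader return codes */
    int init_is_attackers;                    /* 1 if /init came from the appended archive */
    char init_vuln[64];
};

static struct boot_outcome persistence_demo(void)
{
    struct boot_outcome o = {0};
    size_t glen = sizeof genuine - 1, alen = sizeof appended - 1, outlen = 0;
    uint8_t image[256], out[256];
    memcpy(image, genuine, glen);
    memcpy(image + glen, appended, alen);

    struct cert c = { (uint32_t)glen, toy_sign((const uint8_t *)genuine, glen) };
    struct image_hdr honest = { (uint32_t)glen };             /* as shipped */
    struct image_hdr hostile = { (uint32_t)(glen + alen) };   /* attacker-edited */

    o.genuine_fixed_rc = bl2_load_fixed(&honest, &c, image, out, sizeof out, &outlen);
    o.vuln_rc = bl2_load_vulnerable(&hostile, &c, image, out, sizeof out, &outlen);
    if (o.vuln_rc == 0 && find_record(out, outlen, "/init", o.init_vuln, sizeof o.init_vuln))
        o.init_is_attackers = strcmp(o.init_vuln, "exec /bin/sh -c 'start backdoor'") == 0;
    o.fixed_rc = bl2_load_fixed(&hostile, &c, image, out, sizeof out, &outlen);
    return o;
}

int main(void)
{
    struct boot_outcome o = persistence_demo();
    printf("vulnerable BL2: rc=%d, /init -> %s\n", o.vuln_rc, o.init_vuln);
    printf("fixed BL2: genuine rc=%d, tampered rc=%d\n", o.genuine_fixed_rc, o.fixed_rc);
    return 0;
}
```

The signature over the genuine bytes is still perfectly valid in the tampered image; what changed is only the unsigned header, and the vulnerable loader trusts it for the amount of data to process. The practical review question for any signed-container format is the same: is every length the loader acts on either inside the signed region or forced equal to a value that is.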

Vulnerability chaining diagram for the MIB3 exploit: Bluetooth heap overflow, IPC shell injection, kernel module LPE, CARCOM code execution, and secure boot bypass for persistence. Figure from Parnishchev and Ivachev, 2024 (Over the Air).

Nissan

Vulnerabilities in Nissan Infotainment Manufactured by Bosch

Smirnova, Motspan, Evdokimov (PCAutomotive), advisory 2025 [14]

PCAutomotive published this advisory in March 2025, disclosing ten CVEs affecting the infotainment ECU in the Nissan Leaf ZE1 (2020), manufactured by Bosch. The IVI runs Linux on an NXP i.MX 6 SoC; an RH850 co-processor handles CAN.

Three stack overflows in the HFP handler within libevo_stack.so (CVE-2025-32059, CVE-2025-32061, CVE-2025-32062) allow code execution from a paired Bluetooth device: the library copies custom +ANDROID AT command parameters into fixed stack buffers without bounds checking and has no stack canaries. From the i.MX 6, a stack overflow in the RH850 firmware's INC interface (CVE-2025-32058) gives code execution on the CAN co-processor and unrestricted CAN frame injection on all connected buses. An anti-theft bypass (CVE-2025-32056) exploits a fixed 32-entry seed-to-response lookup table in the startup challenge-response, allowing an IVI removed from its vehicle to bypass anti-theft. A TLS misconfiguration in the Redbend OTA service (CVE-2025-32057) combined with the NXP i.MX 6 boot ROM vulnerability (CVE-2017-7932) enables persistent root and arbitrary firmware delivery. The full chain starts with one-time Bluetooth pairing.

Vulnerability chaining diagram from the PCAutomotive Nissan advisory: Bluetooth RCE, RH850 stack overflow for CAN access, and persistent root via HAB secure boot bypass. Figure from PCAutomotive, 2025 (Nissan Bosch Advisory).

Multi-OEM Web APIs

Web Hackers vs. The Auto Industry

Sam Curry et al., samcurry.net 2023 [15]

A project targeting the telematics web APIs of more than a dozen automotive brands, applying conventional web application techniques (IDOR, broken access control, SSO misconfiguration, SQL injection) to the backend services owners use to lock, unlock, locate, and start vehicles remotely.

Findings spanned many brands. Kia, Honda, Infiniti, Nissan, and Acura APIs accepted only a VIN as authorisation for remote start and GPS commands. BMW and Rolls Royce had an SSO portal where a wildcard user query combined with an unauthenticated TOTP-generation endpoint gave full account takeover for any employee. Mercedes-Benz had a repair-shop registration portal writing to the same LDAP as employee SSO, giving access to internal GitHub, Jenkins, and Mattermost with RCE on several services. Ferrari's dealer CMS exposed an API key in client-side JavaScript granting access to all customer records. Spireon's global administration panel, accessible via SQL injection, allowed sending arbitrary telematics commands including starter disable to 15.5 million tracked vehicles.

Spireon global administration portal, accessible via an SQL injection bypass, allowing arbitrary telematics commands to 15.5 million vehicles. Figure from Curry et al., 2023 (Web Hackers vs. The Auto Industry).

The paper illustrates that the cloud API tier is often the weakest link in vehicle telematics; a backend compromise can be equivalent to a physical connection to every vehicle in a fleet.

Third-Party Telematics

Attacking Vehicle Fleet Management Systems

Pareja Veredas, Mehaboobe, DefCamp 2023 [16][17]

This DefCamp 2023 work covers aftermarket telematics control units (T-boxes, or TCUs) used in commercial fleet management, targeting two vendors: the SANY Hopechart HQT401 and a second undisclosed vendor. The HQT401 is an Android-based 4G/Wi-Fi/Bluetooth device factory-installed in SANY heavy equipment and sold as an aftermarket unit; the undisclosed vendor supplies a Linux-based TCU to fleet operators across the automotive and logistics sectors. The research began in 2020 as a side project and was conducted entirely black-box.

Both devices shared a common weakness: unauthenticated MQTT brokers with no access control, discoverable via Shodan and Censys. The HQT401 firmware, obtained by attaching a USB cable to an exposed debug port and pulling a root ADB shell, had unstripped binaries and no signature enforcement. The MQTT channel used neither authentication nor encryption, exposing GPS telemetry, speed, RPM, fuel level, and CAN traffic from the entire connected fleet. The backend accepted CAN injection commands framed as ordinary MQTT messages, so any unauthenticated client could inject arbitrary frames. For the undisclosed vendor, the firmware was retrieved from a URL embedded in an MQTT OTA command, and reverse engineering revealed a privilege-escalation path via a web-interface buffer overflow and broken token validation, yielding root code execution without physical access to the device. That vendor's platform additionally exposed live video streams, engine immobilisation commands, and CAN read/write. Combined, the two deployments covered approximately 185,000 vehicles; as of the conference date neither vendor had shipped a complete patch.

Hopechart HQT401 T-box device, an Android-based fleet TCU. Figure from Pareja Veredas and Mehaboobe, 2023 ((Re)Playing With Your Keys).

References

[1] Nie, Liu, Du. FREE-FALL: Hacking Tesla from Wireless to CAN Bus. Black Hat USA 2017.
[2] Keen Security Lab of Tencent. Exploiting Wi-Fi Stack on Tesla Model S. Keen Security Lab Blog, 2020.
[3] Weinmann, Schmotzle. TBONE: A Zero-Click Exploit for Tesla MCUs. Comsecuris, 2020.
[4] Berard, Dehors. I Feel a Draft. Opening the Doors and Windows: 0-Click RCE on the Tesla Model 3. Hexacon 2022 / Pwn2Own Vancouver 2022.
[5] Berard, Dehors. Unlocking the Drive: Exploiting Tesla Model 3. CanSecWest 2023 / Pwn2Own Vancouver 2023.
[6] Berard, Dehors. 0-Click RCE on the Tesla Infotainment Through Cellular Network. OffensiveCon 2024 / Pwn2Own Automotive Tokyo 2024.
[9] Keen Security Lab of Tencent. Mercedes-Benz MBUX Security Research Report. Tencent Keen Security Lab, 2020.
[10] Sky-Go Team, Qihoo 360. Security Research on Mercedes-Benz: From Hardware to Car Control. Black Hat USA 2020.
[13] Parnishchev, Ivachev. Over the Air: Compromise of Modern Volkswagen Group Vehicles. Black Hat Europe 2024.
[14] Smirnova, Motspan, Evdokimov. Vulnerabilities in Nissan Infotainment System Manufactured by BOSCH. PCAutomotive Advisory, 2025.
[15] Curry, Rivera, Buerhaus, Robert, Carroll, Rhinehart, Shah. Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More. samcurry.net, January 2023.
[16] Pareja Veredas, Mehaboobe. (Re)Playing With Your Keys: Attacking Vehicle Fleet Management Systems. DefCamp 2023.