Zingbox Identifies New Cybersecurity Threat for Cars and Drivers at DefCon 26

Research From Leading IoT Security Provider Shows the First-Ever
SMS-Commanded Malware Infection to a Car's 'Infotainment' System,
Putting Drivers' Personal Data and Safety At Risk

Zingbox,
the leading Internet of Things (IoT) device management and security
provider, today announced new research that shows how a car's driver can
be subject to cybersecurity attacks through the car's "infotainment"
system, the embedded operating system powering the iPad-looking display
on today's modern cars. Daniel Regalado, Zingbox principal security
researcher, will describe how he and his colleagues infected a car's
infotainment system with malware, making it possible to exfiltrate the
driver's personal information via SMS messages, at the DefCon 26 Car
Hacking Village in Las Vegas on August 10, 2018. These research findings
could have important implications for rental car drivers and the $28B
U.S. rental car market, according to Regalado.

Previous car hacking efforts focused on the car's functionality –
brakes, steering and door locking mechanisms. The idea that a car could
be infected with ransomware or other viruses was hypothetical until now.
Zingbox researcher Regalado, co-author of Gray Hat Hacking, and
independent researchers Gerardo Iglesias and Ken Hsu broke into a car's
infotainment system and reverse-engineered its main components with one
goal in mind: to determine if a car's operating system could be infected
with malware and prove that this Trojan could be controlled remotely
through SMS messages. In this way, a driver's personal data and safety
could be compromised using the driver's own cell phone.

"In order to provide real-time security to all IoT
devices, Daniel Regalado and others on Zingbox's research team
continuously push the boundaries of IoT vulnerability research," said Xu
Zou, Zingbox CEO and co-founder. "We're glad to share our latest
findings with the broader security community and raise the awareness of
the impact of IoT device vulnerabilities."

An auto infotainment system depends on the Internet of Things (IoT) to
operate. The fact that an infotainment system can be infected is
an important lesson for the industry, suggesting the need for stepped-up
IoT cybersecurity solutions similar to what is already available for IoT
devices in healthcare, financial services and manufacturing. This would
protect drivers, especially the millions of car renters around the world.

"The fact that we can infect a car's infotainment system and expose
private data sheds light on an important vulnerability for manufacturers
going forward," said Regalado. He has also recently hacked a
Telepresence Robot, an IV pump and other medical devices.

A car's infotainment system powers GPS navigation and music selection,
makes and receives phone calls, reads SMS messages, and can manage
firmware updates. A maliciously crafted USB device plugged into a
vehicle can infect the infotainment system. The driver can be tricked
into doing this through social engineering, for example with a USB drive
loaded with free music that entices the driver to plug it in. Once
paired with the driver's phone, malware in the infotainment system
leverages the phone's SMS message service to access personal information
such as contact lists. It can also intercept banking authentication
PINs, or even block incoming or outgoing calls. The same SMS service
could then be used to take control of the infotainment system remotely
and create distractions for the driver or put the system into an
unusable state that requires repair from the manufacturer.

About Zingbox

Zingbox is the leading provider of an Internet of Things (IoT) analytics
platform for device management and security. Named a Cool Vendor in IoT
Security by Gartner and recipient of the Stevie Award for Most
Innovative Company, Zingbox helps organizations realize the full
potential of their IoT devices, delivering a new standard for
uninterrupted service, operational efficiency and security for the
entire IoT environment. The company's AI machine learning platform uses
the first real-time deep behavioral learning technology for IoT devices.
For more information, please visit http://www.zingbox.com.