In-Vehicle Infotainment Systems Cybersecurity
December 20, 2023

Cybersecurity Considerations for In-Vehicle Infotainment Systems

Security & Compliance
Static Analysis

The focus of today’s new-car buyer centers more on the “Digital Cockpit ecosystem experience” and less on the traditional features, such as horsepower and fuel economy. The automotive industry has made it a priority to deliver that experience with fully connected in-vehicle infotainment (IVI) systems of touchscreen displays, voice commands, and integrated information and entertainment functions.

Back to top

What are In-Vehicle Infotainment Systems?

Increasingly, the end-consumer expects to be able to connect fully to their “digital ecosystem” experience. The “Smart Cockpit” is central in an in-vehicle infotainment system and is becoming a key differentiator for OEMs and their car brands.

In-vehicle infotainment (IVI) is a combination of vehicle systems deployed to deliver audio/video interfaces and control elements to a vehicle’s occupants — touchscreen displays, button panels, voice commands, and more.

Here’s a snapshot of the components or modules that comprise a “Smart Cockpit”:

  1. User Interface: What drivers and passengers see and interact with on the screen, either by touch or with knobs and dials.
  2. Head Unit: Includes the display, housing, circuit board, CD/DVD player, radio, and multiple processors — collectively called the vehicle’s head unit. It’s also the interface with all the vehicle’s physical inputs, such as the sound system and/or external cameras.
  3. Operating System (OS): The core of the infotainment system, the OS controls access to the processor, memory, storage, and the display — in the head unit.
  4. Application Framework Module: Manages everything from the Spotify app to navigation and interactions with the system, such as text-to-speech and voice commands. It controls all application functions and which apps can appear in the head unit.
  5. Mobile Integration: Enables the vehicle to connect with various smartphones and devices. Supports Wi-Fi, Bluetooth, and plug-and-play programs, such as Google Play’s Mirror Link, Apple CarPlay and Android Auto, which imports to the screen a modified version of the phone’s media and apps.
  6. Car Platforms: The software bridge between the application framework and the OS to support multimedia, video, navigation, audio, radio, acoustics, software updates, cloud services, and more.

According to a recent analysis by industry research firm Frost & Sullivan, “connected vehicles” will constitute nearly 86% of the global automotive market by 2025. In the same year, the IVI market is projected to reach $42.7 billion.

But it’s also the case that the IVI systems themselves along with third-party apps create numerous vulnerability threat points for cybercriminals. OEMs and Tier 1 suppliers of IVI systems to the automotive industry must work to ensure that the embedded code within those systems adheres to safety- and security-critical standards. Doing so helps avoid costs of a recall and impacts on business reputation.

📘 Related Resource: Key Safety and Cybersecurity Considerations for In-Vehicle Infotainment Systems [White Paper]
Back to top

Cyberattacks Pose Severe Risks to In-Vehicle Infotainment

In-vehicle infotainment systems have evolved considerably in just a few short years, and are expected to evolve further still, at a rapid pace, as emerging technologies such as AI, ML, and AR enter the automotive space to become standard integrations in these embedded "Digital Cockpit" systems. While IVI systems are currently made to inform and entertain, they could soon play a larger role as the main communications piece for all functions within the vehicle. Users may see more in the way of AR and 3D navigation and alerts, interactive traffic and hazard warnings, and communication with other vehicles on the road. 

With so many more features and connectivity added to IVI systems every year, developers managing over-the-air software updates must account for the myriad attack surfaces and potential vulnerabilities of the in-vehicle network. 

Because IVI systems are connected to the internet and run operating systems using Android, RTOS, Linux, QNX, and Windows Embedded Automotive — as well as USB connections, Bluetooth, and Wi-Fi — there are many ways hackers can find these entry points and exploit vulnerabilities in the code, which could affect user privacy and safety. 

Up to 90% of software security problems are caused by coding errors. That's why it's important to ensure there is no situation where failure could occur. Yet code quality is still not where is should be in many IVI systems, leading to new vehicles having glitchy and cumbersome IVI. Developers wanting to improve code quality and in-vehicle infotainment cybersecurity should use coding standards and static analysis tools as part of cybersecurity and quality-first best practices. 

📘 Related Resource: Watch On-Demand Video: "Ensuring Quality First for Automotive In-Vehicle Infotainment Systems"

The Importance of Coding Standards for In-Vehicle Infotainment Systems

It can be said that connected vehicles are four-wheeled computers linked to the internet through their IVI system. And since an IVI system is part of an intra-vehicle network, it can create many vulnerable threat points for hackers who might be able to gain control of a driver’s smartphone and access personal data, manipulate vehicle safety-critical system functions, or fabricate system-update programs. So, it’s essential that IVI systems-development practices adhere to coding standards and guidelines.

Two more recent initiatives that are expected to benefit IVI systems are the ISO/SAE 21434 standard and the United Nations Economic Commission for Europe (UNECE) WP.29 regulation. These standards complement each other as both prepare the automotive industry for securing a new generation of connected vehicles.

The ISO/SAE 21434 standard builds on its predecessor, ISO 26262, which doesn’t cover software development or subsystems. ISO/SAE 21434 focuses on the cybersecurity risks inherent in the design and development of car electronics. The automotive software security standard provides a structured process to ensure that cybersecurity considerations are incorporated into automotive products throughout their lifetime.

Unlike ISO/SAE 21434, the WP.29 regulation places the onus on OEMs to manage cybersecurity risks along the entire supply chain.

Back to top

How IVI Cybersecurity Vulnerabilities Impact OEMs

OEMs and their first-tier suppliers need to take steps to avoid the negative impacts of a vulnerability in their IVI embedded software as an attack can threaten the privacy and safety of drivers and their passengers. A cybersecurity incident can be incredibly costly and time-consuming and can lead to vehicle recalls that ultimately impact the bottom line, loss of reputation, and organizational productivity.

Recalls often happen due to software glitches in IVI systems. In a recent survey on the most unreliable family cars, one latest-generation vehicle topped the list with 57% of vehicles suffering from glitches — and IVI issues affected 33% of these cars. 

Software glitches in infotainment systems can cause recalls due to issues of both safety and security. For example, a glitch could allow drivers to browse the internet and watch TV while driving. Software glitches could also cause car screen display-blackouts in cold weather. 

Even if a glitch is not apparent right away, a malicious actor could potentially exploit this type of bug in the software and shut down key functionalities that impact both safety and security. 

Ensuring that the code in IVI systems meet necessary standards and compliance requirements helps avoid costs of a recall and impacts on business reputation and profitability. 

Back to top

Why SAST Is Essential for In-Vehicle Infotainment Systems Software Code

The static application security testing (SAST) software-testing methodology inspects and analyzes application source code, byte code, and binaries for coding and design conditions to uncover security vulnerabilities in IVI systems software. The working mechanism behind SAST is a static analysis tool that checks for design and coding flaws.

Ideal for enterprise DevOps and DevSecOps, Klocwork is an industry-leading static analysis and SAST tool for C, C++, C#, Java, JavaScript, Python, and Kotlin-designed source code. What’s more, 9-out-of-10 of the top automotive parts manufacturers rely on Perforce static analysis tools to help ensure the security, safety, and compliance of their automotive software.

See for yourself how Klocwork helps ensure the quality of your embedded software. Request your free 7-day trial today.

➡️ sign Up For Your Free Trial

Back to top