Zingbox, the leading Internet of Things (IoT) device management and security provider, has new research that shows how a car’s driver can be subject to cybersecurity attacks through the car’s “infotainment” system, the embedded operating system powering the iPad-looking display on today’s modern cars.

Previous car hacking efforts focused on the car’s functionality — brakes, steering, and door locking mechanisms. The idea that a car could be infected with ransomware or other viruses was hypothetical until now.

Zingbox researcher Daniel Regalado, co-author of Gray Hat Hacking, and independent researchers Gerardo Iglesias and Ken Hsu broke into a car’s infotainment system and reverse-engineered its main components with one goal in mind: to determine if a car’s operating system could be infected with malware and prove that this Trojan could be controlled remotely through SMS messages. In this way, a driver’s personal data and safety could be compromised using the driver’s own cell phone.

An auto infotainment system depends on the IoT to operate. The fact that an infotainment system can be infected is important learning for the industry, suggesting the need for stepped-up IoT cybersecurity solutions similar to what is already available for IoT devices in healthcare, financial services, and manufacturing. This would protect drivers, especially the millions of car renters around the world.

A car’s infotainment system powers GPS navigation and music selection, makes and receives phone calls, reads SMS messages, and can manage firmware updates. A maliciously crafted USB device plugged into a vehicle can infect the infotainment system, something that could be done by a driver via social engineering tricks, such as a USB loaded with free music that entices a driver to plug in the infected USB drive.

Once paired with the driver’s phone, malware in the infotainment system leverages the phone’s SMS message service to access personal information such as contact lists. It can also intercept banking authentication pins, or even block incoming or outgoing calls. The same SMS service could then be used to take control of the infotainment system remotely and create distractions for the driver or put the system into an unusable state that requires repair from the manufacturer.