Talk Title:

Hardware Hacking a Car’s Head Unit & Uncovering a Vulnerable RTOS

Abstract:

Modern vehicles are becoming increasingly complex, with infotainment systems (IVIs) acting as critical components that bridge user interaction, vehicle control, and connectivity. In this talk, we dive into the hardware hacking techniques used to extract and reverse engineer the firmware of a 2024 model car’s head unit, which is not publicly available.

By leveraging Bus Pirate protocols and a logic analyzer, we dissect the boot process and runtime behavior of this infotainment system, uncovering its internal mechanisms. A proprietary RTOS was discovered, and through ARMv7 assembly reverse engineering, we are conducting an in-depth security analysis to identify potential vulnerabilities. Additionally, we analyze the IVI system interactions, input processing threads, and potential attack vectors within the vehicle’s communication infrastructure.

This ongoing research has already revealed fascinating insights into the system's internals, attack surfaces, and potential security flaws. Join us as we explore the intersection of hardware hacking, firmware reversing, and automotive security, shedding light on the risks hidden within modern vehicle technology. 🚗🔍💀

Speaker Bio:

Danilo Erazo is an Electronics and Computer Networks Engineer currently completing a master's degree in Cybersecurity. He is the founder of the company "Reverse Everything," where he carries out pentesting projects (Web, On-premise, Cloud, Mobile, IoT) and creates cybersecurity content. He also focuses on research in areas such as hardware hacking, radio frequency, and car hacking. Danilo has been a speaker at internationally recognized cybersecurity events such as DEFCON 32, Ekoparty 2024, Ekoparty 2023, Bsides Colombia 2024, and Nerdearla Chile 2024, where he presented security vulnerabilities discovered through reverse engineering techniques in routers and vehicles.

Danilo holds various practical cybersecurity and computer networks certifications, including OSWP, CEH, CBP, CCSP, CPAZ, CNSP, CAP, CPNA, CCNA, API Security for Connected Cars and Fleets, and Practical Junior IoT Tester (PJIT), among others. He is a collaborator of the DEFCON Car Hacking Village and the founder of the Car Hacking Village at Ekoparty. Finally, he is the founder and creator of Ecuador's most important cybersecurity conference, "PWN OR DIE."

You can visit the Danilo Erazo Blog and his company at: https://revers3everything.com