Researchers Alex Plaskett and McCaulay Hudson from NCC Group recently demonstrated how an attacker could use zero-day vulnerabilities in the Pioneer DMH-WT7600NEX infotainment system to deploy spyware, effectively transforming the system into a real-time surveillance device.
The Pioneer DMH-WT7600NEX, a $1,000 aftermarket infotainment unit, is a popular choice for updating older vehicle head units. But, as the researchers demonstrated, its connectivity features also make it a prime target for cyber intrusions. By chaining together three previously unknown vulnerabilities, they were able to access sensitive data such as browsing history, call logs, Wi-Fi credentials, and live GPS locations.
"You could just watch a driver, for example, driving down the street, and see their GPS location moving. Or if they were making a call, you could see who they made the call to," Hudson warned at the Insomnihack conference in Switzerland. The vulnerabilities have since been patched, but experts caution that many vehicles remain vulnerable due to a difficult update process.
Exploiting the IVI System
The attack begins with an exploit in the system’s telematics application, specifically its connection to third-party sports data provider Gracenote. By exploiting an improper certificate validation flaw (CVE-2024-23928, CVSS score 6.5), attackers can set up a rogue server impersonating Gracenote to intercept and manipulate data.
From there, a second vulnerability (CVE-2024-23929, CVSS score 7.3) allows attackers to inject arbitrary files by masquerading them as images used for displaying sports logos. This opens the door for a third exploit (CVE-2024-23930, CVSS score 4.3), which lets attackers crash the system and execute their malicious payload upon reboot.
"When you're in this position, one of the things that the infotainment system tries to do is download the images associated with teams, like their logo or stadium. But you can control the data within that image — it doesn't have to actually be an image. It can be any file, basically," Hudson explained.
Who’s at Risk?
Executing the attack requires physical access to the infotainment system, either via a personal hotspot or through a USB drive. While this may seem like a limitation, the researchers point out that there are plenty of realistic attack scenarios.
"Passengers in any vehicles that are for public use—like taxis, hired cars, etc.—or someone who's spying on their spouse would already have physical access," Hudson noted. Another potential risk is secondhand sales, where a compromised system could be passed on to unsuspecting buyers.
Updates Are Available, but Will Users Apply Them?
Pioneer has patched the vulnerabilities in firmware version 3.06, but the update process is far from user-friendly. Unlike some IVI systems that automatically prompt users to install updates, this model requires manual intervention.
"It's actually quite difficult to update this IVI," Plaskett explained. "You need to go to the website and download the firmware manually, put it on a USB stick, plug it into your IVI, and click the buttons necessary to install it. You can do it via the mobile app as well, but it means you have to have the mobile app installed. And if you don’t know there’s a security update, you might decide, ‘I’m not going to install that.’"
Complicating matters further, Pioneer’s patch notes for version 3.06 make no mention of security vulnerabilities, reducing the likelihood that drivers will recognize the urgency of the update. "There are probably quite a few people still out there in the world who have not applied this update," Plaskett warned.
The Growing Threat of Connected Vehicles
This latest demonstration underscores the risks associated with connected vehicle technology. While modern IVI systems offer convenience and entertainment, they also introduce new attack surfaces that could be exploited by malicious actors.
Security experts emphasize the need for manufacturers to take a more proactive approach in issuing security updates and educating users about potential risks. Until then, drivers who rely on aftermarket infotainment systems remain in a precarious position—one firmware update away from either security or surveillance.