Cars and IoT devices have various cybersecurity attack surfaces, including mobile apps, radio signals, cloud servers, and physical access. As technology advances, these devices are increasingly connected, providing convenience while also expanding the potential attack vectors for malicious actors. This talk will explore security concerns in cars and IoT devices from an attacker's perspective, using real-world examples to illustrate potential vulnerabilities.

With the rapid development of smart car technology, seamless connectivity between vehicles and various smart devices has become a major highlight in enhancing the driving experience. However, this also presents significant challenges to Bluetooth security. As the primary communication protocol between smart cars and devices such as smartphones, headphones, and entertainment systems, Bluetooth is vulnerable to hacker attacks, potentially leading to personal data leaks or remote control of vehicle systems. Therefore, strengthening the security of Bluetooth communication has become a critical issue in ensuring the safety of smart vehicles.

In this session, we will examine several recent Bluetooth vulnerabilities related to the automotive industry. We will begin by discussing implementation flaws in Bluetooth for several charging stations in 2024 as an entry point. Then, we will cover the Tesla combination attack in 2023, which resulted from implementation errors in a vendor SDK. Following that, we will explore vulnerabilities caused by implementation flaws in the Linux Bluetooth subsystem and undefined behaviors in the Bluetooth specification. Finally, we will conclude with key considerations for Bluetooth development and mitigation measures.

This study reveals that Apple CarPlay dongles/adapters manufactured by large-scale OEM vendors in the market pose numerous security risks. Devices that are intended to provide convenience for users can potentially become entry points for hackers. This presentation will share the research motivation and process, explore methods for securely implementing IoT devices, and discuss ways to reduce the attack surface.

In recent years, the GenAI wave has swept across a wide range of industries, and the automotive sector is no exception. Whether it’s improving customer experience, enhancing driving safety, or detecting road hazards, many manufacturers are exploring ways to use LLMs or GenAI to boost product value. One major automotive chip maker—Qualcomm—painted a compelling vision at its Tech Day in October 2024 for integrating GenAI and other next-generation service models into future automotive platforms.

However, bringing GenAI—cultivated on large GPU clusters in the cloud—down to on-premises or even in-vehicle systems is no simple task, and it comes with a variety of new security risks. This presentation will be divided into two main parts. In the first part, we will discuss the architecture and solutions available for practically deploying GenAI into vehicles. In the second part, we will analyze the security risks of each approach, including functionalities that have already been shown to pose concerns, as well as a forward-looking security assessment for large-scale adoption of this technology. Finally, we will provide relevant security recommendations.