In-Vehicle Infotainment (IVI) is an integrated in-vehicle information processing system that uses a dedicated in-vehicle central processor and is built on the body bus system and Internet services. IVI supports a range of applications, including three-dimensional navigation, real-time traffic conditions, IPTV, assisted driving, fault detection, vehicle information, body control, mobile office, wireless communication, online entertainment functions and TSP services, which greatly improves the level of vehicle electrification, networking and intelligence.
What is in-vehicle infotainment?
More and more end consumers want to be fully connected to their "digital ecosystem" experience. The "smart cockpit" is the core of the in-vehicle infotainment system, which is becoming a key differentiating advantage for OEMs and their car brands.
In-vehicle infotainment (IVI) is a combination of vehicle systems used to provide audio/video interfaces and control elements to vehicle passengers - touch screen displays, button panels, voice commands, etc.
The following is a snapshot of the components or modules that make up the "smart cockpit":
User interface: What the driver and passengers see and interact with on the screen by touch or knobs and dials.
Head unit: Includes the display, housing, circuit boards, CD/DVD player, radio, and multiple processors (collectively referred to as the vehicle's head unit). It is also the interface for all physical inputs to the vehicle, such as the sound system and/or external cameras.
Operating System (OS): As the heart of the infotainment system, the OS controls access to the processor, memory, storage, and display in the head unit.
Application Framework Module: Manages everything from the Spotify app to navigation and interactions with the system, such as text-to-speech and voice commands. It controls all app functionality and which apps can appear in the head unit.
Mobile Integration: Enables the vehicle to connect to a wide range of smartphones and devices. Supports Wi-Fi, Bluetooth, and plug-and-play programs such as Google Play's Mirror Link, Apple CarPlay, and Android Auto to import modified versions of your phone's media and apps to the screen.
Automotive Platform: The software bridge between the application framework and the OS, supporting multimedia, video, navigation, audio, radio, acoustics, software updates, cloud services, and more.
According to a recent analyst report by industry research firm Frost & Sullivan, by 2025, the “connected car” will make up nearly 86% of the global automotive market. In the same year, the IVI market is expected to reach $42.7 billion. However, IVI systems themselves, as well as third-party applications, also create many points of vulnerability that cybercriminals can target. OEMs and Tier 1 suppliers of IVI systems in the automotive industry must work hard to ensure that the embedded code in these systems meets safety and security-critical standards. Doing so can help avoid recall costs and damage to business reputation.
Cyberattacks pose serious risks to in-vehicle infotainment systems
In-vehicle infotainment systems have come a long way in just a few years, and are expected to keep developing rapidly as emerging technologies such as AI, ML, and AR enter the automotive field and become standard integrations in these embedded “digital cockpit” systems. While IVI systems are currently used to provide information and entertainment, they will soon play a larger role as the main communication component for all functions within the vehicle. Users will be able to see more information through AR and 3D navigation and alerts, interactive traffic and hazard warnings, and communication with other vehicles on the road.
As IVI systems add more features and connectivity every year, developers managing over-the-air software updates must account for the myriad attack surfaces and potential vulnerabilities of the in-vehicle network.
Because IVI systems connect to the internet, run operating systems such as Android, RTOS, Linux, QNX, and Windows Embedded Automotive, and expose USB, Bluetooth, and Wi-Fi connections, hackers have many entry points through which to exploit vulnerabilities in the code, which can impact user privacy and security.
Up to 90% of software security issues are caused by coding errors. That’s why it’s important to ensure that glitches don’t happen. However, code quality is still not as good as it should be for many IVI systems, resulting in glitchy and cumbersome IVIs in new cars. Developers looking to improve code quality and in-vehicle infotainment cybersecurity should use coding standards and static analysis tools as part of cybersecurity and quality-first best practices.
Importance of Coding Standards for In-Vehicle Infotainment Systems
It can be said that a connected vehicle is a computer on four wheels that connects to the internet through its IVI system. Since the IVI system is part of the in-vehicle network, it can expose many points of vulnerability to hackers, who may be able to take control of the driver's smartphone and access personal data, manipulate vehicle safety-critical system functions, or create system update programs. Therefore, IVI system development practices must adhere to coding standards and guidelines.
Two other recent initiatives that are expected to benefit IVI systems are the ISO/SAE 21434 standard and the United Nations Economic Commission for Europe (UNECE) WP.29 regulation. These standards complement each other and prepare the automotive industry to ensure the security of the new generation of connected cars.
The ISO/SAE 21434 standard builds on its predecessor, ISO 26262, which does not cover software development or subsystems. ISO/SAE 21434 focuses on the cybersecurity risks inherent in the design and development of automotive electronics. The automotive software security standard provides a structured process to ensure that cybersecurity considerations are incorporated throughout the lifecycle of automotive products.
Unlike ISO/SAE 21434, the WP.29 regulation holds OEMs responsible for managing cybersecurity risks throughout the supply chain.
The Impact of IVI Cybersecurity Vulnerabilities
OEMs and their Tier 1 suppliers need to take steps to avoid the negative impact of vulnerabilities in their IVI embedded software, as attacks can threaten the privacy and safety of drivers and their passengers. Cybersecurity incidents can be costly and time-consuming, and can result in vehicle recalls, ultimately affecting profits, reputation, and organizational productivity.
Software glitches in IVI systems frequently result in recalls. A recent MSN survey of the least reliable family cars found that the latest generation of vehicles topped the list, with 57% experiencing glitches and 33% of vehicles affected by IVI issues.
Software glitches in infotainment systems can result in recalls due to safety and security issues. For example, a glitch could allow a driver to browse the internet and watch TV while driving. A software glitch could also cause a car screen to go dark in cold weather.
Even if the glitch is not immediately apparent, malicious actors could exploit this type of vulnerability in the software to shut down critical features that impact safety and security.
Ensuring that the code in your IVI system meets the necessary standards and compliance requirements can help avoid recall costs and impacts on business reputation and profitability.
Why SAST is critical for in-vehicle infotainment system software code
Static Application Security Testing (SAST) is a software testing methodology that examines application source code, bytecode, and binary files for coding and design conditions that indicate security vulnerabilities in IVI system software. The working mechanism behind SAST is a static analysis tool that checks for design and coding flaws.
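An added example, not from the original article or from any vendor's code: the kind of coding flaw static analysis is meant to catch in IVI input handling, shown in C beside its corrected form. The record layout, function names, and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TITLE_MAX 32 /* size of the destination buffer, including the NUL */

/* Constructed record layout (hypothetical, not a real IVI protocol):
 * byte 0 = field type (0x01 = track title), byte 1 = declared payload
 * length, bytes 2.. = payload (not NUL-terminated). */

/* BEFORE: trusts the length byte supplied by the external device. The
 * device-controlled value reaches memcpy's size argument unchecked. */
int parse_title_unchecked(const uint8_t *rec, size_t rec_len, char *out)
{
    (void)rec_len;           /* never consulted: this is the defect */
    uint8_t n = rec[1];
    memcpy(out, &rec[2], n); /* can read past rec and write past out */
    out[n] = '\0';
    return 0;
}

/* AFTER: every length is validated before use. Returns 0 on success and
 * -1 on a malformed or oversized record; out always holds a valid string. */
int parse_title_checked(const uint8_t *rec, size_t rec_len, char *out)
{
    if (out == NULL) return -1;
    out[0] = '\0';
    if (rec == NULL || rec_len < 2) return -1; /* header missing */
    if (rec[0] != 0x01) return -1;             /* unexpected field type */
    size_t n = rec[1];
    if (n > rec_len - 2) return -1;            /* would read past the input */
    if (n >= TITLE_MAX) return -1;             /* would overflow out */
    memcpy(out, &rec[2], n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed samples: "bad" declares 200 payload bytes but carries 3. */
    const uint8_t bad[] = { 0x01, 200, 'a', 'b', 'c' };
    const uint8_t ok[]  = { 0x01, 3, 'a', 'b', 'c' };
    char title[TITLE_MAX];
    int r_bad = parse_title_checked(bad, sizeof bad, title);
    int r_ok  = parse_title_checked(ok, sizeof ok, title);
    return (r_bad == -1 && r_ok == 0 && strcmp(title, "abc") == 0) ? 0 : 1;
}
```

The unchecked function compiles cleanly and works on well-formed input, which is why this class of defect tends to survive functional testing and is left for static analysis or code review to find.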
Ideal for enterprise DevOps and DevSecOps, Klocwork is the industry-leading static analysis and SAST tool for source code written in C, C++, C#, Java, JavaScript, Python, and Kotlin. In addition, 9 out of the 10 top automotive component manufacturers rely on Perforce static analysis tools to help ensure the security and compliance of their automotive software.