CarPlay at Risk: Unveiling Security Threats of Third-Party Infotainment Adapters

Modern vehicles offer extensive functionality through smartphone integration, enabling users to stream music, make calls, and access various applications. Some features, such as navigation, require a direct connection between the vehicle and the smartphone via Bluetooth or a USB cable. Android devices utilize Android Auto for this connection, while iOS devices rely on Apple CarPlay. For safety reasons, certain functions, such as playing live videos while driving, are deliberately restricted. However, aftermarket in-vehicle adapters have emerged that bypass these restrictions, enabling video playback on the in-vehicle infotainment (IVI) system. Notably, some adapters can establish CarPlay connections despite not running the iOS operating systems. To understand these mechanisms, we conducted a reverse engineering analysis of one such adapter to investigate how non-iOS devices exploit CarPlay compatibility. Additionally, we performed a differential analysis comparing this unauthorized connection with legitimate CarPlay connections between an iPhone and an IVI system. This paper examines the technical aspects of unauthorized device integration with CarPlay, identifies potential security threats, and proposes mitigation strategies to enhance the security of future CarPlay implementations.