The In-Vehicle Infotainment (IVI) system is increasingly becoming the core interaction and computing platform in connected vehicles, and is deeply coupled with in-vehicle networks through vehicle signal services, diagnostic channels, and gateway policies. Engineering/Factory Mode, designed for R&D debugging, manufacturing validation, and after-sales servicing, typically provides highly privileged capabilities such as debug toggles, logging/diagnostics, configuration writing, OTA-related operations, and vehicle integration testing. If Engineering/Factory Mode remains accessible in production builds via hidden entry points, weak authentication, or unclear authorization boundaries, attackers may obtain elevated privileges at low cost and expand their reach to vehicle control functions, resulting in vehicle-level cybersecurity risks. In this work, we conduct a security assessment of Engineering/Factory components on production IVI systems, summarize common entry-path categories and weaknesses, and evaluate the reachable control boundaries after privilege escalation from the perspective of coupling between engineering utilities and vehicle control services/middleware. Finally, we provide practical hardening recommendations for production deployments to reduce vehicle-level risks introduced by engineering functions while preserving serviceability and operational efficiency.
Presented at Security Fest 2026.
Speaker: Yuqiao Ning
Yuqiao Ning is the Technical Director of CATARC Intelligent and Connected Technology Co., Ltd. He has extensive experience in computer systems and software security research. In his current role, he is primarily responsible for pioneering research in automotive penetration technology and the development of automated detection tools. His work focuses on analyzing security risks within automotive open-source software, with a particular emphasis on understanding the critical intersection of automotive security vulnerabilities and functional safety. He has played a pivotal role in organizing numerous automotive information security attack and defense challenges, contributing significantly to the advancement of safer and more secure automotive technologies. Furthermore, he has played an instrumental role in shaping national automotive information security standards, contributing to the drafting of several key national standards.