Would a CD drive on a driverless car pose a security risk?

Not on a well-designed car

The CD player is part of the media system. It's likely that the media system has a number of security vulnerabilities, and a malicious CD can probably take control of the media system. It would be difficult to fix this without either greatly increasing the cost, or restricting the functionality of this.

The car control systems - the CAN bus - should be strongly separated from the media systems. In previous attacks, like Jeep hacking, attackers have been able to break across from the media system to the CAN bus. However, this represents poor design and implementation. The two systems should be kept separate - or at least, have a highly restricted interface - and it is possible to do that at reasonable cost.

Whether any future driverless cars will be well designed remains to be seen.


Yes, it would.

Researchers from UC San Diego actually implemented an attack through this vector:

“We found a flaw in a CD player in our car,” he said. “You could pick a song and code it in a way that if you played on your PC it’ll play fine, but if you play it in your car, it’ll take it over.”

http://www.sandiegouniontribune.com/news/education/sdut-ucsd-professor-cyber-hacking-2015aug28-story.html

Most probably this is through a memory corruption vulnerability in the meta information tags in the audio file. Through this they were probably able to direct commands to the CAN system that regulates the car.

But you don't even need a CD; in the worst case it can happen remotely through mobile networks


Never mind the CD player, your tires are conspiring against you

"Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study"

We also found out that current implementations do not appear to follow basic security practices. Messages are not authenticated and the vehicle ECU also does not appear to use input validation. We were able to inject spoofed messages and illuminate the low tire pressure warning lights on a car traveling at highway speeds from another nearby car, and managed to disable the TPMS ECU by leveraging packet spoofing to repeatedly turn on and off warning lights.