In a security analysis report, Damon McCoy, an assistant professor of computer science and engineering at the NYU Tandon School of Engineering, and a group of students at George Mason University found vulnerabilities in MirrorLink software that allows vehicles to communicate with smartphones.
McCoy and his colleagues found that MirrorLink is relatively easy to enable, and when unlocked can allow hackers to use a linked smartphone as a stepping stone to control safety-critical components such as the vehicle’s anti-lock braking system.
McCoy explained that “tuners” – people or companies who customize automobiles – might unwittingly enable hackers by unlocking insecure features.
“Tuners will root around for these kinds of prototypes, and if these systems are easy to unlock they will do it,” he said. “And there are publically available instructions describing how to unlock MirrorLink. Just one of several instructional videos on YouTube has gotten over 60,000 views.”
The researchers used such publically available instructions to unlock MirrorLink on the in-vehicle infotainment system in a 2015 vehicle they purchased from eBay for their experiments.
The automaker and supplier declined to release a security patch – reflecting the fact that they never enabled MirrorLink. McCoy pointed out that this could leave drivers who enable MirrorLink out on a limb.
“During our reverse engineering of these executables, we discovered a subroutine in AppMain.exe that enables Development Mode (DevMode). We found that
the password is included in plain-text (clear) in the executable and there is a static comparison for the password required to enable DevMode mode.”
“The current MirrorLink protocol does not include any secure device pairing method. However, given our threat model, neither of these defenses would impede an attacker who can compromise a driver’s smartphone that is likely already paired to the IVI and authorized hardware.
Thankfully, the dangers posed by an attacker that can only invoke API calls exposed by apps on the IVI are limited at this point to relatively benign attacks, such as streaming unwanted music over the IVI. The worst case might be altering navigation directions. Given that the attacks are not devastating, the lack of security in the MirrorLink protocol is not ideal, but might be acceptable at present, and can be improved in later versions before more critical APIs are added to apps.
The authors hope their research, presented at the 10th USENIX Workshop on Offensive Technologies (WOOT ’16) in Austin, Texas, will raise the issue of drivers unlocking potentially insecure features before IVI protocols such as MirrorLink are even more widely deployed.
A Security Analysis of an In-Vehicle Infotainment and App Platform, by lead co-authors Sahar Mazloom and Mohammad Rezaeirad along with Aaron Hunter and McCoy, is available at https://www.usenix.org/conference/woot16/workshop-program/presentation/mazloom. General Motors, the National Science Foundation, and the Department of Homeland Security provided funding.
MirrorLink, created by the Connected Car Consortium, represents 80 percent of the world’s automakers, is the first and leading industry standard for connecting smartphones to in-vehicle infotainment (IVI) systems. However, some automakers disable it because they chose a different smartphone-to-IVI standard, or because the version of MirrorLink in their vehicles is a prototype that can be activated later.