In a study funded by GM, the NSF, and the US Department of Homeland Security, a team at NYU and George Mason University have reported vulnerabilities in MirrorLink that could allow a hacker access to a vehicle through a smartphone, even if MirrorLink is disabled. The team presented their findings at the 10th USENIX Workshop on Offensive Technologies (WOOT '16) in Austin, Texas.
The automotive industry is gravitating toward integrating trusted third-party apps with their In-Vehicle-Infotainment systems (IVI) via smartphones. This is typically facilitated by a pair of apps: one that executes on the smartphone and the other that executes on the IVI, which, in turn, is connected to the vehicle’s Controller Area Network (CAN) bus.
Throughout the evolution of these IVI and App platforms, there has been little public analysis of the security of these protocols and the frameworks that implement these apps on the IVI. This raises the question: to what extent are these apps, protocols and underlying IVI implementations vulnerable to an attacker who might gain control of a driver’s smartphone?—Mazloom et al.
MirrorLink, created by the Connected Car Consortium, which represents 80% of the world’s automakers, is an industry standard specifying a protocol that facilitates the integration of a smartphone to an automotive infotainment system. However, some automakers disable it because they chose a different smartphone-to-IVI standard, or because the version of MirrorLink in their vehicles is a prototype that can be activated later.
The researchers performed a comprehensive security analysis on an IVI system that is included in at least one 2015 model vehicle from a major automotive manufacturer. This IVI system included vestigial support for the MirrorLink protocol, which is intentionally disabled but can be enabled by updating a single configuration value after applying a publicly available firmware update that is securely signed by the manufacturer.
Damon McCoy, an assistant professor of computer science and engineering at the NYU Tandon School of Engineering, and his colleagues found that when MirrorLink was unlocked, it could allow hackers to use a linked smartphone as a stepping stone to control safety-critical components such as the vehicle’s anti-lock braking system. McCoy said that “tuners” might unwittingly enable hackers by unlocking insecure features.
Our analysis of the MirrorLink Protocol shows that few security features are specified at the application layer and that the designers of this protocol rely on the security of the link-layer protocol to protect the MirrorLink against attacks. The main security mechanism included in the specification is the Device Attestation Protocol (DAP) which is designed to prevent unauthorized hardware from accessing the IVI. The current MirrorLink protocol does not include any secure device pairing method. However, given our threat model, neither of these defenses would impede an attacker who can compromise a driver’s smartphone that is likely already paired to the IVI and authorized hardware.
Thankfully, the dangers posed by an attacker that can only invoke API calls exposed by apps on the IVI are limited at this point to relatively benign attacks, such as streaming unwanted music over the IVI. The worst case might be altering navigation directions. Given that the attacks are not devastating, the lack of security in the MirrorLink protocol is not ideal, but might be acceptable at present, and can be improved in later versions before more critical APIs are added to apps. The largest current threat is if an attacker can gain more unfettered access to the IVI and CAN controller. Such an attack could permit an attacker to send arbitrary messages over the vehicle’s CAN bus that could potentially affect safety-critical systems.—Mazloom et al.
The automaker and supplier had declined to release a security patch—reflecting the fact that they never enabled MirrorLink. McCoy pointed out that this could leave drivers who enable MirrorLink out on a limb.
The authors hope their research will raise the issue of drivers unlocking potentially insecure features before IVI protocols such as MirrorLink are even more widely deployed.
Sahar Mazloom, Mohammad Rezaeirad, Aaron Hunter, and Damon McCoy (2016) “A Security Analysis of an In-Vehicle Infotainment and App Platform”