Security Risks in Smartphone-Vehicle Interface

Many of today’s automobiles leave the factory with secret passengers: prototype software features that are disabled but can be unlocked by clever drivers.

In what is believed to be the first comprehensive security analysis of its kind, vulnerabilities were found in MirrorLink, a system of rules that allow vehicles to communicate with smartphones.

MirrorLink, created by the Connected Car Consortium, which represents 80% of the world’s automakers, is the first and leading industry standard for connecting smartphones to in-vehicle infotainment (IVI) systems. However, some automakers disable it because they chose a different smartphone-to-IVI standard, or because the version of MirrorLink in their vehicles is a prototype that can be activated later.

The security analysis was led by Damon McCoy, an assistant professor of computer science and engineering at the NYU Tandon School of Engineering, and a group of students at George Mason University. McCoy and his colleagues found that MirrorLink is relatively easy to enable, and when unlocked can allow hackers to use a linked smartphone as a stepping stone to control safety-critical components such as the vehicle’s anti-lock braking system. McCoy explained that “tuners” — people or companies who customize automobiles — might be accidentally helping hackers by unlocking insecure features.

“There are publicly available instructions describing how to unlock MirrorLink. Just one of the several instructional videos on YouTube has gotten over 60,000 views.”

According to the NYU School of Engineering website, the automaker and supplier declined to release a security patch — reflecting the fact that they never enabled MirrorLink. McCoy pointed out that this could leave drivers who enable MirrorLink out on a limb.

The authors hope their research, presented at the 10th USENIX Workshop on Offensive Technologies in Austin, Texas, will raise the issue of drivers unlocking potentially insecure features before IVI protocols such as MirrorLink are even more widely deployed.