Researchers say they can hijack a communication from a smartphone to a vehicle information system and potentially take control of a car’s systems such as brakes and steering.
In a paper presented at last month’s WOOT 16 USENIX conference, researchers Sahar Mazloom, Mohammad Rezaeirad, and Aaron Hunter from George Mason University, and Damon McCoy from New York University discussed the common integration of trusted third-party apps with In-Vehicle-Infotainment systems (IVI) via smartphones. They said there has been little public analysis of the security of these protocols and the frameworks that implement these apps on the IVI. For their analysis they wondered what if an attacker gained access to someone’s smartphone.
The vulnerabilities they cite involve MirrorLink, a standard tool for connecting smartphones to in-vehicle infotainment (IVI) systems. It was created in 2011 and is overseen by the Car Connectivity Consortium (CCC). The team was able to document and demonstrate insecurities in the MirrorLink protocol and IVI implementation that could potentially enable an attacker with control of a driver’s smartphone to send malicious messages on the vehicle’s internal network, according to the abstract.
Alan Ewing, president of the CCC, told Dark Reading the group has just begun its analysis. “The question coming up as we go through the paper is whether this is a vulnerability of MirrorLink proper, or a bad implementation by an auto OEM that left open and stripped out security information that made the hack possible,” Ewing says.