CYBER NEWS

Cars Connected to Smartphones Prone to Hacks, Research on MirrorLink Says

mirrorlinkMirrorLink by Connected Car Consortium is the first industry standard for connecting smartphones to in-vehicle infotainment systems (IVI). A recent comprehensive research, titled ‘A Security Analysis of an In Vehicle Infotainment and App Platform’ and carried out by Damon McCoy, an assistant professor at the NYU Tandon School of Engineering and a group of students at George Mason University, disclosed vulnerabilities in MirrorLink.


Researchers Find Vulnerabilities in MirrorLink

The vulnerabilities could allow an attacker access to a vehicle through a smartphone. This could be done even when MirrorLink is disabled. The findings of the research were presented at the 10th USENIX Workshop on Offensive Technologies (WOOT ’16) in Austin, Texas.

The research itself is believed to be the first comprehensive empirical security analysis of a smartphone to modern IVI app protocol included in at least one 2015 model vehicle from a major automotive manufacturer.

This IVI system includes vestigial support for the MirrorLink protocol. Though this protocol is disabled by default, it can be enabled by changing a single configuration value after a publicly available firmware update that is securely signed by the manufacturer.

Some automakers choose to disable MirrorLink and use a different smartphone-to-IVI standard. However, the researchers found that MirrorLink is easy to enable. When it is unlocked, attacker could use a linked smartphone and take over components crucial to safety such as the vehicle’s anti-lock braking system. The worst part is that tuners, people or companies who customize automobiles, may inadvertently assist bad hackers by unlocking unsecure features.

Related: IoT Thermostat Hack Ends with Ransomware Infection

McCoy particularly said that tuners will root around for such prototypes and would actually unlock vulnerable systems. Furthermore, instructions on how to unlock MirrorLink can be found even on YouTube! One such instructional video has been viewed more than 60,000 times! Interestingly, the researchers themselves used such public information to unlock MirrorLink on a test vehicle they bought from eBay.

The automaker and supplier refused to release a security patch. As to why, they highlighted the fact that they never enabled MirrorLink in the first place. McCoy warns that this is bad news for drivers who enable MirrorLink.

Milena Dimitrova

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the beginning. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:
Twitter

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...