MirrorLink by Connected Car Consortium is the first industry standard for connecting smartphones to in-vehicle infotainment systems (IVI). A recent comprehensive research, titled ‘A Security Analysis of an In Vehicle Infotainment and App Platform’ and carried out by Damon McCoy, an assistant professor at the NYU Tandon School of Engineering and a group of students at George Mason University, disclosed vulnerabilities in MirrorLink.
Researchers Find Vulnerabilities in MirrorLink
The vulnerabilities could allow an attacker access to a vehicle through a smartphone. This could be done even when MirrorLink is disabled. The findings of the research were presented at the 10th USENIX Workshop on Offensive Technologies (WOOT ’16) in Austin, Texas.
The research itself is believed to be the first comprehensive empirical security analysis of a smartphone to modern IVI app protocol included in at least one 2015 model vehicle from a major automotive manufacturer.
This IVI system includes vestigial support for the MirrorLink protocol. Though this protocol is disabled by default, it can be enabled by changing a single configuration value after a publicly available firmware update that is securely signed by the manufacturer.
Some automakers choose to disable MirrorLink and use a different smartphone-to-IVI standard. However, the researchers found that MirrorLink is easy to enable. When it is unlocked, attacker could use a linked smartphone and take over components crucial to safety such as the vehicle’s anti-lock braking system. The worst part is that tuners, people or companies who customize automobiles, may inadvertently assist bad hackers by unlocking unsecure features.
McCoy particularly said that tuners will root around for such prototypes and would actually unlock vulnerable systems. Furthermore, instructions on how to unlock MirrorLink can be found even on YouTube! One such instructional video has been viewed more than 60,000 times! Interestingly, the researchers themselves used such public information to unlock MirrorLink on a test vehicle they bought from eBay.
The automaker and supplier refused to release a security patch. As to why, they highlighted the fact that they never enabled MirrorLink in the first place. McCoy warns that this is bad news for drivers who enable MirrorLink.