Researchers Uncover Car Infotainment Vulnerability

A newly uncovered vulnerability in the MirrorLink infotainment software is forcing lots of hard questions about who's ultimately responsible for security in the automobile supply chain.

Damon McCoy, Assistant Professor of Computer Science and Engineering at NYU's Tandon School of Engineering, and a group of students at George Mason University found vulnerabilities in MirrorLink, a standard tool for connecting smartphones to in-vehicle infotainment (IVI) systems. Some carmakers disable the tool because they use a different standard or because their version of MirrorLink is a prototype that can be activated later.

MirrorLink was created in 2011 and is overseen by the Car Connectivity Consortium (CCC), which represents 80 percent of the world's automakers. It's the first industry standard for smartphones-IVI connectivity; Apple has since deployed CarPlay and Google has Android Auto.

"Tuners," a segment of the OEM market that customizes automobiles, are able to activate the tool, thanks to a helpful YouTube instructional video that's already logged more than 60,000 views, according to McCoy. Once active, it then allows drivers to use the apps on their IVI -- the touchscreen, audio speakers, and the in-car microphone. "Drivers get improved functionality," McCoy says. "This is something tuners do all the time."

Unfortunately, this tuner activation of MirrorLink also renders the car vulnerable to access by third-parties, who could then mess with the software for the anti-lock braking system, for example, or other critical safety features. The vulnerability was detailed in a paper presented at the USENIX Workshop on Offensive Technologies in Austin, Texas. The research was funded by General Motors, the National Science Foundation, and the Department of Homeland Security.

So far, McCoy and his fellow researchers haven't publicly identified the carmaker or the OEM/tuner but are in contact with them. "We don't want to name and shame...it's likely a systemic problem," he said, since manufacturers normally sell to multiple OEMs.

There is no patch planned for MirrorLink at present. One of the researchers' recommendations was for the auto industry to quarantine apps for cars in the same way that apps are confined or isolated with smartphones.

Regardless of the fix, there needs to be some sort of industry gatekeeper that leverages those further down the supply chain to build secure systems from the start and correct vulnerabilities as they're found.

NAFA Fleet Management Association
http://www.nafa.org/