Researchers Uncover Car Infotainment Vulnerability

  /     /     /  
Publicated : 22/11/2024   Category : security


Researchers Uncover Car Infotainment Vulnerability


Should an automobile manufacturer have to release a patch for a feature that they never deployed? A newly discovered vulnerability in MirrorLinks infotainment software may force an answer.



A newly uncovered vulnerability in the MirrorLink infotainment software is forcing lots of hard questions about whos ultimately responsible for security in the automobile supply chain.
Damon McCoy, an assistant professor of computer science and engineering at NYUs Tandon School of Engineering, and a group of students at George Mason University found vulnerabilities in MirrorLink, a standard tool for connecting smartphones to in-vehicle infotainment (IVI) systems. Some carmakers disable MirrorLink because they use a different standard or because their version of MirrorLink is a prototype that can be activated later.
MirrorLink was created in 2011 and is overseen by the Car Connectivity Consortium (CCC), which represents 80% of the worlds automakers. Its the first industry standard for smartphones-IVI connectivity; Apple has since deployed CarPlay and Google has
Android Auto
.
Tuners, a segment of the OEM market that customizes automobiles, are able to activate MirrorLink, thanks to a helpful YouTube instructional video thats already logged more than 60,000 views, according to McCoy. Once active, MirrorLink then allows drivers to use the apps on their IVI -- the touchscreen, audio speakers, and the in-car microphone. Drivers get improved functionality, McCoy says. This is something tuners do all the time.
Unfortunately, this tuner activation of MirrorLink also renders the car vulnerable to access by third-parties, who could then mess with the software for the anti-lock braking system, for example, or other critical safety features. The vulnerability was detailed in
a paper
presented at last months USENIX Workshop on Offensive Technologies in Austin, Texas. The research was funded by General Motors, the National Science Foundation, and the Department of Homeland Security.
So far, McCoy and his fellow researchers havent publicly identified the carmaker or the OEM/tuner but are in contact with them. We dont want to name and shame … its likely a systemic problem, he said, since manufacturers normally sell to multiple OEMs.
Alan Ewing, president of the CCC, said the group has just begun its analysis of the vulnerability. The question coming up as we go through the paper is whether this is a vulnerability of MirrorLink proper, or a bad implementation by an auto OEM that left open and stripped out security information that made the hack possible, Ewing says.
While emphasizing that CCC takes security extremely seriously, there is no patch planned for MirrorLink at present, he says.
Were always about improving, so if theres something that needs fixing in the MirrorLink implementation, well close that gap, Ewing says. But at the end of the day, if it avoids our certification, is implemented incorrectly, and exposes some bad code, we cant prevent that kind of misuse.
The vulnerability and the auto industrys complex supply chain muddy the issue of whos responsible for security or issuing a fix. Does the manufacturer have to release a patch for a feature that they never deployed? McCoy says. The answer isnt clear-cut.
One of the researchers recommendations was for the auto industry to quarantine apps for cars in the same way that apps are confined or isolated with smartphones. Ideally, the OEMs could build similar sandbox containment technology for these apps, McCoy says.
Regardless of the fix, there needs to be some sort of industry gatekeeper that leverages those further down the supply chain to build secure systems from the start and correct vulnerabilities as theyre found, McCoy adds. I dont know if that means the CCC needs to audit suppliers who use MirrorLink, just as Apple and Google audit suppliers to make sure they all conform to standards for security, he says. And if they find that one of them skips some of the security measures, they should say it doesnt confirm to the protocol.
Related Content:
Report: Criminals Now Hack, Start And Then Steal Vehicles
This Time, Miller & Valasek Hack The Jeep At Speed
Auto Industry ISAC Releases Best Practices For Connected Vehicle Cybersecurity
 

Last News

▸ Scan suggests Heartbleed patches may not have been successful. ◂
Discovered: 23/12/2024
Category: security

▸ IoT Devices on Average Have 25 Vulnerabilities ◂
Discovered: 23/12/2024
Category: security

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Researchers Uncover Car Infotainment Vulnerability