It is commonplace for car makers to allow the integration of trusted third-party apps with the IVI systems via smartphones, typically through a pair of apps, one that executes on the smartphone and one that executes on the IVI itself connected to the vehicle’s CAN bus.
“To what extent are these apps, protocols and underlining IVI implementations vulnerable to an attacker who might gain control of a driver’s smartphone?” Asked themselves the researchers led by Damon McCoy, an assistant professor of computer science and engineering at the NYU Tandon School of Engineering.
The researchers focused their efforts on an IVI system that is included in at least one 2015 model vehicle from a major automotive manufacturer and found that vestigial support for the MirrorLink protocol could easily be enabled based on publicly available information. They then developed a proof of concept malicious smartphone app and were able to exploit heap overflow vulnerabilities discovered in the implementation of MirrorLink on the IVI.
These vulnerabilities, they claim, can allow attackers to gain control flow of a privileged process executing on the IVI and their view is that the same vulnerabilities could certainly be exploited by an attacker with control of a driver’s smartphone, to send malicious messages on the vehicle’s internal CAN bus.
Currently MirrorLink is not enabled by default and requires a physical USB connection, the researchers wrote, which would require some preparation before a hack.
But the IVI hardware include an 802.11 adapter and it is possible that in the future, MirrorLink would support WiFi as an alternate link-layer protocol. If a WiFi link became part of the standard, it would expand the attack surface for remote attackers, within a few 100 feet of the target vehicle, or those who can gain control of an 802.11 enabled device close to the vehicle, they fear.
This comes in a context when automotive manufacturers plan to open up their IVI app platforms to a larger pool of app developers.
The findings were first disclosed privately, to the concerned car manufacturer, while critical details of the hack were left out of the delayed publication. No name dropping in the publication, since MirrorLink has been widely adopted by car manufacturers and the vulnerabilities revealed in the paper represent a systemic problem that likely affects many manufacturers and suppliers of app enabled IVI platforms.
Access the full paper at https://www.usenix.org/system/files/conference/woot16/woot16-paper-mazloom.pdf
Visit New York University at www.nyu.edu