Recent studies have shown that an always present but generally ignored component in almost every vehicle can leave the user vulnerable to hacking attacks.
Damon McCoy, an assistant professor of computer science and engineering at the NYU Tandon School of Engineering, along with a few students from George Mason University, conducted what is believed to be the first comprehensive security analysis of its kind. They found that MirrorLink, a system with rules that allow vehicles to connect to smartphones, contained an easily accessible liability.
According to the Connected Car Consortium, MirrorLink “is the first and leading industry standard for connecting smartphones to in-vehicle infotainment (IVI) systems.” McCoy and his colleagues found that enabling MirrorLink is relatively simple, and once it is unlocked, hackers can use a linked smartphone to gain control of safety-critical components of the car, such as the anti-lock braking system. McCoy explained that “tuners” — people or companies who customize automobiles — might unwittingly enable hackers by unlocking insecure features.
“Tuners will root around for these kinds of prototypes, and if these systems are easy to unlock they will do it,” he said. “And there are publicly available instructions describing how to unlock MirrorLink. Just one of several instructional videos on YouTube has gotten over 60,000 views.”
Surprisingly, the automaker and supplier declined to release a security patch, leaving drivers who have enabled MirrorLink in a compromising position. McCoy and his colleagues hope that their findings, presented at the 10th USENIX Workshop on Offensive Technologies (WOOT ’16) in Austin, Texas, will raise awareness of this problem and urge companies to fix and secure this liability before it grows in popularity.