Vulnerabilities / Threats

9/2/2016
09:00 AM
Connect Directly
Facebook
Twitter
RSS
E-Mail
50%
50%

Researchers Uncover Car Infotainment Vulnerability

Should an automobile manufacturer have to release a patch for a feature that they never deployed? A newly discovered vulnerability in MirrorLink's infotainment software may force an answer.

A newly uncovered vulnerability in the MirrorLink infotainment software is forcing lots of hard questions about who's ultimately responsible for security in the automobile supply chain.

Damon McCoy, an assistant professor of computer science and engineering at NYU's Tandon School of Engineering, and a group of students at George Mason University found vulnerabilities in MirrorLink, a standard tool for connecting smartphones to in-vehicle infotainment (IVI) systems. Some carmakers disable MirrorLink because they use a different standard or because their version of MirrorLink is a prototype that can be activated later.

MirrorLink was created in 2011 and is overseen by the Car Connectivity Consortium (CCC), which represents 80% of the world's automakers. It's the first industry standard for smartphones-IVI connectivity; Apple has since deployed CarPlay and Google has Android Auto.

"Tuners," a segment of the OEM market that customizes automobiles, are able to activate MirrorLink, thanks to a helpful YouTube instructional video that's already logged more than 60,000 views, according to McCoy. Once active, MirrorLink then allows drivers to use the apps on their IVI -- the touchscreen, audio speakers, and the in-car microphone. "Drivers get improved functionality," McCoy says. "This is something tuners do all the time."

Unfortunately, this tuner activation of MirrorLink also renders the car vulnerable to access by third-parties, who could then mess with the software for the anti-lock braking system, for example, or other critical safety features. The vulnerability was detailed in a paper presented at last month's USENIX Workshop on Offensive Technologies in Austin, Texas. The research was funded by General Motors, the National Science Foundation, and the Department of Homeland Security.

So far, McCoy and his fellow researchers haven't publicly identified the carmaker or the OEM/tuner but are in contact with them. "We don't want to name and shame … it's likely a systemic problem," he said, since manufacturers normally sell to multiple OEMs.

Alan Ewing, president of the CCC, said the group has just begun its analysis of the vulnerability. "The question coming up as we go through the paper is whether this is a vulnerability of MirrorLink proper, or a bad implementation by an auto OEM that left open and stripped out security information that made the hack possible," Ewing says.

While emphasizing that CCC takes security extremely seriously, there is no patch planned for MirrorLink at present, he says.

"We're always about improving, so if there's something that needs fixing in the MirrorLink implementation, we'll close that gap," Ewing says. "But at the end of the day, if it avoids our certification, is implemented incorrectly, and exposes some bad code, we can't prevent that kind of misuse."

The vulnerability and the auto industry's complex supply chain muddy the issue of who's responsible for security or issuing a fix. "Does the manufacturer have to release a patch for a feature that they never deployed?" McCoy says. The answer isn't clear-cut.

One of the researchers' recommendations was for the auto industry to quarantine apps for cars in the same way that apps are confined or isolated with smartphones. "Ideally, the OEMs could build similar sandbox containment technology for these apps," McCoy says.

Regardless of the fix, there needs to be some sort of industry gatekeeper that leverages those further down the supply chain to build secure systems from the start and correct vulnerabilities as they're found, McCoy adds. "I don't know if that means the CCC needs to audit suppliers who use MirrorLink, just as Apple and Google audit suppliers to make sure they all conform to standards for security," he says. And if they find that one of them skips some of the security measures, they should say it doesn't confirm to the protocol.

Related Content:

 

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Well, at least it isn't Mobby Dick!
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-4035
PUBLISHED: 2019-03-22
IBM Content Navigator 3.0CD could allow attackers to direct web traffic to a malicious site. If attackers make a fake IBM Content Navigator site, they can send a link to ICN users to send request to their Edit client directly. Then Edit client will download documents from the fake ICN website. IBM X...
CVE-2019-4052
PUBLISHED: 2019-03-22
IBM API Connect 2018.1 and 2018.4.1.2 apis can be leveraged by unauthenticated users to discover login ids of registered users. IBM X-Force ID: 156544.
CVE-2019-9648
PUBLISHED: 2019-03-22
An issue was discovered in the SFTP Server component in Core FTP 2.0 Build 674. A directory traversal vulnerability exists using the SIZE command along with a \..\..\ substring, allowing an attacker to enumerate file existence based on the returned information.
CVE-2019-9923
PUBLISHED: 2019-03-22
pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.
CVE-2019-9924
PUBLISHED: 2019-03-22
rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.