Vulnerabilities / Threats

9/2/2016
09:00 AM
Connect Directly
Facebook
Twitter
RSS
E-Mail
50%
50%

Researchers Uncover Car Infotainment Vulnerability

Should an automobile manufacturer have to release a patch for a feature that they never deployed? A newly discovered vulnerability in MirrorLink's infotainment software may force an answer.

A newly uncovered vulnerability in the MirrorLink infotainment software is forcing lots of hard questions about who's ultimately responsible for security in the automobile supply chain.

Damon McCoy, an assistant professor of computer science and engineering at NYU's Tandon School of Engineering, and a group of students at George Mason University found vulnerabilities in MirrorLink, a standard tool for connecting smartphones to in-vehicle infotainment (IVI) systems. Some carmakers disable MirrorLink because they use a different standard or because their version of MirrorLink is a prototype that can be activated later.

MirrorLink was created in 2011 and is overseen by the Car Connectivity Consortium (CCC), which represents 80% of the world's automakers. It's the first industry standard for smartphones-IVI connectivity; Apple has since deployed CarPlay and Google has Android Auto.

"Tuners," a segment of the OEM market that customizes automobiles, are able to activate MirrorLink, thanks to a helpful YouTube instructional video that's already logged more than 60,000 views, according to McCoy. Once active, MirrorLink then allows drivers to use the apps on their IVI -- the touchscreen, audio speakers, and the in-car microphone. "Drivers get improved functionality," McCoy says. "This is something tuners do all the time."

Unfortunately, this tuner activation of MirrorLink also renders the car vulnerable to access by third-parties, who could then mess with the software for the anti-lock braking system, for example, or other critical safety features. The vulnerability was detailed in a paper presented at last month's USENIX Workshop on Offensive Technologies in Austin, Texas. The research was funded by General Motors, the National Science Foundation, and the Department of Homeland Security.

So far, McCoy and his fellow researchers haven't publicly identified the carmaker or the OEM/tuner but are in contact with them. "We don't want to name and shame … it's likely a systemic problem," he said, since manufacturers normally sell to multiple OEMs.

Alan Ewing, president of the CCC, said the group has just begun its analysis of the vulnerability. "The question coming up as we go through the paper is whether this is a vulnerability of MirrorLink proper, or a bad implementation by an auto OEM that left open and stripped out security information that made the hack possible," Ewing says.

While emphasizing that CCC takes security extremely seriously, there is no patch planned for MirrorLink at present, he says.

"We're always about improving, so if there's something that needs fixing in the MirrorLink implementation, we'll close that gap," Ewing says. "But at the end of the day, if it avoids our certification, is implemented incorrectly, and exposes some bad code, we can't prevent that kind of misuse."

The vulnerability and the auto industry's complex supply chain muddy the issue of who's responsible for security or issuing a fix. "Does the manufacturer have to release a patch for a feature that they never deployed?" McCoy says. The answer isn't clear-cut.

One of the researchers' recommendations was for the auto industry to quarantine apps for cars in the same way that apps are confined or isolated with smartphones. "Ideally, the OEMs could build similar sandbox containment technology for these apps," McCoy says.

Regardless of the fix, there needs to be some sort of industry gatekeeper that leverages those further down the supply chain to build secure systems from the start and correct vulnerabilities as they're found, McCoy adds. "I don't know if that means the CCC needs to audit suppliers who use MirrorLink, just as Apple and Google audit suppliers to make sure they all conform to standards for security," he says. And if they find that one of them skips some of the security measures, they should say it doesn't confirm to the protocol.

Related Content:

 

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20735
PUBLISHED: 2019-01-17
** DISPUTED ** An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only...
CVE-2019-0624
PUBLISHED: 2019-01-17
A spoofing vulnerability exists when a Skype for Business 2015 server does not properly sanitize a specially crafted request, aka "Skype for Business 2015 Spoofing Vulnerability." This affects Skype.
CVE-2019-0646
PUBLISHED: 2019-01-17
A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka "Team Foundation Server Cross-site Scripting Vulnerability." This affects Team.
CVE-2019-0647
PUBLISHED: 2019-01-17
An information disclosure vulnerability exists when Team Foundation Server does not properly handle variables marked as secret, aka "Team Foundation Server Information Disclosure Vulnerability." This affects Team.
CVE-2018-20727
PUBLISHED: 2019-01-17
Multiple command injection vulnerabilities in NeDi before 1.7Cp3 allow authenticated users to execute code on the server side via the flt parameter to Nodes-Traffic.php, the dv parameter to Devices-Graph.php, or the tit parameter to drawmap.php.