AppSec California 2020, January 21-24 at the Annenberg Beach House, Santa Monica, CA
Friday, January 24 • 2:10pm - 3:00pm
Car Hacking: A Security Analysis of an In-Vehicle-Infotainment System and App Platform

Many of today’s automobiles leave the factory with secret passengers: prototype software features with undiscovered vulnerabilities. Even when the manufacturer has disabled these features, clever hackers can still unlock them.

There is an increasing trend in the automotive industry towards integrating trusted third-party apps with In-Vehicle-Infotainment (IVI) systems via smartphones. But there has been little public analysis of the security of these protocols and the frameworks that implement these apps on the IVI. This raises the question: to what extent are these apps, protocols and underlying IVI implementations vulnerable to an attacker who might gain control of a driver’s smartphone?

In this work, we focused on gaining insights into this question by performing the first comprehensive security analysis on one of the standardized protocols, called MirrorLink (similar to Apple CarPlay), that enables seamless connectivity between smartphones and the car infotainment systems.

In this talk, I will explain the steps we took to conduct this security analysis and will demonstrate the discovered vulnerabilities in the MirrorLink protocol and IVI implementation that could potentially enable an attacker with control of a driver’s smartphone to send malicious messages to the vehicle’s infotainment system and, consequently, to the car’s critical components.

As a proof of concept, we have created a demonstration malicious app that exploits vulnerabilities discovered in the implementation of MirrorLink on the IVI.

Given our findings, we have some recommendations on how these IVI app platforms can be made more resilient to these types of attacks. Our hope is that this analysis will help motivate and spur more secure designs and implementations of smartphone-to-IVI platforms.

Sahar Mazloom

PhD Candidate and Security Researcher, George Mason University
Sahar Mazloom is a PhD candidate in Cryptography at George Mason University, and received her Master’s in Artificial Intelligence. Her current research focus is on the problem of computation on encrypted data, with focus on design and development of secure machine learning models...

Friday January 24, 2020 2:10pm - 3:00pm PST
Garden Terrace Room