AppSec California 2020

Many of today’s automobiles leave the factory with secret passengers: prototype software features with undiscovered vulnerabilities, even if these features are disabled by the manufacturer, but still can be unlocked by clever hackers.

There is an increasing trend in the automotive industry towards integrating trusted third-party apps with In-Vehicle-Infotainment systems (IVI) via smartphones. But there has been little public analysis of the security of these protocols and the frameworks that implement these apps on the IVI. This raises the question: to what extent are these apps, protocols and underlining IVI implementations vulnerable to an attacker who might gain control of a driver’s smartphone?

In this work, we focused on gaining insights into this question by performing the first comprehensive security analysis on one of the standardized protocols, called MirrorLink (similar to Apple CarPlay), that enables seamless connectivity between smartphones and the car infotainment systems.

In this talk, I will explain the steps we took to conduct this security analysis and will demonstrate the discovered vulnerabilities in the MirrorLink protocol and IVI implementation that could potentially enable an attacker with control of a driver’s smart phone to send malicious messages to the vehicle’s infotainment system and, consequently, to the car’s critical components.

As a proof of concept, we have created a demonstration malicious app that exploits vulnerabilities discovered in the implementation of MirrorLink on the IVI.

Given our findings, we have some recommendations on how the security of these IVI app platforms can be made more resilient to these types of attacks. Our hope is that, this analysis will help motivate and spur more secure designs and implementations of smartphone to IVI platforms.