You may not be aware of it, but when new cars leave the factory, they sometimes come equipped with prototype software features that are disabled. When it comes to these features, it turns out ordinary techies may be able to unlock them.
This weakness may leave connected cars susceptible to hacks if someone accesses your smartphone.
Damon McCoy, an assistant professor of computer science and engineering at the NYU Tandon School of Engineering, and a group of students at George Mason University recently conducted a comprehensive security analysis and discovered vulnerabilities in MirrorLink, a system of rules that allows vehicles to communicate with smartphones.
The system, which was created by the Connected Car Consortium, an organization representing 80% of the world’s automakers, is the first industry standard for connecting smartphones to in-vehicle infotainment (IVI) systems. The problem with this is that some automakers disable its features because they chose a different smartphone-to-IVI standard, or because the version of MirrorLink in their vehicles is a prototype that can be activated later.
What McCoy and the team found was that MirrorLink is pretty simple to enable, and once unlocked, it can allow hackers to use a linked smartphone as a stepping stone to control safety-critical components such as the vehicle’s anti-lock braking system. According to McCoy, “tuners” — people or companies who customize automobiles — might actually be providing hackers with more abilities, gained by unlocking these insecure features.
“Tuners will root around for these kinds of prototypes, and if these systems are easy to unlock they will do it,” said McCoy. “And there are publicly available instructions describing how to unlock MirrorLink. Just one of several instructional videos on YouTube has gotten over 60,000 views.”
To unlock MirrorLink on the in-vehicle infotainment system in a 2015 vehicle they purchased from eBay for their experiments, the researchers simply referred to instructions that are available to the public.
The automaker and supplier declined to release a security patch and stated that they never enabled MirrorLink, but McCoy points out that this could leave drivers who enable MirrorLink out on a limb.
Story via NYU.