A system of rules that allow vehicles to communicate with smartphones may be vulnerable to hacking, a new study suggests. Many of today’s automobiles leave the factory with secret passengers: prototype software features that are disabled but that can be unlocked by clever drivers, researchers said.
In what is believed to be the first comprehensive security analysis of its kind, researchers at New York University Tandon School of Engineering and George Mason University in the US found vulnerabilities in MirrorLink, a system of rules that allow vehicles to communicate with smartphones.
MirrorLink when unlocked can allow hackers to use a linked smartphone as a stepping stone to control safety-critical components such as the vehicle’s anti-lock braking system.
Damon McCoy, from the NYU Tandon School of Engineering, explained that “tuners” – people or companies which customise automobiles – might unwittingly enable hackers by unlocking insecure features.
“Tuners will root around for these kinds of prototypes, and if these systems are easy to unlock they will do it,” he said. “And there are publically available instructions describing how to unlock MirrorLink. Just one of several instructional videos on YouTube has gotten over 60,000 views,” McCoy added.
“The researchers used such publically available instructions to unlock MirrorLink on the in-vehicle infotainment system in a 2015 vehicle they purchased from eBay for their experiments,” said McCoy.
The automaker and supplier declined to release a security patch – reflecting the fact that they never enabled MirrorLink. McCoy pointed out that this could leave drivers who enable MirrorLink out on a limb.
MirrorLink is the connection protocol and allows the driver or passenger to control phone apps via the car’s dash and steering wheel controls. Created by the Connected Car Consortium, MirrorLink represents 80 per cent of the world’s automakers, is the first and leading industry standard for connecting smartphones to in-vehicle infotainment (IVI) systems.
However, some automakers disable it because they chose a different smartphone-to-IVI standard, or because the version of MirrorLink in their vehicles is a prototype that can be activated later.