In-brief: Researchers from George Mason University and New York University are warning that the software used to link smart phones to in-vehicle “infotainment” (IVI) systems could make cars vulnerable to remote attack.

The researchers presented their research (PDF) at the annual Usenix WOOT Conference in Austin, Texas in early August. According to the researchers, current IVI implementations that use software by the vendor MirrorLink contain vulnerabilities that could allow an attacker with control of a driver’s smart phone to send malicious messages to the vehicle’s infotainment system and, potentially, to the car’s critical in-vehicle network.

The paper, “A Security Analysis of an In Vehicle Infotainment and App Platform,” was written by Sahar Mazloom, Mohammad Rezaeirad and Aaron Hunter of George Mason University and Damon McCoy of New York University. Their research raises more questions about the security and integrity of third-party and OEM (original equipment manufacturer) components that account for much of what goes into modern vehicles, the researchers said.

MirrorLink is a common vendor-neutral platform connecting smartphones to in-vehicle infotainment (IVI) systems, the researchers say in their paper. Its use has grown alongside competing platforms like Android Auto and Apple’s CarPlay as vehicle makers have turned away from proprietary platforms for IVI such as Entune (Toyota), ConnectedDrive (BMW) and AppLink (Ford).

Earlier generations of IVI technology were strictly “closed ecosystems” open only to third-party developers who had trusted relationships with the IVI manufacturer. Today, many car makers – eyeing the success of Apple’s AppStore and Google Play – are looking to open the IVI ecosystem to a wider range of application publishers.

Despite that, little research has explored the vulnerabilities of the software, or of IVI systems, which often have access to the controller area network (or CAN bus) that also directs critical systems like braking, steering and acceleration, the researchers say. In the case of the MirrorLink software, the integration between the vehicle’s IVI and the driver or passenger’s smart phone is facilitated by a pair of applications – one on the smart phone and a companion application on the in-vehicle infotainment system.

The researchers analyzed a MirrorLink IVI from a 2015 model along with its corresponding smart phone application and MirrorLink’s communication protocol, discovering a number of flaws. Among other things, the application software used by MirrorLink contained a number of programming vulnerabilities. An attacker who could compromise a user’s smart phone could manipulate the IVI unit and, in a worst-case scenario, manipulate navigation instructions.

Not terrible. But the research also revealed a host of sketchy implementations that could pose larger problems down the road. For example, the researchers discovered that the MirrorLink client enabled on an IVI is “written in a memory unsafe language, C++, and executed with administrator privileges on the bare-metal WinCE OS.”

An attacker who could access the IVI via a compromised smart phone could potentially leverage heap overflow vulnerabilities identified by the researchers to take over the control flow of the MirrorLink client. From there, the researchers suggest, an attacker could leverage control over the IVI application to speak directly to the CAN controller and send arbitrary and potentially malicious messages on the vehicle’s CAN bus.

“This all points to the possibility that an attacker able to discover one of these vulnerabilities can craft an exploit to send out CAN malicious message,” the researchers concluded.

Concern about the security and privacy risks of connected cars is growing. The FTC this week warned rental car customers to refrain from syncing their smart phones or computers to in-vehicle infotainment systems out of concern that sensitive data will be left behind on the in-vehicle system and exposed to others.

Security researchers have also highlighted how the increasing adoption of in-vehicle Internet hot spots and insecure links between in-vehicle entertainment systems and critical vehicle subsystems created the possibility of cyber-kinetic attacks aimed at vulnerable cars.

In 2015, researchers Charlie Miller and Chris Valasek used vulnerabilities in an in-vehicle infotainment system by Harman to launch a remote, wireless attack on the CAN bus of a 2014 Jeep Cherokee. In August, the pair demonstrated a new round of attacks on vehicle CAN buses, including unintended acceleration, braking and steering.

You can read more over at Dark Reading: Researchers Uncover Car Infotainment Vulnerability