help promote
usenix conference policies
A Security Analysis of an In-Vehicle Infotainment and App Platform
Sahar Mazloom, Mohammad Rezaeirad, and Aaron Hunter, George Mason University; Damon McCoy, New York University
There is an increasing trend in the automotive industry towards integrating trusted third-party apps with In-Vehicle-Infotainment systems (IVI) via smartphones. This integration is typically facilitated by a pair of apps, one that executes on the smartphone and the other executes on the IVI which is connected to the Vehicle’s Controller Area Network (CAN) bus. Throughout the evolution of these IVI and App platforms, there has been little public analysis of the security of these protocols and the frameworks that implement these apps on the IVI. This raises the question: to what extent are these apps, protocols and underlining IVI implementations vulnerable to an attacker who might gain control of a driver’s smartphone?
In this paper, we focus on gaining insights into this question by performing a comprehensive security analysis on an IVI system that is included in at least one 2015 model vehicle from a major automotive manufacturer. This IVI system included vestigial support for the MirrorLink protocol which is intentionally disabled but can be enabled by updating a single configuration value after applying a publicly available firmware update that is securely signed by the manufacturer. Based on our analysis, we document and demonstrate insecurities in the MirrorLink protocol and IVI implementation that could potentially enable an attacker with control of a driver’s smartphone to send malicious messages on the vehicle’s internal network.
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
author = {Sahar Mazloom and Mohammad Rezaeirad and Aaron Hunter and Damon McCoy},
title = {A Security Analysis of an {In-Vehicle} Infotainment and App Platform},
booktitle = {10th USENIX Workshop on Offensive Technologies (WOOT 16)},
year = {2016},
address = {Austin, TX},
url = {https://www.usenix.org/conference/woot16/workshop-program/presentation/mazloom},
publisher = {USENIX Association},
month = aug
}
connect with us