A Security Analysis of an In-Vehicle Infotainment and App Platform

Authors: 

Sahar Mazloom, Mohammad Rezaeirad, and Aaron Hunter, George Mason University; Damon McCoy, New York University

Abstract: 

There is an increasing trend in the automotive industry towards integrating trusted third-party apps with In-Vehicle Infotainment (IVI) systems via smartphones. This integration is typically facilitated by a pair of apps, one that executes on the smartphone and another that executes on the IVI, which is connected to the vehicle’s Controller Area Network (CAN) bus. Throughout the evolution of these IVI and app platforms, there has been little public analysis of the security of these protocols and the frameworks that implement these apps on the IVI. This raises the question: to what extent are these apps, protocols and underlying IVI implementations vulnerable to an attacker who might gain control of a driver’s smartphone?

In this paper, we focus on gaining insights into this question by performing a comprehensive security analysis on an IVI system that is included in at least one 2015 model vehicle from a major automotive manufacturer. This IVI system included vestigial support for the MirrorLink protocol, which is intentionally disabled but can be enabled by updating a single configuration value after applying a publicly available firmware update that is securely signed by the manufacturer. Based on our analysis, we document and demonstrate insecurities in the MirrorLink protocol and IVI implementation that could potentially enable an attacker with control of a driver’s smartphone to send malicious messages on the vehicle’s internal network.

BibTeX
@inproceedings {198492,
author = {Sahar Mazloom and Mohammad Rezaeirad and Aaron Hunter and Damon McCoy},
title = {A Security Analysis of an {In-Vehicle} Infotainment and App Platform},
booktitle = {10th USENIX Workshop on Offensive Technologies (WOOT 16)},
year = {2016},
address = {Austin, TX},
url = {https://www.usenix.org/conference/woot16/workshop-program/presentation/mazloom},
publisher = {USENIX Association},
month = aug,
}