Most people are affected by connected vehicles in some form or another. This may take the form of the user driving their car to the grocery store or to work, the cabs driving people home, the rental vehicle from the airport, a driver using the map function in the infotainment center, and buses being driven through the suburbs and city. Most of the vehicles seen every day are connected, and a very small portion of them are autonomous.
To accomplish this level of connectedness, the auto manufacturers have used their own ingenuity, but have also implemented applications coded by third parties for workflow assistance. There is no need to recreate the wheel for the fifth time when there is a template and methodology in place. These applications have predominantly used the smartphone as the HMI (human machine interface). Overall this has worked well and improved the UX (user experience). Along the way, there have been a number of breaches with this method of connecting, which have been patched and remediated.
As the ratio of connected cars continues to grow, the connectivity will also continue to be researched in an attempt to minimize the opportunity for any future breaches. Research has already been done on infotainment connectivity security. As noted, there have been a number of breaches that exploited vulnerabilities here. This indicates that, while research has been done, there is much more that should be researched and internalized by the manufacturers in order to decrease the risk. The one glaring point continues to be infotainment security.
There are different applications that function to link the user’s vehicle to their phone. One of these is Mirror Link, which was created by the Connected Car Consortium. This application represents the primary source for connecting the user’s smartphone to their vehicle’s infotainment system. This is visually manifested with the dash display. A portion of the vehicle manufacturers toggle this off. This option is implemented when the manufacturer elects to use another application due to certain variables or the manufacturer interprets the latest version of Mirror Link as a prototype.
Herein lies the issue. Even if this is disabled, it can still be easily enabled. With the application enabled, the deviant then has the opportunity to access the vehicle through a linked smartphone. This may include the brakes, transmission, etc. With a quick search on YouTube, there are well over 80 recordings with Mirror Link.
There is another facet of vulnerabilities with connecting a smartphone with a connected vehicle. This may be the user’s phone and car, a rental vehicle, or a friend’s vehicle whose infotainment system the user connects to. These instances and more provide the opportunity for the user to incidentally, inadvertently, and accidentally share their private data. When the smartphone is connected to the infotainment system in the vehicle, the system may retain the list of contacts from the phone and text messages. Any calls made from the phone while connected may be retained in a log. Any locations keyed in for a map would still be in the car’s memory.
The data points may seem mundane and not worth the time to worry about. However, would a user want their trip history, including their home, recorded and in the hands of strangers and others who would rent the vehicle next? The same worry applies to the contact list, with the private information of friends and coworkers being in a stranger’s control.
As for the first issue, the vendor has not seen this potential attack point as an issue and has refused to issue a patch. With regard to the second issue, there are a number of easily accomplished steps. For any vehicle the user has connected to that was leased, rented, being sold, being turned in, or traded in, delete the data from the infotainment system.
If the user finds himself/herself traveling and needs to charge their phone or other mobile device, the smartphone should not be plugged into the vehicle’s USB port. This offers a bridge from the vehicle to the smartphone’s data. The adapter that plugs into the lighter should be used instead for charging purposes.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.