Infotainment system hacks show ongoing gap in edge security for autos
The automotive industry wants to appeal to customers by following the lead of the mobile industry and embedding third-party apps with infotainment systems. However, critical, undetected security vulnerabilities in top-selling Ford and Volkswagen vehicles on the European market are the latest example of how infotainment systems turn vehicles into easy targets for cyberattacks.
These vulnerabilities are jeopardizing user data and safety, reveals an investigation carried out by Which?, in partnership with security experts and pen testing consultant Context Information Security.
A deep dive into the computer systems and on-board tech features in the Ford Focus Titanium Automatic 1.0L petrol and a Volkswagen Polo SEL TSI Manual 1.0L petrol points out that lax security and lack of proper regulation go hand in hand, leaving the vehicles with open ports and exposed to attacks.
A vulnerability in the traction control system, for example, made it easy to gain unauthorized access to the infotainment unit in the Volkswagen Polo, which stores the driver’s personal and phone data. Lifting the company badge on the front of the car revealed easy access to the front radar module, which could also expose the collision-warning system to exploits, the report stated.
By collecting information about the tire pressure monitoring system on the Ford Focus, which gives an ID to each tire, researchers could have easily replicated an attack where a hacker would manipulate the system to display false information. A closer look at the code revealed Wi-Fi details and a general password for the computer systems on the production line at the plant in Detroit.
Mobile apps for owners also at issue
It isn’t just the car’s electronic systems that are vulnerable. Apps that manufacturers build for owners, which are supposed to offer conveniences like using a mobile device to lock and unlock a car or make car payments, are another source of concern. As the report states, connected cars collect a lot of information about users, but because they are not developed with security from the design stage, it’s not clear who has ownership of the data, who uses it and who gains access to it.
Ford’s mobility app with connected services, Ford Pass, collects and shares information about GPS location, fuel consumption, lights, and driving behavior. According to the privacy policy it shares information with “authorized dealers and our affiliates.”
The story is similar with Volkswagen’s app, which requests permission to access “confidential information” in the calendar and USB storage, and claims in its privacy policy to share data with third parties when “necessary for the purpose of performing a contractual obligation.”
Ford refused to review the technical report and to provide a public statement on the glitches in the infotainment system. Volkswagen, on the other hand, agreed to review the report.
“Customer data is used for valued connected services, such as live traffic, in accordance with published policy,” Ford responded when contacted by the research team. “In Europe, connected vehicle data, for example location and driver behavior data, may only be shared with authorized dealers where we have communicated this clearly to our customers and have an appropriate legal basis in place, such as customer consent. Where we rely on customer consent, the customer has the right to withdraw that consent at any time.”
Volkswagen replied that the infotainment system is in a “separate domain of the vehicle and it is not possible to influence other critical control units unnoticed.” The company says it asks for customer consent to process data.
Which? warns that the lack of scrutiny of vital computer systems used in cars could lead to life-threatening security vulnerabilities. Several international entities are already drafting regulations that might be introduced next year.
One problem users might overlook is that their data remains stored in the car’s infotainment system if they don’t delete it. Therefore, if they end up selling the car, they are unknowingly sharing their private information with the new owner. Users can find themselves in the same situation if they rent a car and connect their device to the system. It is very important that users delete their information and revoke access to prevent their data from being compromised.
MirrorLink protocol exploits for unauthorized access control
The new report shows how little progress has been made from earlier research.
“Modern vehicles are not just mechanical devices anymore. They consist of dozens of small electronic components that communicate via a shared network inside of the car,” said Sahar Mazloom, a security researcher, in a presentation about car hacking.
Mazloom was presenting updated findings from a research paper on which she was lead co-author with a group of researchers from George Mason University and New York University. The team tested the security capabilities in In-Vehicle-Infotainment (IVI) systems integrated with a vehicle in 2015, which supported the MirrorLink protocol.
MirrorLink “was standardized by Car Connectivity Consortium to generate a global standardization or smartphone integration into the head unit. As the name implies, applications were running smoothly on the smartphone and the display was mirrored on the IVI screen for a seamless integration,” Mazloom said in her February 2020 presentation at the AppSec CA conference.
The research points out the vulnerabilities in this protocol that would allow a hacker to gain full control over the user’s smartphone to compromise the internal network.
After buying the infotainment system on eBay, the group developed a “malicious app that exploits heap overflow vulnerabilities discovered in the implementation of MirrorLink on the IVI” which hackers can exploit “to gain control flow of a privileged process executing on the IVI.”
The upshot of the study’s findings: A car has multiple control systems that are themselves vulnerable and are interconnected, and now companies are adding external openings through USB, Bluetooth and Wi-Fi networks.
“We are opening up attack surface [and] helping attackers by adding more features and not caring about their security,” said Mazloom.
It’s not just industry-specific protocols that present a risk. Apart from MirrorLink, car infotainment systems have been integrated with several other protocols, including Apple CarPlay and Android Auto, ignoring issues associated with third-party integrations.
In a recent book titled “Hacking Connected Cars: Tactics, Techniques, and Procedures,” Alissa Knight leverages her expertise in risk management and penetration testing of IoT devices and connected cars to discuss a number of hacking techniques used against connected vehicles. Knight provides specific examples of how vulnerabilities in wireless networking, Bluetooth, and GSM can be exploited to compromise connected cars, as well as guidelines and recommendations for vendors to boost vehicle security without jeopardizing innovation.