It is commonplace for car makers to allow the integration of trusted third-party apps with the IVI systems via smartphones, typically through a pair of apps, one that executes on the smartphone and one that executes on the IVI itself connected to the vehicle’s CAN bus.
"To what extent are these apps, protocols and underlying IVI implementations vulnerable to an attacker who might gain control of a driver's smartphone?" asked the researchers, led by Damon McCoy, an assistant professor of computer science and engineering at the NYU Tandon School of Engineering.
The researchers focused their efforts on an IVI system that is included in at least one 2015 model vehicle from a major automotive manufacturer and found that vestigial support for the MirrorLink protocol could easily be enabled based on publicly available information. They then developed a proof-of-concept malicious smartphone app and were able to exploit heap overflow vulnerabilities they discovered in the IVI's implementation of MirrorLink.
These vulnerabilities, they claim, can allow attackers to hijack the control flow of a privileged process executing on the IVI, and they believe that the same vulnerabilities could certainly be exploited by an attacker with control of a driver's smartphone to send malicious messages on the vehicle's internal CAN bus.