Security researchers discovered multiple vulnerabilities in Volkswagen and Audi vehicles that open them up to remote hacking. The flaws in the Volkswagen Group’s Harman-manufactured in-vehicle infotainment (IVI) system could allow an attacker to remotely access the microphone, speakers, and navigation system. Put another way, an attacker could turn the microphone on or off, eavesdrop on conversations, and track a car in real time.
After testing on an Audi A3 Sportback e-tron and the Volkswagen Golf GTE, Daan Keuper and Thijs Alkemade, security researchers from the Dutch firm Computest, found that the flaws in the IVI system, referred to as the modular infotainment platform (MIB), could be remotely exploited via the internet.
An attacker could use the car’s Wi-Fi connection to remotely exploit an exposed port and ultimately gain access to the vehicle’s infotainment system. In a press release, the researchers warned:
Under certain conditions, attackers could listen in to conversations the driver is conducting via a car kit, turn the microphone on and off, as well as gaining access to the complete address book and the conversation history. Furthermore, due to the vulnerability, there is the possibility of discovering through the navigation system precisely where the driver has been and to follow the car live wherever it is at any given time.
Their research paper (pdf) states:
We can remotely compromise the MIB IVI system and from there send arbitrary CAN messages on the IVI CAN bus. As a result, we can control the central screen, speakers, and microphone. This is a level of access that no attacker should be able to achieve.
They had managed remote code execution via the internet, could control RCC, and could send arbitrary CAN messages. The next step would have been to attempt to actually control the car’s safety critical components — things dealing with the vehicle’s braking and acceleration system.
Computest said, “After careful consideration, we decided to discontinue our research at this point, since this would potentially compromise intellectual property of the manufacturer and potentially break the law.”
The researchers reported the flaws to Volkswagen’s external lawyer in July 2017 because the company had no responsible disclosure policy on its website. They met with Volkswagen in August 2017.
During our meeting with Volkswagen, we had the impression that the reported vulnerability and especially our approach was still unknown. We understood in our meeting with Volkswagen that, despite it being used in tens of millions of vehicles world-wide, this specific IVI system did not undergo a formal security test and the vulnerability was still unknown to them. However, in their feedback for this paper Volkswagen stated that they already knew about this vulnerability.
After looking into the vulnerabilities, Volkswagen told the researchers in October 2017 that it was “not going to publish a public statement.” Instead, VW said it was willing to review the researchers’ paper and check the facts. That review was completed in February 2018.
In April 2018, right before the paper was released to the public, Volkswagen provided us with a letter that confirms the vulnerabilities and mentions that they have been fixed in a software update to the infotainment system. This means that cars produced since this update are not affected by the vulnerabilities we found.
The researchers noted, “Based on our experience, it seems that cars which have been produced before are not automatically updated when being serviced at a dealer, thus are still vulnerable to the described attack.”
I encourage you to read their research paper, which delves into their attack strategy and technical system details, but it does not fully disclose the details of the remotely exploitable vulnerability because that, they believe, would be “irresponsible.”
The researchers said they want to protect future cars but ask, “What about the cars of today or cars that were shipped last week? They often don’t have the required capabilities (such as over-the-air updates) but will be on our roads for the next fifteen years. We believe they currently pose the real threat to their owners, having drive-by-wire technology in cars that are internet-connected without any way to reliably update the entire fleet at once.”
The hacked car models were from 2015, so if you have an Audi or Volkswagen, then contact to your dealer and ask about a software update.