A Dutch cybersecurity company has revealed that cars from Audi and the Volkswagen Group can be hacked remotely due to a vulnerable infotainment system. Daan Keuper and Thijs Alkemade, two security researchers with Computest, said they successfully tested their exploits on a Volkswagen Golf GTE and an Audi A3 Sportback e-tron. The researchers even gained access to the root account, which gives access to critical car data. The software and device were manufactured by Harman. The post-exploit shenanigans open to the researchers included listening in on conversations taking place inside the car.
“Under certain conditions attackers could listen in to conversations the driver is conducting via a car kit, turn the microphone on and off, as well as gaining access to the complete address book and the conversation history,” Computest researchers said.
“Furthermore, due to the vulnerability, there is the possibility of discovering through the navigation system precisely where the driver has been, and to follow the car live wherever it is at any given time,” researchers added.
Keuper and Alkemade also said that the in-vehicle infotainment (IVI) system is indirectly connected to the car’s acceleration and braking systems, but they stopped investigating this area because it might violate Volkswagen’s intellectual property. The WiFi attack vector allowed remote access to the car’s IVI system. The researchers also found a vulnerability in the USB debugging mode under the car’s dashboard.
“The vulnerability we initially identified should have been found during a proper security test,” researchers said. “During our meeting with Volkswagen, we had the impression that the reported vulnerability and especially our approach was still unknown. We understood in our meeting with Volkswagen that, despite it being used in tens of millions of vehicles world-wide, this specific IVI system did not undergo a formal security test and the vulnerability was still unknown to them.”
Volkswagen has responded to the report, saying that the company worked with the research team to identify the flaws and will address them.
“The open interface on the Golf GTE and Audi A3 was closed by an update to the infotainment software from production week 22/2016 onwards,” Volkswagen execs wrote in a letter sent to Computest, shared by the researchers.
The security researchers are still worried because the IVI system they hacked did not come with an over-the-air update system, meaning the flaw couldn’t be mitigated with a software patch. The researchers made it very clear that they don’t plan to reveal the exact services and ports they used to break into the VW Golf and Audi A3 models during their experiments.