Volkswagen has been found prone to car-hacking vulnerabilities, a detailed Computest report recently revealed. Researchers unearthed that the IVI systems (In-Vehicle Infotainment) in some Volkswagen models are vulnerable to remote hacking. These vulnerabilities could also lead to the compromise of other critical car systems.
Technical Details about the Research
More particularly, researchers Thijs Alkemade and Daan Keuper discovered the vulnerability in Golf GTE Volkswagen and the Audi3 Sportback e-tron. The flaw could allow hackers to take control over critical functions in some cases. The functions include turning the car’s microphone on and off, enlisting the microphone to listen to the driver’s conversations, and obtaining access to the conversation history and the address book of the automobile. On top of that, the researchers said that attackers could also track the car via its navigation system.
An increasing number of cars feature an internet connection, and some cars even have two cellular connections at once, the researchers wrote. This connection can for example be used by the IVI system to obtain information, such as maps data, or to offer functionalities like an internet browser or a Wi-Fi hotspot or to give owners the ability to control some features via a mobile app.
For their report, the researchers specifically focused on attack vectors that could be triggered via the internet and without user interaction. The goal that inspired the research was to see whether the driving behavior or other critical safety components in the car could be influenced. In other words, the researchers wanted to gain access to the high-speed CAN bus, which connects components like the brakes, steering wheel and the engine.
The research started with a Volkswagen Golf GTE, from 2015, with the Car-Net app:
This car has a IVI system manufactured by Harman, referred to as the modular infotainment platform (MIB). Our model was equipped with the newer version (version 2) of this platform, which had several improvements from the previous version (such as Apple CarPlay). Important to note is that our model did not have a separate SIM card tray. We assumed that the cellular connection used an embedded SIM, inside the IVI system, but this assumption would later turn out to be invalid.
We can remotely compromise the MIB IVI system and from there send arbitrary CAN messages on the IVI CAN bus. As a result, we can control the central screen, speakers, and microphone. This is a level of access that no attacker should be able to achieve.
The next step of the research would have been to attempt to take control over the car’s safety critical components, such as the vehicle’s braking and acceleration system.
However, after careful consideration, the two researchers decided to discontinue their at this point, since this would potentially compromise intellectual property of the manufacturer and potentially break the law.
Volkswagen’s Response to the Vulnerability Disclosure
Since Volkswagen didn’t have a responsible disclosure policy featured on its website, the researchers reported the flaws to Volkswagen’s external lawyer in July 2017. An actual meeting with the company also occurred the next month, August.
This is what the researchers said in a statement:
During our meeting with Volkswagen, we had the impression that the reported vulnerability and especially our approach was still unknown. We understood in our meeting with Volkswagen that, despite it being used in tens of millions of vehicles world-wide, this specific IVI system did not undergo a formal security test and the vulnerability was still unknown to them. However, in their feedback for this paper Volkswagen stated that they already knew about this vulnerability.
Volkswagen looked into the flaws, and said that it was not going to publish a public statement but would rather review the research to check their statements. The company did review the research paper, and the review itself was completed in February, 2018. “In April 2018, right before the paper was released to the public, Volkswagen provided us with a letter that confirms the vulnerabilities and mentions that they have been fixed in a software update to the infotainment system. This means that cars produced since this update are not affected by the vulnerabilities we found,” the researchers concluded.
Finally, it should once again be noted that the hacked car models were from 2015. If you by any chance own an Audi or Volkswagen from that year, you should contact your car dealer to receive information about the software update.