Cybersecurity researchers have discovered several vulnerabilities in the infotainment systems of certain Skoda and Volkswagen car models. These vulnerabilities may allow hackers to track and access sensitive user data remotely.
PCAutomotive, a specialized automotive cybersecurity firm, recently disclosed at Black Hat Europe 12 new security flaws affecting the latest model of the Skoda Superb III sedan.
These vulnerabilities, primarily found in the MIB3 infotainment unit, could be exploited by malicious actors to inject malware into the vehicle and gain unauthorized access to various functions.
The affected vehicles include the Skoda Superb III (3V3) 2.0 TDI manufactured in 2022, but the issue potentially extends to other Skoda and Volkswagen models using similar infotainment systems.
PCAutomotive estimates that over 1.4 million vehicles could be vulnerable, with the actual number potentially higher when considering aftermarket components.
Hackers Can Remotely Track Users
If successfully exploited, these vulnerabilities could allow attackers to:
- Obtain real-time GPS coordinates and speed data
- Record in-car conversations via the vehicle’s microphone
- Capture screenshots of the infotainment display
- Play arbitrary sounds in the car
- Access the vehicle owner’s phone contact database
Danila Parnishchev, head of security assessment at PCAutomotive, noted that an attacker could exploit these flaws within a 10-meter range without authentication, using only a Bluetooth connection to the car’s media unit.
Researchers also identified issues in the OBD interface of Skoda and Volkswagen cars, allowing potential attackers to bypass UDS authentication on the infotainment unit.
In a particularly alarming discovery, one vulnerability could potentially cause the vehicle’s engine and other components to shut off while the car is moving at high speed, although this requires physical access to the OBD port.
| CVE ID | Title | Severity (CVSS 3.1) |
|---|---|---|
| CVE not assigned | SWD debug interface available on infotainment ECU | Not calculated |
| CVE not assigned | Debug console on Power Controller Chip | Not calculated |
| CVE-2023-28895 | Hard-coded password for access to power controller chip memory | 3.5 (Low) |
| CVE-2023-28896 | Weak encoding for password in UDS services | 3.3 (Low) |
| CVE-2023-28897 | Hard-coded password for UDS services | 4.0 (Medium) |
| CVE-2023-28898 | Head Unit Denial-of-Service via Apple CarPlay service | 5.3 (Medium) |
| CVE-2023-28899 | Denial of Service via ECU reset service | 4.7 (Medium) |
| CVE-2023-28900 | Nickname disclosure on the backend automotive server | 5.3 (Medium) |
| CVE-2023-28901 | Trip data disclosure on host fal-3a.prd.eu.dp.vwg-connect.com | 5.3 (Medium) |
Volkswagen, Skoda’s parent company, has reportedly patched the vulnerabilities after they were reported through its cybersecurity disclosure program.
Skoda spokesperson Tom Drechsler stated that the company is addressing the issues through “continuous improvement management” and assured that there was no danger to customer safety or vehicles at any time.
This incident highlights the growing importance of cybersecurity in modern vehicles as they become increasingly connected and reliant on complex electronic systems.
It serves as a reminder for automakers to prioritize robust security measures in their vehicle designs and for consumers to stay informed about potential risks associated with their connected cars.
As the automotive industry continues to evolve with more advanced technologies, the need for stringent cybersecurity protocols and regular security audits becomes ever more critical to ensure the safety and privacy of vehicle owners.