Vulnerabilities in Skoda & Volkswagen Cars Let Hackers Remotely Track Users


Cybersecurity researchers have discovered several vulnerabilities in the infotainment systems of certain Skoda and Volkswagen car models. These vulnerabilities may allow hackers to track and access sensitive user data remotely.

PCAutomotive, a specialized automotive cybersecurity firm, recently disclosed 12 new security flaws affecting the latest model of the Skoda Superb III sedan at Black Hat Europe.

These vulnerabilities, primarily found in the MIB3 infotainment unit, could be exploited by malicious actors to inject malware into the vehicle and gain unauthorized access to various functions.

MIB3 infotainment unit
MIB3 infotainment unit

The affected vehicles include the Skoda Superb III (3V3) 2.0 TDI manufactured in 2022, but the issue potentially extends to other Skoda and Volkswagen models using similar infotainment systems.

2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide

PCAutomotive estimates that over 1.4 million vehicles could be vulnerable, with the actual number potentially higher when considering aftermarket components.

Hackers Can Remotely Track Users

If successfully exploited, these vulnerabilities could allow attackers to:

  1. Obtain real-time GPS coordinates and speed data
  2. Record in-car conversations via the vehicle’s microphone
  3. Capture screenshots of the infotainment display
  4. Play arbitrary sounds in the car
  5. Access the vehicle owner’s phone contact database

Danila Parnishchev, head of security assessment at PCAutomotive, noted that an attacker could exploit these flaws within a 10-meter range without authentication, using only a Bluetooth connection to the car’s media unit.

Researchers also identified issues in the OBD interface of Skoda and Volkswagen cars, allowing potential attackers to bypass UDS authentication on the infotainment unit.

In a particularly alarming discovery, one vulnerability could potentially cause the vehicle’s engine and other components to shut off while the car is moving at high speed, although this requires physical access to the OBD port.

CVE ID Title Severity (CVSS 3.1)
CVE not assigned SWD debug interface available on infotainment ECU Not calculated
CVE not assigned Debug console on Power Controller Chip Not calculated
CVE-2023-28895 Hard-coded password for access to power controller chip memory 3.5 (Low)
CVE-2023-28896 Weak encoding for password in UDS services 3.3 (Low)
CVE-2023-28897 Hard-coded password for UDS services 4.0 (Medium)
CVE-2023-28898 Head Unit Denial-of-Service via Apple CarPlay service 5.3 (Medium)
CVE-2023-28899 Denial of Service via ECU reset service 4.7 (Medium)
CVE-2023-28900 Nickname disclosure on the backend automotive server 5.3 (Medium)
CVE-2023-28901 Trip data disclosure on host fal-3a.prd.eu.dp.vwg-connect.com 5.3 (Medium)

Volkswagen, Skoda’s parent company, has reportedly patched the vulnerabilities after they were reported through their cybersecurity disclosure program.

Skoda spokesperson Tom Drechsler stated that the company is addressing the issues through “continuous improvement management” and assured that there was no danger to customer safety or vehicles at any time.

This incident highlights the growing importance of cybersecurity in modern vehicles as they become increasingly connected and reliant on complex electronic systems.

It serves as a reminder for automakers to prioritize robust security measures in their vehicle designs and for consumers to stay informed about potential risks associated with their connected cars.

As the automotive industry continues to evolve with more advanced technologies, the need for stringent cybersecurity protocols and regular security audits becomes ever more critical to ensure the safety and privacy of vehicle owners.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free



Source link