Security researchers have discovered multiple vulnerabilities in the infotainment units used in some Skoda cars. This vulnerability could allow a malicious attacker to remotely trigger certain controls and track the vehicle's location in real time.
PCAutomotive, a cybersecurity company specializing in the automotive sector, revealed 12 new security vulnerabilities affecting the latest model of the Skoda Superb III sedan this week at Black Hat Europe. This comes a year after the organization disclosed nine other vulnerabilities affecting the same model. Skoda is a car brand owned by German car giant Volkswagen.
Danila Parnyshev, head of security assessment at PCAutomotive, told TechCrunch that the vulnerabilities could be chained together and exploited by hackers to inject malware into vehicles. Parnyshev told TechCrunch that an attacker would need to connect to the Skoda Superb III's media unit via Bluetooth to exploit the flaw, but “the attack can be carried out within 10 meters without authentication.”
This vulnerability was discovered in a vehicle's MIB3 infotainment unit and could allow an attacker to achieve unrestricted code execution and execute malicious code every time the unit is started. According to PCAutomotive, this allows attackers to obtain live vehicle GPS coordinates and speed data, record conversations via the vehicle's microphone, take screenshots of the infotainment display, and play arbitrary sounds inside the vehicle. Possibly.
Palnyshev told TechCrunch that the flaw, which PCAutomotive verified in Superb III, allows an attacker to steal a car owner's phone contact database if car contact sync is enabled. He said it would also be possible.
“Typically, phones are encrypted, so you can't easily extract the contact database,” Parnyshev said. “For infotainment units, the contact database is stored in clear text.”
Palnyshev pointed out that he could not find a way to circumvent the limitations of the vehicle's network gateway for accessing safety-critical vehicle controls such as the steering wheel, brakes, and accelerator.
In a study shared with TechCrunch before being made public on Thursday, PCAutomotive found that vulnerable MIB3 units are used in multiple Volkswagen and Skoda models and, based on public sales data, that the vulnerable It pointed out that it estimates there may be more than 1.4 million vehicles in existence.
But Parnishev said the number of vulnerable vehicles could be even higher, given the aftermarket parts market. “If you go to eBay and search for the part number, you'll find it. And if the previous user didn't delete it, their contact database will still be there as well,” he explained.
PC Automotive said Volkswagen applied the patch after the vulnerability was reported through the company's cybersecurity disclosure program.
In an emailed statement to TechCrunch, Skoda spokesperson Tom Drexler said: “Reported infotainment system vulnerabilities have been addressed and continue to be eliminated through continuous improvement management throughout the lifecycle of our products. There has never been anything like this, now or ever.”