Now, Volkswagen is also facing this type of cybersecurity threat. Researchers identified that the IVI (In-Vehicle Infotainment) systems present in some cars made by the manufacturer are susceptible to remote hacking. Furthermore, such an attack can extend to other, more critical car systems.
This vulnerability was initially revealed by Computest researchers Thijs Alkemade and Daan Keuper. They found the security flaw in the Volkswagen Golf GTE and the Audi A3 Sportback e-tron.
Alkemade and Keuper outlined in a detailed report that in some circumstances, this vulnerability can allow hackers to control critical functions. These include turning the car microphone off and on, using the onboard microphone to listen to the driver's conversations, and gaining access to both the conversation history and the entire address book of the car.
Moreover, they also claim that hackers can track the vehicle through its navigation system.
Volkswagen’s Response & More About the Vulnerability
A spokesperson for Volkswagen confirmed that the affected cars were those fitted with the Discover Pro infotainment system, as mentioned earlier.
The representative also stated that the company has been in communication with Computest since mid-2017. In his statement, he confirmed that the manufacturer eliminated the vulnerability in May 2016. He also established that as of now, hackers cannot manipulate the steering or brakes, or access systems of the car.
The Computest researchers outlined that they could also leverage an uncertified vulnerability in Modular Infotainment Systems made by Harman in order to gain access to their IVI systems remotely through WiFi.
They were also able to access the system's management software by exploiting an exposed port. As such, they outlined that it is possible to control the vehicles' central screen, microphone and speakers, functions attackers should not have access to.
A Serious Security Threat
Initially, the researchers only discovered that the vulnerability would allow them to read arbitrary files from disk. However, they eventually identified that it gave them additional capabilities, including complete remote code execution.
This was not all that the vulnerability could do. The researchers also discovered that it gave them access to the central processor of the multimedia applications unit of the IVI system.
This is the system responsible for functions such as multimedia decoding and screen compositing. Later, the researchers worked their way into controlling the car control unit and the radio.
In the report, they indicated that their next move would be sending arbitrary CAN messages (over the bus) as a way to ascertain if the vulnerability would breach any critical safety systems. However, due to the complexity of the task, the researchers decided to halt the process since it could potentially compromise the manufacturer’s property.
The OTA Problem
Computest made its research available to Volkswagen in 2017. In April, Volkswagen responded to Computest, confirming these vulnerabilities and further outlining that it had fixed these bugs in its latest software update for the infotainment system. This means that cars with this new system are not vulnerable.
Nonetheless, despite this fix by Volkswagen, the researchers indicated that they would no longer reveal any details of the bug. This is primarily because updates to the IVI systems cannot be performed over-the-air (OTA), meaning that cars already affected need to visit a dealer to get a fix and remain susceptible to hacker activity until they do.
Rather than requiring consumers to proactively request an update from a dealer, the system should push these updates to them automatically over-the-air, just like on smartphones.
This, according to Keuper, is the primary objective of their research: to show that these are some of the challenges that need fixing in future vehicles, for example by enabling automatic OTA updates. And although this is possible for future automobiles, the problem is that the already vulnerable cars (which are expected to stay on the road for quite some time) may never get security updates.
Vehicle security concerns, as well as the subsequent response from the manufacturers, dominated headlines in 2015 following an incident where researchers Chris Valasek and Charlie Miller famously hacked a Jeep Cherokee and took control of its steering, acceleration and braking systems.
Years later, the avenue for such attacks has unfortunately grown, mainly because of the popularity of infotainment systems and other WiFi-enabled functions in vehicles.
The solution, as Keuper outlines, is for owners of already affected vehicles to make sure they request and receive the necessary security updates. What's more, car makers can also tighten security by incorporating third-party mechanisms to complement their own security and quality assurance measures.