A Dutch cyber-security firm has discovered that in-vehicle infotainment (IVI) systems deployed with some car models from the Volkswagen Group are vulnerable to remote hacking.
Daan Keuper and Thijs Alkemade, security researchers with Computest, said they successfully tested their findings and exploit chains on Volkswagen Golf GTE and Audi A3 Sportback e-tron models (Audi is a brand part of the Volkswagen Group).
The two researchers said used a car's WiFi connection to exploit an exposed port and gain access to the car's IVI, manufactured by electronics vendor Harman.
Researchers also gained access to the IVI system's root account, which they say allowed them access to other car data.
"Under certain conditions attackers could listen in to conversations the driver is conducting via a car kit, turn the microphone on and off, as well as gaining access to the complete address book and the conversation history," Computest researchers said.
"Furthermore, due to the vulnerability, there is the possibility of discovering through the navigation system precisely where the driver has been, and to follow the car live wherever it is at any given time," researchers added.
Keuper and Alkemade say the IVI system is also indirectly connected to the car's acceleration and braking system, but they stopped investigating the possibility of interacting with those systems fearing they might breach Volkswagen's intellectual property.
All in all, besides the WiFi attack vector that allowed remote access to a car's IVI, researchers also found other flaws that could be exploited via USB debugging ports located under the car dashboard.
Researchers found all these flaws in July 2017, and they reported all the issues to Volkswagen, even participating in meetings with the car maker.
"The vulnerability we initially identified should have been found during a proper security test," researchers said. "During our meeting with Volkswagen, we had the impression that the reported vulnerability and especially our approach was still unknown. We understood in our meeting with Volkswagen that, despite it being used in tens of millions of vehicles world-wide, this specific IVI system did not undergo a formal security test and the vulnerability was still unknown to them."
But despite the car maker's error in deploying an untested system within its cars, Volkswagen worked with the research team to address the reported flaws.
"The open interface on the Golf GTE and Audi A3 was closed by an update to the infotainment software from production week 22/2016 onwards," Volkswagen execs wrote in a letter sent to Computest, shared by the researchers.
But albeit Volkswagen closing the vulnerability in current infotainment systems, researchers are still worried. This is because the IVI system they hacked did not come with an over-the-air update system, meaning it couldn't be updated with a software patch from afar.
Furthermore, in their conversations with Volkswagen, researchers say the car maker alluded to having fixed the IVI flaws in infotainment systems still in production, but without telling researchers how they planned to deal with cars already sold to customers.
Bleeping Computer has sent a formal request for comment today to the Volkswagen Group asking for information on the car models that are an IVI system affected by the flaws discovered by the Computest team. Further, we've also asked for instructions on behalf of owners of vulnerable cars and how customers should proceed with updating their systems. We will update the article when Volkswagen responds.
For their part, researchers made it very clear they don't plan to reveal the exact services and ports they used to break into the VW Golf and Audi A3 models during their experiments.
"When writing this paper, we decided to not provide a full disclosure of our findings. We describe the process we followed, our attack strategy and the system internals, but not the full details on the remote exploitable vulnerability as we would consider that being irresponsible," Computest researcher wrote in a technical paper.
"This might disappoint some readers, but we are fully committed to a responsible disclosure policy and are not willing to compromise on that.
"We think that giving full disclosure could put people at risk, while not adding much to this paper."
In August 2016, Volkswagen fixed another major security flaw in its keyfob system that affected almost all models sold in the past 20 years.