Flaws In VW And Audi Infotainment Systems Can Lead To Remote Pwnage Of Cars

Remember the Jeep hack where a security researcher pwned a Jeep remotely to the point they could control it, which in turn led to a recall to allow Chrysler to address the issue? Or the GM OnStar hack that allowed a security researcher to remotely open the doors and start the engines of GM cars equipped with OnStar? Well, those were examples of the car industry not being on top of the security of what are basically rolling computer systems. The thing is that those incidents happened years ago. Thus things should be better now. Right?

Actually, no, they’re not, based on this example brought to light by a Dutch research team looking into VW and Audi infotainment systems:

Researchers at Dutch firm Computest have disclosed multiple vulnerabilities in the infotainment system of some Volkswagen and Audi models, allowing them to remotely access the system and commandeer the microphone, navigation system, and speakers.

Whitehat hackers Daan Keuper and Thijs Alkemade found the flaws in early 2017 after probing Harman-made infotainment systems in a 2015 model VW Golf GTE and an Audi A3 Sportback e-tron. Both vehicles are made by Volkswagen Group.

And:

The researchers found a flaw in the VW’s in-vehicle infotainment (IVI) system that can be remotely exploited if the vehicle connects to an attacker’s Wi-Fi network.

Keuper told ZDNet that they subsequently found the vulnerability could be exploited over cellular networks too, allowing for a longer-range attack.

And:

Using the vulnerability, they were able to gain root access to the IVI system’s main processor, which runs Blackberry’s QNX operating system, and is responsible for navigation and multimedia decoding.

From there they were able to control the RCC or radio and car-control unit, which also runs on QNX, and is a potential avenue for sending malicious messages to the CAN (Controller Area Network) bus to manipulate vehicle controls such as the braking and steering system, as demonstrated in the Jeep hack.

This sounds insanely similar to the Jeep hack. The researchers stopped their work and informed VW, who apparently confirmed the issues. Here’s where it gets murky. In the case of vehicles made after mid-2016, VW has implied that they have addressed these issues. But in vehicles made before that, it isn’t clear what has been done. Thus they may still be pwnable.

The full report is available [Warning: PDF]. But this does illustrate several fundamental flaws in how car companies approach security in their cars:

  1. Depending on the manufacturer, software upgrades may or may not be available for you. If they are available, they may cost you money as the number one reason for these updates is to install updated maps for the navigation system. And it isn’t clear if security issues are addressed in those updates.
  2. If you can get updates for your car, some are done “over the air” and some require you or your dealer to physically update the infotainment system. The latter is something that people who actually care about this sort of thing outsource to their dealer, or someone like me. Which means that it is possible for you to be rolling around with a pwnable car if you don’t do these updates.
  3. Car companies for the most part don’t really invest the time and effort to look for security issues and proactively address them. Nor do they have bug bounty programs like the Microsofts and Googles of the world to encourage hackers to report security issues. And if they did, the mechanisms to report these issues may not exist. The only exceptions to this that I am aware of are GM and Tesla.

In short, all car companies need to step up their game when it comes to the security of their in-car infotainment systems. Because it is clear that we are now approaching a place where something like this scene from the movie The Fate Of The Furious isn’t just fiction anymore:


One Response to “Flaws In VW And Audi Infotainment Systems Can Lead To Remote Pwnage Of Cars”

  1. […] highlights something that I have been saying for a while now. Car makers really need to up their game when it comes to the security of the cars that they make […]
