Archive for Audi

Flaws In VW And Audi Infotainment Systems Can Lead To Remote Pwnage Of Cars

Posted in Commentary on May 2, 2018 by itnerd

Remember the Jeep hack where a security researcher pwned a Jeep remotely to the point they could control it, which in turn led to a recall to allow Chrysler to address the issue? Or the GM OnStar hack that allowed a security researcher to remotely open the doors and start the engines of GM cars equipped with OnStar? Well, those were examples of the car industry not being on top of the security of what are basically rolling computer systems. The thing is that those incidents happened years ago. Thus things should be better now. Right?

Actually, no, they’re not, based on this example brought to light by a Dutch research team looking into VW and Audi infotainment systems:

Researchers at Dutch firm Computest have disclosed multiple vulnerabilities in the infotainment system of some Volkswagen and Audi models, allowing them to remotely access the system and commandeer the microphone, navigation system, and speakers.

Whitehat hackers Daan Keuper and Thijs Alkemade found the flaws in early 2017 after probing Harman-made infotainment systems in a 2015 model VW Golf GTE and an Audi A3 Sportback e-tron. Both vehicles are made by Volkswagen Group.

And:

The researchers found a flaw in the VW’s in-vehicle infotainment (IVI) system that can be remotely exploited if the vehicle connects to an attacker’s Wi-Fi network.

Keuper told ZDNet that they subsequently found the vulnerability could be exploited over cellular networks too, allowing for a longer-range attack.

And:

Using the vulnerability, they were able to gain root access to the IVI system’s main processor, which runs Blackberry’s QNX operating system, and is responsible for navigation and multimedia decoding.

From there they were able to control the RCC or radio and car-control unit, which also runs on QNX, and is a potential avenue for sending malicious messages to the CAN (Controller Area Network) bus to manipulate vehicle controls such as the braking and steering system, as demonstrated in the Jeep hack.

This sounds insanely similar to the Jeep hack. The researchers stopped their work and informed VW, who apparently confirmed the issues. Here’s where it gets murky. In the case of vehicles made after mid-2016, VW has implied that they have addressed these issues. But in vehicles made before that, it isn’t clear what has been done. Thus they may still be pwnable.

The full report is available [Warning: PDF]. But this does illustrate several fundamental flaws in how car companies approach security in their cars:

  1. Depending on the manufacturer, software upgrades may or may not be available for you. If they are available, they may cost you money as the number one reason for these updates is to install updated maps for the navigation system. And it isn’t clear if security issues are addressed in those updates.
  2. If you can get updates for your car, some are done “over the air” and some require you or your dealer to physically update the infotainment system. The latter is something that people who actually care about this sort of thing outsource to their dealer, or someone like me. Which means that it is possible for you to be rolling around with a pwnable car if you don’t do these updates.
  3. Car companies for the most part don’t really invest the time and effort to look for security issues and proactively address them. Nor do they have bug bounty programs like the Microsofts and Googles of the world to encourage hackers to report security issues. And if they did, the mechanisms to report these issues may not exist. The only exceptions to this that I am aware of are GM and Tesla.

In short, all car companies need to step up their game when it comes to the security of their in-car infotainment systems. Because it is clear that we are now approaching a place where something like this scene from the movie The Fate Of The Furious isn’t just fiction anymore:

Audi Gets Accused Of #DieselGate Like Cheating By The German Government

Posted in Commentary on June 2, 2017 by itnerd

The German government has accused Audi of cheating emissions tests with its top-end models according to Reuters:

The German Transport Ministry said it has asked Volkswagen’s (VOWG_p.DE) luxury division to recall around 24,000 A7 and A8 models built between 2009 and 2013, about half of which were sold in Germany. The affected Audi models with so-called Euro-5 emission standards emit about twice the legal limit of nitrogen oxides when the steering wheel is turned more than 15 degrees, the ministry said. It is also the first time that Audi’s top-of-the-line A8 saloon has been implicated in emissions cheating. VW has said to date that the emissions-control software found in its rigged EA 189 diesel engine does not violate European law. The 80,000 3.0-liter vehicles affected by VW’s emissions cheating scandal in the United States included Audi A6, A7 and Q7 models as well as Porsche and VW brand cars. The ministry said it has issued a June 12 deadline for Audi to come up with a comprehensive plan to refit the cars. Ingolstadt-based Audi issued a recall for the 24,000 affected models late on Thursday, some 14,000 of which are registered in Germany, and said software updates will start in July. It will continue to cooperate with Germany’s KBA motor vehicle authority, Audi said.

This shouldn’t come as a total surprise as Audi is owned by VW and VW likely shares parts and technology with Audi. But it’s likely bad press that neither company needs right now as it will likely spark similar probes elsewhere on the planet. Plus, VW was likely hoping to put DieselGate behind it.

Audi To Offer BOTH CarPlay And Android Auto On Its Cars

Posted in Commentary on June 27, 2014 by itnerd

From the “playing both sides of the fence department” comes this press release from Audi that announces that they will offer both CarPlay which is from Apple and Android Auto which is from Google in their cars:

“Our customers want to be ‘always on’ and use the services they know from their smartphones in cars as well,” says Prof. Dr. Ulrich Hackenberg, Board Member for Technical Development at AUDI AG. “In this regard, we are working closely with leading companies like Google and Apple. In the future, customers will be able to use the functions available to them on their smartphones via the operating systems in their cars as well.”

So regardless of which side of the fence you’re on, you’ll be covered. The press release was light on other details, though it did say that each system will use the Audi MMI interface and users can switch between systems at any time. Plus they’ll be in 2015 model year cars. So we’ll have to wait and see what they bring to the table and how they do it.

One thing that I suspect will happen is that other car companies will bring their plans for one system or the other forward soon.

Audi And Google To Team Up On In Car Infotainment

Posted in Commentary on December 31, 2013 by itnerd

Apple has been making a lot of news with their iOS in the Car initiative, which GM, BMW, and Honda among others have signed on to. Well, according to the Wall Street Journal, Google doesn’t want to be left out and will be announcing a partnership with Audi at CES 2014:

Next week at the Consumer Electronics Show in Las Vegas, Google and German auto maker Audi AG plan to announce that they are working together to develop in-car entertainment and information systems that are based on Google’s Android software, people familiar with the matter said.

They also plan to disclose collaborative efforts with other automotive and tech companies, including chip maker Nvidia Corp., to establish Android as an important technology for future vehicles, these people said. The aim is to allow drivers and passengers to access music, navigation, apps and services that are similar to those widely available now on Android-powered smartphones, these people added.

Cars are likely to be the next battleground for Apple and Google, so this doesn’t come as a huge shock to me, as Google will want to be a player in this market to keep Apple from becoming the dominant player in this space. Doing a deal with Audi could be a springboard to more car companies jumping on board with Google as well. After all, Android is a good fit as it is highly extensible, which works well for many auto makers. This is going to be interesting to watch in 2014.