Cars are increasingly being hacked. This trend is even more pronounced as connected cars enter the market. Computest, a Dutch IT security firm, recently published a report describing precisely how it carried out a remote attack in order to enter the infotainment system of a Golf GTE and an Audi A3 Sportback e-tron via their Wi-Fi connection. An intrusion that will have allowed them to read the driver’s conversations, the history of his movements and to follow the vehicle in real time.
Audi car administrator access
The IVI (infotainment) “Discover Pro” system embedded in Volkwagen vehicles would contain a vulnerability allowing a malicious individual to hijack certain controls. Thus, a hacker could take control of the microphone to listen to conversations within the cabin and have access to call history and other data recorded in the system according to researchers from Computest, Daan Keuper and Thijs Alkemade.
The two researchers said they used a car’s Wi-Fi connection to operate an exposed port and gain access to the car’s IVI, manufactured by electronics vendor Harman. The researchers also had access to the IVI system administrator account, which allowed them to access other data on the cars. Under certain conditions, attackers could listen to the driver’s conversations via a car kit, turn the microphone on and off, and have access to the complete address book and conversation history,” the researchers said. In addition, because of the vulnerability, there is the possibility to discover through the navigation system precisely where the driver has gone, and to follow the car wherever it is at any time.
A worrying takeover
According to Daan Keuper and Thijs Alkemade, the authors of the report, it is also possible to access data from the navigation system. This allows to know the places visited by the vehicle while offering the possibility to follow it in real time. Much more worrying: the researchers discovered that the IVI system was indirectly connected to the brakes and the accelerator of the car… Regarding the terrorist attacks which were perpetrated by vehicles running into the crowd, as in Nice or London, designers and customers must be worried. The two researchers stopped studying the possibility of interacting with these systems, fearing to violate Volkswagen’s intellectual property. In addition to the Wi-Fi attack vector that allowed remote access to a car’s IVI, the researchers also found other vulnerabilities that could be exploited via the USB debug ports located under the car’s dashboard. The researchers found all these flaws in July 2017, and they reported all the problems to Volkswagen, even attending meetings with the car manufacturer. “The vulnerability we first identified should have been discovered in a proper security test,” researchers said. “When we met Volkswagen, we had the impression that the reported vulnerability and especially our approach was still unknown. We understood when we met Volkswagen that although it is used in tens of millions of vehicles worldwide, this specific IVI system was not formally tested for safety and the vulnerability was still unknown to them.
For the moment, these are only intrusions made by researchers and experts in the field within a very precise framework and without any malicious thought. The fact remains that this proves that the breach can be opened, leaving a glimpse of a loophole that could well be exploited for much more worrying uses. A threat that could become increasingly important with the development of autonomous vehicles and in-car entertainment systems (IVI). The team that successfully hacked the GTE Golf and A3 e-tron system believes that the cars produced in recent years are the most vulnerable to potential attack. Computest strongly encourages recent car owners to regularly ask their dealer if an update to the infotainment software is available, in order to protect themselves as best they can. Computest proposes to generalize the principle of software updates via the Internet to continuously improve the user experience and strengthen security by correcting certain identified flaws.
CERTs give these vulnerabilities the following CVSS score according to the following criteria:
Vector of attack: exploitable at distance
Access complexity: easy
Authentication: not required