VW-Audi security: Multiple infotainment flaws could give attackers remote access

Some VW and Audi models are vulnerable to remote hacking over Wi-Fi and cellular networks.
Written by Liam Tung, Contributing Writer

Video: Hyundai and Cisco planning to launch hyperconnected cars next year.

Researchers at Dutch firm Computest have disclosed multiple vulnerabilities in the infotainment system of some Volkswagen and Audi models, allowing them to remotely access the system and commandeer the microphone, navigation system, and speakers.

Whitehat hackers Daan Keuper and Thijs Alkemade found the flaws in early 2017 after probing Harman-made infotainment systems in a 2015 model VW Golf GTE and an Audi A3 Sportback e-tron. Both vehicles are made by Volkswagen Group.

Hoping to build on the cellular-based remote Jeep hack in 2015 that prompted a massive recall, the researchers were on the hunt specifically for ways to compromise an internet-connected car remotely and without user interaction.

See: Our autonomous future: How driverless cars will be the first robots we learn to trust (cover story PDF)

The researchers found a flaw in the VW's in-vehicle infotainment (IVI) system that can be remotely exploited if the vehicle connects to an attacker's Wi-Fi network.

Keuper told ZDNet that they subsequently found the vulnerability could be exploited over cellular networks too, allowing for a longer-range attack.

The researchers say they opted against revealing the actual vulnerability because it can only be fixed with a firmware update that requires visiting a car dealer and having them install it.

Using the vulnerability, they were able to gain root access to the IVI system's main processor, which runs Blackberry's QNX operating system, and is responsible for navigation and multimedia decoding.

From there they were able to control the RCC or radio and car-control unit, which also runs on QNX, and is a potential avenue for sending malicious messages to the CAN (Controller Area Network) bus to manipulate vehicle controls such as the braking and steering system, as demonstrated in the Jeep hack.

However, the hackers decided to halt their research at this point for fear of legal ramifications as it would have required hacking a chip -- a Renesas V850 -- that sits between the RCC and the CAN's gateway, and performs a firewall function for CAN messages sent between different CAN buses.

"The firmware for the gateway is signed, so backdooring this chip won't work as it will invalidate the signature. Furthermore, reflashing the firmware is only possible from the debug bus (ODB-II port) and not from the IVI CAN bus," the researchers explained.

"If we want to bypass this chip, we need to find an exploitable vulnerability in the firmware. Our first step to achieve this would be to try to extract the firmware from the chip using a physical vector.

"However, after careful consideration we decided to discontinue our research at this point, since this would potentially compromise intellectual property of the manufacturer and potentially break the law."

See: What is the IoT? Everything you need to know about the Internet of Things right now

The researchers reported their findings to Volkswagen Group in mid-2017. In April, Volkswagen Group wrote a letter to the researchers that appears to confirm the vulnerabilities they reported and suggested a patch was deployed on new models made after mid-2016.

"The objective of manipulating the steering and brake was not achieved. However, you did succeed in accessing the infotainment system and obtaining 'Root' authorizations. These administrator rights and modular infotainment matrix (MIB) are intended for development at Volkswagen and not for other people in a customer vehicle. The open interface on the Golf GTE and Audi A3 was closed by an update to the infotainment software from production week 22/2016 onwards."

It's not clear what VW has done to address the flaws in models produced before this date. However, the researchers suspect they're still vulnerable.

"This means that cars produced since this update are not affected by the vulnerabilities we found," the researchers note in a comment about Volkswagen's letter.

"But based on our experience, it seems that cars which have been produced before are not automatically updated when being serviced at a dealer, thus are still vulnerable to the described attack."

It's also not certain from Volkswagen's response that it has addressed all vulnerabilities reported by the researchers.

"As we understood it, they knew they offered services on the cellular connection, which they firewalled in a later version. But they did not know about the vulnerability we found in one of these services," Keuper told ZDNet.

ZDNet has contacted Volkswagen Group for clarification and will update the story if it receives a response.

Computest has made its full report available.

Previous and related coverage

Hackers can take over your Jeep, literally driving you off the road

Jeep owners are urged to update their car's software after a vulnerability was found.

How secure is your car? Unpatchable flaw lets attackers disable safety features

A vehicle hack can disable safety features on most modern cars by posing as a faulty electronic component.

Does connecting your phone to your car open up new security risks?

'Always on' nature of today's software-reliant cars means using your smartphone on the road opens up additional attack vectors and vulnerabilities, warns one expert.

Editorial standards