Zoetermeer, April 20, 2018 - Ethical hackers at Computest have discovered vulnerabilities in the infotainment system used in various models of the Volkswagen Group. They gained remote access to the system, meaning that the privacy of drivers could be seriously damaged. Under certain conditions attackers could listen in on conversations the driver is conducting via a car kit, turn the microphone on and off, and gain access to the complete address book and the conversation history. Furthermore, the vulnerability makes it possible to discover through the navigation system precisely where the driver has been, and to follow the car live wherever it is at any given time. Computest reported the leak first to the car manufacturer after it was discovered. According to Volkswagen the vulnerability has meanwhile been fixed.
The investigation concentrated on vulnerabilities in a Volkswagen Golf GTE and an Audi A3 Sportback e-tron, both of which were manufactured in 2015. Different versions of a Harman infotainment system are installed in these types of cars. The hackers were able to gain access remotely as well as in the car, for example using a USB stick, and also obtained the administrative rights of the system. This gave them control over the speakers, the microphone and the navigation system. The vulnerabilities identified involve the software. It is not possible to remotely update the specific type of infotainment system.
Daan Keuper and Thijs Alkemade, security specialists and ethical hackers at Computest, discovered the vulnerabilities during a research project. They are witnessing the rapid growth in the number of devices in our homes, as well as applications in the healthcare sector and in cars, to which internet connectivity is added. However, there is often no simple way of updating these connected systems. Moreover, the users will usually only pay attention to the security once something goes wrong. Because the specialists at Computest are involved on a daily basis with improving the security of software, they investigated the risks entailed in internet connectivity for cars.
The systems to which Keuper and Alkemade gained access are indirectly connected with the systems that allow the driver to brake and accelerate. Hartger Ruijs, director and founder of Computest, decided to stop the investigation at that point. “We believe in the value of digitalisation and in the role played by the ethical hacker community in investigating and drawing attention to the associated risks. But such work must remain justifiable. When you test the vulnerability of this type of critical functions, you are potentially acting illegally and you are possibly breaching the intellectual property rights. You need to be extremely careful when doing that. Therefore, continuing with the investigation without permission from the manufacturer wasn’t an option for us”, explains Ruijs.
The vulnerability in the systems in the cars raises the question not only of what other weaknesses may exist, but also of how these problems should be solved, bearing in mind that the infotainment systems are installed in numerous cars that will be in use for many years to come and for which there is no update mechanism available.
“Internet connectivity is a popular function in cars, although it also involves risks of which both the driver in question and also the manufacturer responsible are not always aware”, says Daan Keuper. “The biggest problem is mainly rooted in the systems in cars that have already been on the market for a number of years. That software is rarely updated. This means that the systems are almost always insufficiently protected. When you consider that a car has an average lifespan of 18 years, then that leaves a good few years during which attackers can make use of this possibility.”
Modernisation of the update policy of manufacturers
Keuper is therefore advocating modernisation of the update policy by the automotive industry. “It should be easier for consumers to update the software systems in their cars to the latest version, so that they are always protected against the most recent threats. In other words, instead of proactively requesting an update themselves at the dealer, consumers should get the updates pushed automatically over-the-air, the same way as happens with a laptop or smartphone. However, this also means that manufacturers should select systems whereby that is possible. In addition, they must continue to support their cars actively with new updates throughout the whole lifetime of the car.”
Computest informed the Volkswagen Group about the vulnerabilities a few months ago. The report in which the research and the vulnerabilities are described in detail was shared with and verified by the manufacturer. Prior to release of this research paper, Volkswagen sent us a letter confirming the vulnerabilities. In this letter they also state that the vulnerabilities have been fixed in an update to the infotainment system, which means that new cars produced since this update are not affected by the vulnerabilities we found. But based on our experience, it seems that cars which have been produced before are not automatically updated when being serviced at a dealer, and thus are still vulnerable to the described attack.
The full research report, which includes the letter from Volkswagen Group and a description of how Computest managed the disclosure process of the vulnerability to Volkswagen, is available here.