Researchers at Dutch firm Computest have disclosed multiple vulnerabilities in the infotainment system of some Volkswagen and Audi models, allowing them to remotely access the system and commandeer the microphone, navigation system, and speakers.
White-hat hackers Daan Keuper and Thijs Alkemade found the flaws in early 2017 after probing the Harman-made infotainment systems in a 2015-model VW Golf GTE and an Audi A3 Sportback e-tron. Both vehicles are made by Volkswagen Group.
Hoping to build on the cellular-based remote Jeep hack in 2015 that prompted a massive recall, the researchers were on the hunt specifically for ways to compromise an internet-connected car remotely and without user interaction.
The researchers found a flaw in the VW's in-vehicle infotainment (IVI) system that can be remotely exploited if the vehicle connects to an attacker's Wi-Fi network.
Keuper told ZDNet that they subsequently found the vulnerability could be exploited over cellular networks too, allowing for a longer-range attack.
The researchers say they opted against revealing the actual vulnerability because it can only be fixed with a firmware update that requires visiting a car dealer and having them install it.
Using the vulnerability, they were able to gain root access to the IVI system's main processor, which runs BlackBerry's QNX operating system and is responsible for navigation and multimedia decoding.
From there they were able to control the RCC (radio and car-control unit), which also runs QNX and is a potential avenue for sending malicious messages onto the CAN (Controller Area Network) bus to manipulate vehicle controls such as the braking and steering systems, as demonstrated in the Jeep hack.
However, the hackers decided to halt their research at this point for fear of legal ramifications, as going further would have required hacking a Renesas V850 chip that sits between the RCC and the CAN gateway and performs a firewall function for CAN messages passed between the different CAN buses.
"The firmware for the gateway is signed, so backdooring this chip won't work as it will invalidate the signature. Furthermore, reflashing the firmware is only possible from the debug bus (OBD-II port) and not from the IVI CAN bus," the researchers explained.
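To make the gateway's "firewall function" concrete, here is an added illustration of the principle, written for this article and not taken from Computest's research or from any Volkswagen Group firmware. It models a CAN gateway that only forwards frames whose identifier is on an allow-list for that (source bus, destination bus) pair, so that a compromised infotainment unit cannot push steering or braking frames onto the chassis bus. The bus names, CAN identifiers, the 2-byte-ID-plus-DLC wire encoding and the sample frames are all assumptions constructed for the example; the real MIB gateway's routing table is not public and is not described on this page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CanFrame:
    arbitration_id: int   # 11-bit standard CAN identifier
    data: bytes           # 0..8 payload bytes


# Hypothetical bus names; the real vehicle's bus topology is an assumption here.
BUS_IVI = "ivi"                # infotainment bus, where the RCC sits
BUS_POWERTRAIN = "powertrain"
BUS_CHASSIS = "chassis"        # steering / braking controllers live here

# Allow-list routing table: (source bus, destination bus) -> permitted CAN IDs.
# Anything not listed is dropped. All identifiers are invented for this example.
ROUTES = {
    (BUS_POWERTRAIN, BUS_IVI): {0x280, 0x320},   # engine speed, vehicle speed -> IVI display
    (BUS_CHASSIS, BUS_IVI): {0x1A0},             # wheel speeds -> navigation dead reckoning
    (BUS_IVI, BUS_CHASSIS): {0x5D0},             # a status frame the IVI is allowed to send
}


def parse_frame(raw: bytes) -> CanFrame:
    """Parse the constructed wire format: 2-byte big-endian ID, 1-byte DLC, payload."""
    if len(raw) < 3:
        raise ValueError("frame too short")
    arb_id = int.from_bytes(raw[:2], "big")
    if arb_id > 0x7FF:
        raise ValueError("not a standard 11-bit identifier")
    dlc = raw[2]
    if dlc > 8 or len(raw) != 3 + dlc:
        raise ValueError("DLC does not match payload length")
    return CanFrame(arb_id, raw[3:3 + dlc])


def is_allowed(src_bus: str, dst_bus: str, frame: CanFrame) -> bool:
    """Default-deny: a frame crosses the gateway only if its ID is allow-listed for that route."""
    return frame.arbitration_id in ROUTES.get((src_bus, dst_bus), set())


def gateway_filter(src_bus: str, dst_bus: str, raw_frames):
    """Return (forwarded frames, dropped (raw, reason) pairs) for one direction of the gateway."""
    forwarded, dropped = [], []
    for raw in raw_frames:
        try:
            frame = parse_frame(raw)
        except ValueError as exc:
            dropped.append((raw, str(exc)))      # malformed frames never cross the gateway
            continue
        if is_allowed(src_bus, dst_bus, frame):
            forwarded.append(frame)
        else:
            dropped.append((raw, "id not permitted on this route"))
    return forwarded, dropped


# Constructed sample traffic arriving from the (assumed compromised) IVI bus:
STEER_INJECT = bytes([0x00, 0xC0, 0x02, 0x12, 0x34])   # ID 0x0C0, 2 bytes: a forged chassis frame
IVI_STATUS = bytes([0x05, 0xD0, 0x01, 0x01])          # ID 0x5D0, 1 byte: legitimately allowed
MALFORMED = bytes([0x05, 0xD0, 0x09])                 # ID 0x5D0 but DLC 9 with no payload


def demo():
    forwarded, dropped = gateway_filter(BUS_IVI, BUS_CHASSIS, [STEER_INJECT, IVI_STATUS, MALFORMED])
    for f in forwarded:
        print(f"forwarded  id=0x{f.arbitration_id:03X} data={f.data.hex()}")
    for raw, reason in dropped:
        print(f"dropped    raw={raw.hex()} ({reason})")
    return forwarded, dropped


if __name__ == "__main__":
    demo()
```

The point of the design is the default-deny table: the gateway does not try to recognise "bad" frames, it only passes identifiers that the infotainment side has a legitimate reason to send, so a root shell on the IVI or RCC buys an attacker nothing on the chassis bus unless the gateway itself is altered, which is exactly what the signed firmware and OBD-II-only reflashing are there to prevent.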
The researchers reported their findings to Volkswagen Group in mid-2017. In April, Volkswagen Group wrote a letter to the researchers that appears to confirm the vulnerabilities they reported and indicates that a patch was deployed on new models built from mid-2016 onwards.
"The objective of manipulating the steering and brake was not achieved. However, you did succeed in accessing the infotainment system and obtaining 'Root' authorizations. These administrator rights and modular infotainment matrix (MIB) are intended for development at Volkswagen and not for other people in a customer vehicle. The open interface on the Golf GTE and Audi A3 was closed by an update to the infotainment software from production week 22/2016 onwards."
It's not clear what VW has done to address the flaws in models produced before this date. However, the researchers suspect they're still vulnerable.