Hacking vehicles isn’t anything new. Over recent years, researchers have demonstrated through proof-of-concept experiments that many popular car models can be hacked by exploiting carefully selected vulnerabilities for a particular system integrated into the vehicle. Just ask Ford, Jeep, Nissan, and Toyota. Some of these vehicles can be remotely turned off; some of them can be remotely unlocked and turned on; and some can have sensitive information stolen from them.
Volkswagen Golf GTE and Audi3 Sportback e-tron models are now added to the list of hackable vehicles. Security researchers claim that the “in-vehicle infotainment (IVI)” systems can be hacked. By exploiting the IVI system, the vehicle’s microphone could be seized, allowing hackers to eavesdrop on phone conversations. This would also allow hackers unauthorized access to the vehicle-owner’s address book or call history. The researchers further added that it’s also possible access to the vehicle’s navigation system, permitting hackers to track the vehicle’s location.
But, this is only the beginning! There were more exploits that the researchers were able to find!
The IVI system is meant to integrate with the vehicle-owner’s smartphone system, which creates somewhat of a unification between the smartphone and the vehicle. With the IVI system, vehicle owners can access some of their favorite apps via a touch screen on the vehicle dashboard. Some popular supported apps include iHeart Radio, Stitcher, Spotify and Skype. There is even SMS message capabilities. Vehicle owners can connect their smartphones via AUX cable, USB, or Bluetooth.
Currently, the exact vulnerability has not been disclosed to the public, but the researchers were generous enough to “gently” elaborate on what they found. According the researchers, a vulnerability exists in the “Harman-manufactured modular infotainment (MIB) platforms.” Though we don’t know the exact vulnerability, the researchers we able to leverage this vulnerability to access the IVI system over a Wi-Fi connection.
With this vulnerability, the researchers could send arbitrary Control Area Network (CAN) messages to the vehicle. The CAN makes up the internal network and the numerous interconnections inside the vehicle. There are two CAN buses in the vehicle. One CAN bus is for convenience services and the other is for critical safety components. This allows the researchers to control the capacitive touch screen, speaker system, and microphone, and possibly unrelated critical systems inside the vehicle. The problem is that the communication between the two CAN buses is controlled by a CAN bus gateway, which acts as a firewall (I will discuss this problem momentarily).
The two CAN buses. Reprinted from “Researchers find critical security flaws in popular car models,”
What’s really interesting is that the researchers then discovered that the vehicles were vulnerable to wireless remote code execution as well, which could possible allow them to reach critical safety systems in the vehicle. Therefore, popular hacking targets would probably be the vehicle’s acceleration and breaking system.
At this point, however, the researchers cautiously chose to terminate their research because any further testing would require that they physically extract the firmware from a chip connected to the CAN bus gateway, which would compromise the integrity of Volkswagen’s intellectual property.
The problem with this vulnerability is that it can’t be patched unless the vehicle owner takes it to a auto-dealer and gets it manually patched. It would be very convenient if there was an over-the-internet patching system in place, but this is simply not the case for modern-day vehicles. This is precisely why the researchers chose not to disclose the vulnerability.
References
E Hacking News. (2018). Volkswagen and Audi Cars Are Vulnerable To Remote Hacking. E Hacking News. Retrieved from http://www.ehackingnews.com/2018/05/volkswagen-and-audi-cars-are-vulnerable.html
O’Donnel, L. (2018). Volkswagen Cars Open to Remote Hacking, Researchers Warn. Threat Post. Retrieved from https://threatpost.com/volkswagen-cars-open-to-remote-hacking-researchers-warn/131571/
Wagas. (2018). Researchers find critical security flaws in popular car models. HackRead. Retrieved from https://www.hackread.com/critical-security-flaws-in-popular-car-models/
The Cybersecurity Man 