Cybersecurity researchers from PCAutomotive have uncovered 12 significant vulnerabilities in the infotainment systems of certain Skoda and Volkswagen vehicles, exposing over 1.4 million cars to potential exploitation. These findings were disclosed at Black Hat Europe 2024 and underscore the critical need for enhanced security in connected vehicles.
Key Details:
- Affected Models: The Skoda Superb III (3V3) 2.0 TDI (2022) and potentially other Skoda and Volkswagen models using the MIB3 infotainment system.
- Vulnerabilities: Flaws in the MIB3 unit allow hackers to exploit Bluetooth connections to:
  - Access GPS and speed data in real time.
  - Record in-car conversations via the microphone.
  - Capture infotainment display screenshots.
  - Control audio playback.
  - Extract phone contact data.
Notable CVEs:
- CVE-2023-28895 to CVE-2023-28901: These cover hard-coded passwords, weak encoding, and denial-of-service vulnerabilities, with severity scores ranging from 3.3 (Low) to 5.3 (Medium).
- SWD Debug and OBD Issues: Allow attackers to bypass security protocols and even shut down vehicle components under certain conditions.
Exploitation Risks:
Attackers within a 10-meter range can compromise infotainment systems via Bluetooth without authentication. Exploits may also target the On-Board Diagnostics (OBD) interface to bypass security mechanisms.
Vendor Response:
Volkswagen has issued patches for the reported vulnerabilities through its cybersecurity disclosure program. Skoda assures customers of ongoing improvements and states that no safety risks existed during the discovery period.
Recommendations:
- Vehicle Owners: Ensure software updates are installed promptly and minimize the use of unsecured Bluetooth connections.
- Automakers: Prioritize comprehensive security protocols in connected systems, conduct regular audits, and engage in proactive vulnerability disclosure programs.
The incident serves as a stark reminder of the growing cybersecurity challenges in modern vehicles and the importance of safeguarding user data and safety against evolving threats.
For further information, consult PCAutomotive’s official disclosure or contact your vehicle manufacturer.