Volkswagen’s in-vehicle infotainment (IVI) systems in certain car models can be remotely hacked, and it is possible to pivot from them to more critical systems.
A significant vulnerability was found in Volkswagen’s Golf GTE model and an Audi A3 Sportback e-Tron. Under certain conditions, the IVI vulnerability could enable attackers to take over the onboard microphone to listen in on the driver’s conversations, turn the microphone on and off, access the system’s complete address book or conversation history, and track the car through the navigation system at any point.
The IVI vulnerability impacts only vehicles produced with Discover Pro infotainment systems: the Golf GTE and Audi A3 e-Tron.
A bug fix had already taken place in early May 2016, and now it is impossible for hackers to manipulate the brakes, steering or vehicle access systems.
We said it before, and we are saying it now: anything can be hacked, whether a door, a phone, a camera, a car or a laptop. Remember that it is essential for every user and company to add extra cybersecurity measures. Every user should use only the best cybersecurity solution, such as an antivirus for Windows or an antivirus for Mac, depending on which OS their device is running. Every company should also go an extra step to obtain the best cybersecurity measures; this can be done by hiring a cybersecurity firm that will attack the company’s network on purpose to reveal its most destructive and dangerous flaws.
This kind of deliberate attack is carried out through specialized cybersecurity tests such as penetration tests and ethical hacking tests.
Now hackers can only leverage a vulnerability in Harman modular infotainment (MIB) platforms in the affected car models to access the IVI system remotely via Wi-Fi. From there they can send arbitrary CAN messages on the IVI CAN bus, which can be used to control the central screen, speakers, and microphone.
However, sending an arbitrary CAN message to the CAN bus would involve hacking a chip that is directly connected to a gateway and is used to firewall messages between different CAN buses. At this point, a hacker would need to extract the firmware from the chip using a physical vector.
Volkswagen has been aware of this new critical flaw since the summer of 2017, and in April of this year Volkswagen confirmed the vulnerabilities in an open letter.
Volkswagen has fixed cars currently being produced, and affected car owners have to visit their dealers for a fix because end users cannot update the system themselves. Be aware! Cars which were produced before are not automatically updated when being serviced by a dealer and are still vulnerable to the described attack.
In an ideal world, instead of having to proactively request an update at the dealer themselves, consumers should get the updates pushed OTA automatically, similar to a smartphone.
Let’s not forget the famous remote hack of the 2014 Jeep Cherokee, which could be used to control the braking, steering, and acceleration of the vehicle. Since then, the attack surface for many cars has only expanded as infotainment systems and other Wi-Fi-enabled capabilities have become increasingly popular in cars.
For now, owners of impacted vehicles need to make sure they explicitly ask for security updates.
Because we want you to stay safe and secure in the face of vulnerabilities like this one, we recommend installing a robust cybersecurity solution on your devices, such as an antivirus for Windows or an antivirus for Mac, depending on which OS your machines are running. We also suggest that every company hire a specialized cybersecurity firm to perform tests such as penetration tests and ethical hacking tests on the company’s network to reveal whether any network flaws are present.
For companies that exist 100% online, we recommend using cyber-secured web hosting services.