Researchers discovered flaws in the Audi A3 Sportback e-tron and the Volkswagen Golf GTE that make the vehicles vulnerable to remote hacking.

Security researchers discovered multiple vulnerabilities in Volkswagen and Audi vehicles that open them up to remote hacking. The flaws in the Volkswagen Group’s Harman-manufactured in-vehicle infotainment (IVI) system could allow an attacker to remotely access the microphone, speakers, and navigation system. Put another way, an attacker could turn the microphone on or off, eavesdrop on conversations, and track a car in real time.

After testing on an Audi A3 Sportback e-tron and a Volkswagen Golf GTE, Daan Keuper and Thijs Alkemade, security researchers from the Dutch firm Computest, found that the flaws in the IVI system, referred to as the modular infotainment platform (MIB), could be remotely exploited via the internet.

An attacker could use the car’s Wi-Fi connection to remotely exploit an exposed port and ultimately gain access to the vehicle’s infotainment system. In a press release, the researchers warned:

“Under certain conditions, attackers could listen in to conversations the driver is conducting via a car kit, turn the microphone on and off, as well as gaining access to the complete address book and the conversation history. Furthermore, due to the vulnerability, there is the possibility of discovering through the navigation system precisely where the driver has been and to follow the car live wherever it is at any given time.”

Their research paper (pdf) states:

“We can remotely compromise the MIB IVI system and from there send arbitrary CAN messages on the IVI CAN bus. As a result, we can control the central screen, speakers, and microphone. This is a level of access that no attacker should be able to achieve.”

They had managed remote code execution via the internet, could control RCC, and could send arbitrary CAN messages.
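The consequence the researchers describe, a compromised head unit emitting CAN frames it would never normally send, is something a defender can watch for on the IVI bus. The following is an added example, not code from the article or from the Computest paper: a small monitor that reads frames in the Linux can-utils `candump` log format, flags arbitration IDs outside a hypothetical per-bus baseline, and flags IDs sent faster than their expected rate. The baseline IDs, rates and log lines are all constructed for illustration and are not real MIB identifiers.

```python
"""Added example (not from the Computest paper or this article): an
allowlist/rate monitor for CAN frames in candump log format, the kind of
check a defender might run on an IVI bus to notice a compromised head unit
sending frames it never normally sends. Every ID, rate and log line below
is constructed for illustration; none is a real VW/Audi MIB identifier."""
import re
from collections import defaultdict

# candump log line format, e.g. "(1523456789.123456) can0 2A4#11223344"
LINE_RE = re.compile(
    r"^\((?P<ts>\d+\.\d+)\)\s+(?P<bus>\S+)\s+"
    r"(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)$"
)


def parse_line(line):
    """Parse one candump line into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": float(m["ts"]),
        "bus": m["bus"],
        "id": int(m["id"], 16),
        "data": bytes.fromhex(m["data"]),
    }


# Hypothetical baseline for the IVI bus: which arbitration IDs normally
# appear and the maximum frames-per-second each is expected to be sent at.
BASELINE = {
    0x2A4: 20.0,  # e.g. display status (constructed)
    0x3C1: 10.0,  # e.g. audio volume (constructed)
    0x5F0: 1.0,   # e.g. navigation position (constructed)
}


def monitor(lines, baseline=BASELINE, window=1.0):
    """Return a list of (reason, arbitration_id, timestamp) alerts.

    'unknown_id'     - frame ID is not in the baseline at all
    'rate_exceeded'  - more frames of this ID in the sliding window than
                       baseline[id] * window allows
    """
    alerts = []
    recent = defaultdict(list)  # id -> timestamps seen within the window
    for line in lines:
        frame = parse_line(line)
        if frame is None:
            continue  # skip lines that are not candump records
        fid, ts = frame["id"], frame["ts"]
        if fid not in baseline:
            alerts.append(("unknown_id", fid, ts))
            continue
        stamps = recent[fid]
        stamps.append(ts)
        # Slide the window: forget timestamps older than `window` seconds.
        while stamps and ts - stamps[0] > window:
            stamps.pop(0)
        if len(stamps) > baseline[fid] * window:
            alerts.append(("rate_exceeded", fid, ts))
    return alerts


# Constructed sample log: one unknown ID (0x7E0) and one ID (0x5F0) sent
# twice within a second although its baseline allows one frame per second.
SAMPLE_LOG = [
    "(1000.000) can0 2A4#01",
    "(1000.050) can0 3C1#10",
    "(1000.100) can0 2A4#01",
    "(1000.200) can0 7E0#0201",
    "(1000.300) can0 5F0#AABBCCDD",
    "(1000.400) can0 5F0#AABBCCDD",
    "not a candump line",
]

if __name__ == "__main__":
    for reason, fid, ts in monitor(SAMPLE_LOG):
        print(f"{ts:.3f} {reason} id=0x{fid:03X}")
```

On a real vehicle bus the baseline would be learned from a known-good capture rather than typed in, and the window and rates tuned per ID; the point of the example is that an allowlist plus a rate bound already separates a head unit behaving normally from one that has started to send arbitrary traffic.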
The next step would have been to attempt to actually control the car’s safety-critical components — things dealing with the vehicle’s braking and acceleration system. Computest said, “After careful consideration, we decided to discontinue our research at this point, since this would potentially compromise intellectual property of the manufacturer and potentially break the law.”

The researchers reported the flaws to Volkswagen’s external lawyer in July 2017 because the company had no responsible disclosure policy on its website. They met with Volkswagen in August 2017.

“During our meeting with Volkswagen, we had the impression that the reported vulnerability and especially our approach was still unknown. We understood in our meeting with Volkswagen that, despite it being used in tens of millions of vehicles world-wide, this specific IVI system did not undergo a formal security test and the vulnerability was still unknown to them. However, in their feedback for this paper Volkswagen stated that they already knew about this vulnerability.”

Volkswagen’s response

After looking into the vulnerabilities, Volkswagen told the researchers in October 2017 that it was “not going to publish a public statement.” Instead, VW said it was willing to review the researchers’ paper and check the facts. That review was completed in February 2018.

“In April 2018, right before the paper was released to the public, Volkswagen provided us with a letter that confirms the vulnerabilities and mentions that they have been fixed in a software update to the infotainment system. This means that cars produced since this update are not affected by the vulnerabilities we found.”

The researchers noted, “Based on our experience, it seems that cars which have been produced before are not automatically updated when being serviced at a dealer, thus are still vulnerable to the described attack.”

I encourage you to read their research paper, which delves into their attack strategy and technical system details, but it does not fully disclose the details of the remotely exploitable vulnerability because that, they believe, would be “irresponsible.”

The researchers said they want to protect future cars but ask, “What about the cars of today or cars that were shipped last week? They often don’t have the required capabilities (such as over-the-air updates) but will be on our roads for the next fifteen years. We believe they currently pose the real threat to their owners, having drive-by-wire technology in cars that are internet-connected without any way to reliably update the entire fleet at once.”

The hacked car models were from 2015, so if you have an Audi or Volkswagen, contact your dealer and ask about a software update.