Security researchers just revealed an interesting series of hacks through on-board systems of a Volkswagen and an Audi.
Let's dive right into the white hat thought process and what they wanted to accomplish at overseas automation and security company Computest.
"A modern car has many remote vectors, such as Bluetooth, TPMS and the key fob. But most vectors require that the attacker is in close proximity to the victim. However, for this research we specifically focused on attack vectors that could be triggered via the internet and without user interaction. Once we would have found such a vector, our goal was to see if we could use this vector to influence either driving behavior or other critical safety components in the car. In general, this would mean that we wanted to gain access to the high-speed CAN bus, which connects components like the brakes, steering wheel and the engine."
They decided to go with the internet attack vector since an increasing number of new cars come with on-board Wi-Fi. And they chose one Volkswagen model and one Audi model to probe and prod.
They tried several ways in and hit dead ends at first. Then, success.
"After further research, we found a service on the Golf with an exploitable vulnerability. Initially we could use this vulnerability to read arbitrary files from disk, but quickly could expand our possibilities into full remote code execution."
The researchers met with Volkswagen to reveal their findings, but are not telling the rest of us about the issue with IVI, or In-Vehicle-Infotainment.
"Because there is no mechanism to update this type of IVI remotely, we made the decision not to disclose the exact vulnerability we used to gain initial access. We think that giving full disclosure could put people at risk, while not adding much to this paper."
But the researchers did share their impressions of where cybersecurity stands with regards to today's connected cars. More needs to be done.
"The vulnerability we initially identified should have been found during a proper security test. During our meeting with Volkswagen, we had the impression that the reported vulnerability and especially our approach was still unknown. We understood in our meeting with Volkswagen that, despite it being used in tens of millions of vehicles world-wide, this specific IVI system did not undergo a formal security test and the vulnerability was still unknown to them."
Read the "The Connected Car" research report for yourself.
[Note: Score a win for the white hats. VW told researchers that the vulnerability was fixed in new cars, starting with those produced April 2018 and later.]
