Security researchers have discovered multiple vulnerabilities in the infotainment modules used in some Skoda cars that could allow malicious actors to operate certain controls remotely and track the cars’ location in real time.
PCAutomotive, a cybersecurity company specializing in the automotive sector, revealed 12 new vulnerabilities affecting the latest Skoda Superb III sedan model at Black Hat Europe this week. This comes one year after the organization revealed 9 other vulnerabilities affecting the same model. Skoda is a car brand owned by the German car giant Volkswagen.
The vulnerabilities could be chained together and exploited by hackers to inject malware into the car, Danila Parnishchev, head of security assessment at PCAutomotive, told TechCrunch. An attacker would need to connect to the Skoda Superb III’s media unit via Bluetooth to exploit the flaws, Parnishchev said, but he noted that “the attack could be carried out 10 meters away without authentication.”
The vulnerabilities, discovered in the car’s MIB3 infotainment unit, could allow attackers to gain unrestricted code execution and run malicious code every time the unit starts. This could allow an attacker to obtain live GPS coordinates and speed data, record conversations via the in-car microphone, take screenshots of the infotainment screen and play random sounds in the car, according to PCAutomotive.
Parnishchev told TechCrunch that the flaws, which PCAutomotive verified itself on the Superb III, also allow an attacker to compromise a car owner’s phone contact database if the owner has enabled contact syncing with the car.
“Phones are usually encrypted, so you can’t easily extract the contact database,” Parnishchev said. “In the case of the infotainment unit, you can – the contact database is stored in plain text.”
Parnishchev noted that the researchers had not found a way to bypass the network gateway restrictions inside the car to access safety-critical vehicle controls such as the steering wheel, brakes and accelerator.
In research shared with TechCrunch ahead of its publication on Thursday, PCAutomotive noted that vulnerable MIB3 modules are used in several Volkswagen and Skoda models and, based on public sales data, estimated that potentially more than 1.4 million vehicles are at risk.
However, Parnishchev said the number of vehicles at risk could be much higher if one takes into account the aftermarket components market. “If you go to eBay and look for the part number, you will find it,” he explained. “If it was the case that the previous user had not deleted it, their contact database would be there as well.”
PCAutomotive said Volkswagen patched the vulnerabilities after they were reported through the company’s cybersecurity detection program.
In an emailed statement to TechCrunch, Skoda spokesman Tom Drechsler said: “The reported vulnerabilities in the infotainment system have been addressed and eliminated through continuous improvement management across our product lifecycle. At no time was there any risk to the safety of our customers or vehicles.”