A Dutch cybersecurity company found that the in-vehicle infotainment (IVI) system deployed in some Volkswagen Group models is vulnerable to remote hacking.
Computest’s security researchers Daan Keuper and Thijs Alkemade stated that they successfully validated their findings on Volkswagen Golf GTE and Audi A3 Sportback e-Tron models (Audi is a brand of the Volkswagen Group). The researchers used a car’s WiFi connection to exploit an exposed interface and gain access to the car’s IVI, which is made by electronics supplier Harman. They were also able to access the IVI system’s root account, which gave them access to other car data. In some cases, an attacker can listen in on conversations the driver is conducting via the car kit, turn the microphone on and off, and access the full address book and conversation history.
In a press release, the researchers warned:
“Under certain conditions, attackers could listen in to conversations the driver is conducting via a car kit, turn the microphone on and off, as well as gaining access to the complete address book and the conversation history. Furthermore, due to the vulnerability, there is the possibility of discovering through the navigation system precisely where the driver has been and to follow the car live wherever it is at any given time.”
“We can remotely compromise the MIB IVI system and from there send arbitrary CAN messages on the IVI CAN bus. As a result, we can control the central screen, speakers, and microphone. This is a level of access that no attacker should be able to achieve.”
The researchers have published their research paper; you can read it here.