Volkswagen, Audi Cars Vulnerable To Remote Hacking

An anonymous reader writes: "A Dutch cyber-security firm has discovered that in-vehicle infotainment (IVI) systems deployed with some car models from the Volkswagen Group are vulnerable to remote hacking," reports Bleeping Computer. The vulnerabilities have been successfully tested and verified on Volkswagen Golf GTE and Audi A3 Sportback e-tron models. Researchers say they were able to hack the cars via both WiFi (remote vector) and USB (local vector) connections. Researchers hinted they could have also went after the cars' braking and acceleration system, but stopped due to fear of breaking VW's intellectual property on those systems.

"Under certain conditions attackers could listen in to conversations the driver is conducting via a car kit, turn the microphone on and off, as well as gaining access to the complete address book and the conversation history," Computest researchers said in their paper. "Furthermore, due to the vulnerability, there is the possibility of discovering through the navigation system precisely where the driver has been, and to follow the car live wherever it is at any given time," researchers added. VW deployed patches.

Is this still QNX/Blackberry?

Those infotainment systems were once made by QNX under Harman Becker, now owned by Blackberry. I bet they're still doing them. This is actually surprising to me, as QNX is known for better work than that. If these car companies switched to a different dashboard maker, QNX should jump in at the marketing opportunity.

Re:Is this still QNX/Blackberry?

[b0s0z0ku]

Other than a feed of +12V, a signal line from the steering wheel controls, ground, and maybe a data signal from a rear-view camera, why does the "infotainment" system need to talk to the rest of the car at all?

Re:Is this still QNX/Blackberry?

[ELCouz]

HVAC controls and stuff... never been in a recent car lately eh?

Re:Is this still QNX/Blackberry?

[b0s0z0ku]

VW products generally have separate (knob) HVAC controls, not the integrated junk that many other manufactures have stuck their customers with.

I've been in new cars -- driving them has mostly made me want to beat the hell out of some of the people that engineered them.

Re: Is this still QNX/Blackberry?

At least in my eGolf, because the âoeinfotainmentâ system is more of a cr control hub. It controls charge rates, maximum discharge rates, engine modes, (I imagine in some Audis suspension modes), etc

The system is a UI for the whole car, not just controlling the radio and media inputs.

Re:Is this still QNX/Blackberry?

The QNX systems themselves are just fine. Volkswagen/Audi just deployed them with root:root credentials because they're lazy.

Re:Is this still QNX/Blackberry?

I mean, it's not just a radio anymore. It needs to read data like the car's temperature, light intensity (so it knows to flip the display to 'night mode'), the GPS needs to feed data to the secondary display next to your speedo. In my vehicle, I can GPS locate/lock/unlock/remote start it from an iPhone app. HVAC controls. Changing vehicle settings via the display (e.g. priority locking setting, do doors unlock when parked, chime volume, etc). Everything is integrated these days.

So uh yeah your oversimplification of how an infotainment system should work is way off.

Re:Is this still QNX/Blackberry?

[b0s0z0ku]

Most of which is useless crap that doesn't belong in a car. iPhone app to start/unlock the car? Fuck that idea with a jackhammer. That means that the car and iPhone likely talk through the auto company's servers, and the car company can track, unlock, and disable the car 24/7. Yuck.

GPS is pointless in 2018 since talking phones do a better job than most car GPS units.

Re:Is this still QNX/Blackberry?

My car (Ford) has both - the touchscreen on the radio & the traditional knobs. The two are linked via the data bus.

Re:Is this still QNX/Blackberry?

iPhone app to start/unlock the car? Fuck that idea with a jackhammer. That means that the car and iPhone likely talk through the auto company's servers, and the car company can track, unlock, and disable the car 24/7. Yuck.

It sure does. But you know what, I don't really care. Because it's 2018 and something's gotta give when it comes to advancing technology. I mean, the car still has a key and all for usual use.

I work in a large office building and when it's freeze-your-balls-off 0 degrees outside, I'd like to be able to pull out my phone whilst in the office on Wi-Fi (mind you, out of range of *any* key fob remote in existence) 10-15 minutes before I leave, remote start the car (which will fire up the heaters and seat warmers).

How else do you propose that would work? Connect to my car via two tin cans and a string? The string would be mighty long tracking all the way to my desk in the building.

But hey, you do you, pal. Stick to an older model car if you want to remain off the grid. I like having a warm ass in the winter.

Re:Is this still QNX/Blackberry?

[jrumney]

QNX is an operating system. It may provide the fundamentals required to secure the system, but it doesn't magically make the software running on top of it secure.

But nothing that they accomplished supports the outlandish claim that they could have messed with the brakes, "but stopped due to fear of breaking VWs intellectual property on those systems." If they reverse engineered the the Wifi and USB protocols for controlling the unit, they have likely "broken VWs intellectual property" already, but accessing data that is normally under control of the infotainment system proves nothing about how secure the safety systems of the car are against remote attack.

Re:Is this still QNX/Blackberry?

[b0s0z0ku]

Cell connection, IPv6, encrypted direct connection to your phone. No "clown" intermediate required if done right.

Not that you should be idling for 10-15 minutes before driving off. Waste of fuel, probably a fire and CO hazard. Seat heaters warm up very quickly -- no need to "pre-warm" the car, and if you can't handle 5 minutes of 0 degree air temps, you're a weakling, sorry to say.

Re:Is this still QNX/Blackberry?

Other than a feed of +12V, a signal line from the steering wheel controls, ground, and maybe a data signal from a rear-view camera, why does the "infotainment" system need to talk to the rest of the car at all?

they don't... modern cars are just designed by morons... thats all...

Re:Is this still QNX/Blackberry?

[CaffeinatedBacon]

Will the engine even start by remote? In the Audi's I've seen, even pushing the start button wont start the engine if you don't also put your foot on the brake. It just turns on the accessories.

Re:Is this still QNX/Blackberry?

[phantomfive]

the outlandish claim that they could have messed with the brakes, "but stopped due to fear of breaking VWs intellectual property on those systems."

Yeah that's the nonsense quote of the week.

Re:Is this still QNX/Blackberry?

[Anne+Thwacks]

I assure you that the black hats are mighty worried about the GDPR at the moment, and are far to distracted to mess with VW's intellectual property.

Meanwhile, I will continue to use my mechanically injected diesel - plenty of black smoke and no NOx.

Re:Is this still QNX/Blackberry?

[Zorpheus]

The access of the infotainment system to other parts of the car is very restricted. It is absolutely not unexpected that someone breaks into the infotainment system, but they should not get further from there. These researchers have not even tried, so this article is just sensational.

Re:Is this still QNX/Blackberry?

[phantomfive]

Black hats are worried about GDPR? Really? Why?

Re:Is this still QNX/Blackberry?

[thegarbz]

Why do you think it's called an "info" tainment instead of "entertainment" system? Because is displays a random wikipedia page on startup?

Re:Is this still QNX/Blackberry?

[froggyjojodaddy]

I don't know about Audi's but certainly in newer Fords you can remote start the car from a phone app. The car has some built in cellular service so it can communicate with the app as long as it is in coverage.

It's a gimmick - kinda. I've only used it once to remote start the car and turn on the air conditioning on a really hot day while I was still 10km away on the train travelling back to the train station. When I approached the car, it was clearly running and inside was nice and cool. However, there's also options within the car that allow you to 'pre-set' the climate control with timings so if you know you'll be back at the station for 5pm, you can pre-program the air-con to start at 4:30pm, thereby negating the need for an app to remote start the car for you.

BTW, it's a hybrid so it was running off battery power during the remote start - wasn't just sitting there idling the gas engine.

Re:Is this still QNX/Blackberry?

Isn't that what the auxiliary heater is for? Letting a cold engine run idle for 10-15 minutes just to heat the car seems a bit pointless and wasteful. It's bad for the engine and bad for the environment.

Re:Is this still QNX/Blackberry?

[mjwx]

VW products generally have separate (knob) HVAC controls, not the integrated junk that many other manufactures have stuck their customers with.

As do BMWs, Toyotas, Mercedes, Hondas Jaguars (that is pronounced Jag-U-ar, if we called it Jagwar, we'd spell it that way), in fact most new cars retain physical knobs, switches and buttons for the HVAC, Radio and other things you use on the move. Most British, Asian and German manufacturers do, its only the Americans who think different (OK, I haven't driven a new French car and frankly, never plan to). Journalists call this a "dated interior" though.

Only crappy manufacturers have swallowed the touchscreen hype and moved these functions behind them, the sad part is auto journalists are all too happy to felate anyone doing this. On my 2 series the touchscreen was an option (which I didn't pay for), if it had of been mandatory I would have walked out of the dealer (I almost did after feeling how lifeless an automatic M240i was, fortunately I bought a manual and it's a completely different car).

Re:Is this still QNX/Blackberry?

[clodney]

Other than a feed of +12V, a signal line from the steering wheel controls, ground, and maybe a data signal from a rear-view camera, why does the "infotainment" system need to talk to the rest of the car at all?

The most pragmatic reason is that wiring harnesses in cars are complex and expensive, and replacing a bunch of point to point wires with a data bus makes the car cheaper and easier to build. And once you have everything connected to a data bus, why not put the UI for many of those items on the thing with the biggest display and most available controls, like the infotainment system.

And my car has lots of settings that you may not think are worthwhile, but that I appreciate. Like to unlock all 4 doors when I touch the door handle, and to fold in the mirrors when I park. Things that may not be everyone's preference, but I like my bells and whistles.

My car has multiple cameras, and when the car is in reverse it shows me the rear view camera - so it needs to know transmission indicators. And it automatically turns off the cameras when I reach a certain forward speed, so it needs to know the speedometer reading. And since it has no physical gauges on the dash, the whole driver display is nothing but an LCD screen, so it needs to know speed, RPM, gas gauge, temperature, cruise control settings, etc.

Maybe not to your taste, but definitely to mine.

Re:Is this still QNX/Blackberry?

[CaffeinatedBacon]

Ok thanks, that's certainly interesting. I wonder if it would still do that if it wasn't a hybrid running off the battery.

Re: Is this still QNX/Blackberry?

Thanks to your snobbery in regards to pronunciation Americans now pronounce Jaguar like "jaggy wire."

I can't even begin to tell you how much I hate you now.

Re: Is this still QNX/Blackberry?

If idling your car is a fire hazard you got bigger problems so why not shut the fuck up?

Re:Is this still QNX/Blackberry?

Snobbery drips off your comment pretty strongly, my friend. The car may have originated in England, but where did the English (I presume they are the aforementioned "we" in your reply) borrow that word from? It's a loan word from South America, likely Tupian, where it is NOT prounounced "Jag-U-ar". So, you may well ask yourself, "Why do I prounounce it that way?" You'll likely say something to the effect of, "Someone older than I am told me to." Let's leave it at that, shall we?

Re:Is this still QNX/Blackberry?

Have you ever been in 0 degree Fahrenheit weather?
That's about -18 Celsius.

No, that is not what the 'auxiliary heater' is for.
I assume you just mean the heater.
Because I have no idea what cars outside of Alaska and Siberia have 'auxiliary heaters'

I'm guessing you live some place so warm you almost never even turn on the heater in your car, and hence don't know that you don't actually get heat until your engine is warmed up.
That is something that at -18 Celsius can take more than 20 minutes.
Also, for the 20 minutes you will not be able to see the road as the inside of the windows will instantly frost over from your breath at that temperature.

Warming your car before you drive off is not a a nice thing to have in places that get below -18. It is needed to safely drive.

Re: Is this still QNX/Blackberry?

You gotta get to -32 F to be freezing.
-18 C is well below freezing.

Are you high?

Re: Is this still QNX/Blackberry?

[sound+vision]

Between your description of these bells and whistles and my time working at the car wash, I gather you drive a Chevy. I can confirm for you each bell and each whistle will be broken about the time of next year's model. Although I consider the temperature controls broken to begin with, even the physical ones they still use in some models. They simply don't measure up to old fashioned knobs in tactile feedback, speed, or precision of operation.

Re:Is this still QNX/Blackberry?

Having bells and whistles won't save you when your brakes or accelerator mysteriously go nuts. The "data bus" needs to be separated from a security standpoint from the entertainment units. A wiring loom is a few kilo's of copper for fucks sake in an entire typical automobile, how much saving on a luxury car do YOU want scrimped on when there could be 2 isolated data buses instead of just the one? Of course, having your mirrors close over security is always a valid fucking argument.

Re: Is this still QNX/Blackberry?

[mjwx]

Thanks to your snobbery in regards to pronunciation Americans now pronounce Jaguar like "jaggy wire."

I can't even begin to tell you how much I hate you now.

Good, let your hate teach you how to pronounce Jaguar properly.

I on the other hand with smirk with mild amusement and drink tea. Toodle pipsky.

The address book? TF?

"Under certain conditions attackers could listen in to conversations the driver is conducting via a car kit, turn the microphone on and off, as well as gaining access to the complete address book and the conversation history,"

Why in the fuck does the car have an "address book" or a microphone?

My 1999 Ford gets me around just fine without a microphone or an address book.

What's next? A video camera pointed at the driver so people can take selfies and live stream themselves while they drive around? An in-dash scrolling facebook update for the addicts?

Has the world gone totally crazy now?

Re:The address book? TF?

[jonwil]

Many people happen to like the fact that you can link your phone to your car via Bluetooth and then make completly hands-free phone calls.

Re:The address book? TF?

Many people like meth. Doesn't make it a good idea.

Hang up and drive.

They could? They could have tried

[Zorpheus]

The brake system is pretty well secured from the infotainment system, exactly because infotaintment systems are often not 100% secure.
They could have tried to go after the brake system, but I doubt they would have been successful.

Re:They could? They could have tried

[Zorpheus]

So the headline is sensational rubbish btw.

Re:They could? They could have tried

[Gravis+Zero]

The brake system is pretty well secured from the infotainment system, exactly because infotaintment systems are often not 100% secure.

Actually, critical systems like brakes are on a separate CAN bus than the normal crap to prevent a DoS attack from making you crash. However, both CAN busses are connected to the ECU. Hacking an ECU via CAN bus isn't a new trick.

They could have tried to go after the brake system, but I doubt they would have been successful.

They aren't blackhats, so attacking the ECU was never their objective. Instead, they successfully demonstrated significant vulnerabilities in the wireless systems which could enable remote attacks.

Re:They could? They could have tried

Nope, you've got it backwards.
There's nothing the Germans like more than making you come to them for any upgrades. BMW and their ilk run the CAN bus THROUGH the head unit. Unplug the head unit, the car won't run. Once you've p0wned the head unit you can put anything you want on the CAN bus and have some real fun.

Re:They could? They could have tried

Actually, critical systems like brakes are on a separate CAN bus than the normal crap to prevent a DoS attack from making you crash. However, both CAN busses are connected to the ECU. Hacking an ECU via CAN bus [illmatics.com] isn't a new trick.

On some cars there are gateways between the distinct CAN busses but often they don't do as much intelligent filtering as they should. It does depend on the vehicle since MOST and FlexRay are different enough from CAN that unless the engineers specifically poked a protocol hole so the Infotainment system can reach something like EPS it shouldn't matter.

I just bought a new car and was very frustrated since I didn't want any infotainment system at all. Or even an amplifier. I'm one of those rare people who find all music obnoxious and only want quiet in my vehicle. It seems you can't since the Infotainment modules are critical enough to the car that ordering a vehicle without them is not even technically possible for most makes and models.

It would be nice to find a place where people don't have music going all the time. I was in line at a bank today - someone was blasting music from his headphones loud enough that it bothered me. Sheesh. Enough with infotainment already!

Re:They could? They could have tried

Actually, critical systems like brakes are on a separate CAN bus than the normal crap to prevent a DoS attack from making you crash.

I guess FCAU missed that memo when designing modern Jeeps, https://tech.slashdot.org/stor...

Re:They could? They could have tried

[crimson+tsunami]

You are one of those even rarer people who can't press the off button. The market for people who can buy and drive a car but who can't turn off music must be vanishingly small. It's no wonder you couldn't find a vehicle manufacturer catering to your extremely small market niche.

Re:They could? They could have tried

[Zorpheus]

Of course there have been holes in the CAM bus separation of cars before, but they can't just assume that there is one. The entertainment system is not assumed to be safe, the CAN bus separation is. These guys have not achieved anything that is not planned for.

Re:They could? They could have tried

[Gravis+Zero]

The point wasn't to impress you by wrecking the car, it was the compromise the security of the car's computer network which is exactly what was done. Stop moving the goal posts.

Re:They could? They could have tried

[Zorpheus]

Who placed that goal post?

Re:They could? They could have tried

[Zorpheus]

It's just that I had extensive discussions in Germany years ago, where everyone agreed that Wifi on cars is a security risk,especially since these systems are rarely patched. And the conclusion was that it is not an issue because of the CAN bus separation, although there were some issues with that found and fixed. This was before this topic even came up here.

Re:They could? They could have tried

[nhtshot]

On some cars there are gateways between the distinct CAN busses but often they don't do as much intelligent filtering as they should.

I can only speak with authority for Ford and VW/Audi/Porsche cars. VW/Audi/Porsche most certainly have one of these gateways between the can busses and it's quite good. In this case, we're talking about powertrain can and convenience can. The only messages allowed to pass between those are status updates from the ECU to convenience (engine RPM, temperatures, etc.. for the instrument cluster and some radios that can display vehicle stats), setting change messages from the radio to the body control module and ECU/TCU (sport/eco mode) and cruise control messages from the steering wheel controls.

No other messages will pass the gateway between those two busses.

So, the best they could have achieved if they completely own3d the infotainment system would be to possibly adjust the cruise control settings. Even that is speculative because I believe the steering wheel controls are now on a separate lin bus, which would eliminate that vector. They couldn't affect the brakes. They probably could switch between eco and sport modes or adjust the ride height on the higher end Audi's that have airbags. They might also be able to get the windshield wipers into service mode (they move to the top of their stroke and stop there).

So, ya, I think the headline is click baity. Also, "we didn't want to violate VWs IP" is a crock, by their definition of that, they did it already when they violated the radio to find the exploit. I would wager that they tried to do more but failed and CTA with this statement.

Re:They could? They could have tried

[Gravis+Zero]

the people who wrote the paper. try reading it.

Smart cars are not so smart

A car is supposed to be a vehicle. Adding computers, satellite links, networks, automated control to the whole thing adds a whole lot more failure modes.

Re:Smart cars are not so smart

[b0s0z0ku]

Of course, but automakers want to jump in on the whole "cloud" trend. If they know where their cars are, they can target marketing at consumers or even sell consumers' location data. Or "help them in case of an accident", though that doesn't actually need info about location until after the accident happens.

Re:The address book? TF?

[b0s0z0ku]

Doesn't need an address book if the interface is properly designed. It should just pass a command: "call John Smith" or "call 202-555-1212" to the phone itself. No need to save any data in the car itself.

Re:The address book? TF?

[LynnwoodRooster]

I do just that - but I do NOT need to share my address book and other stuff with my car. Just pair versus Bluetooth so I can use the car's microphone and speakers during calls. Nothing else needs to be exchanged to make it work.

Re:The address book? TF?

[haruchai]

"A video camera pointed at the driver so people can take selfies and live stream themselves while they drive around?"

The car's AI may also use such a camera to detect if the driver is conscious, alert or impaired

Shielded from harm

[Waffle+Iron]

Researchers hinted they could have also went after the cars' braking and acceleration system, but stopped due to fear of breaking VW's intellectual property on those systems.

This is yet another example of how strong IP laws can help to protect a nations' citizens from evildoers.

Re:Shielded from harm

Researchers hinted they could have also went after the cars' braking and acceleration system, but stopped due to fear of breaking VW's intellectual property on those systems.

This is yet another example of how strong IP laws can help to protect a nations' citizens from evildoers.

I'm not sure if your being sarcastic or not.
the Researchers are not "Evildoers" and stopped so they would not be sued.
"Evildoers" wouldn't care about strong IP laws.

Re:Shielded from harm

That would be the point, no?

In other news: BeauHD also on the poser bandwagon. Posting breathless crap is still not a viable route to being a "hacker", but at least he can now keep msmash company.

Re: Shielded from harm

In other words: they tried, failed then blamed on intelectual property.

Re:Shielded from harm

[mjwx]

Researchers hinted they could have also went after the cars' braking and acceleration system, but stopped due to fear of breaking VW's intellectual property on those systems.

This is yet another example of how strong IP laws can help to protect a nations' citizens from evildoers.

Yes, hardened criminals intent on stealing your car will be stopped dead in their tracks by our onerous IP laws. Score one for the good guys.

Re:The address book? TF?

"Under certain conditions attackers could listen in to conversations the driver is conducting via a car kit, turn the microphone on and off, as well as gaining access to the complete address book and the conversation history,"

Why in the fuck does the car have an "address book" or a microphone?

My 1999 Ford gets me around just fine without a microphone or an address book.

What's next? A video camera pointed at the driver so people can take selfies and live stream themselves while they drive around? An in-dash scrolling facebook update for the addicts?

Has the world gone totally crazy now?

Subaru will/does offer a "feature" that where a camera watch your face to see if you get drowsy while driving.

Re:The address book? TF?

I suppose that could be alright IF it was not connected to any extra-vehicular connectivity. However that is never how these things appear to go in the end...

USB

[crimson+tsunami]

If you are plugging in a USB you probably know exactly where the car is already, also you would have a general idea if it's in WiFi range.

Re:USB

[sinij]

WiFi range is a big deal. This could be anyone in an unmarked van 30 meters (or more if they use directional antenna) in front of you on a busy highway that could potentially force your car to slam on the brakes just as you entering a corner, forcing a skid and a general life-threatening wreck.

Re:USB

[crimson+tsunami]

Yes, I agree. All those bad things are very bad. (If true, they didn't try the brakes). But 'being able to tell where the car is' was specifically highlighted in the summary, that's clearly not in the same league.

Re:USB

[sinij]

Expecting journalists to accurately report on technology-intensive topics was empirically shown to be unreasonable.

As Charlie Miller and Chris Valasek showed with their work culminating in sensational remote hacking of a Jeep Cherokee driven by a volunteering journalist, the key issue is that hackable infotainment units are capable of impacting other systems on the car's CAN bus. See Remote Exploitation of an Unaltered Passenger Vehicle for details.

That was a known issue in 2015. There is simply no excuses to still make the same mistakes in 2018. This is not unlike releasing a protocol library that is still vulnerable to Logjam.

But could you hack them

[Chrisq]

.. to make them emissions compliant?

Re:The address book? TF?

[Anne+Thwacks]

Its catch 22: if he wants a camera pointed at him, he IS mentally impaired.

"they could have also went after"

"they could have also GONE after", I think you'll find...

Head unit a real problem

I find these head units control too much of the car. Its like your combining infotainment with critical functions of the vehicle just to save money. Even beyond this hacking issues, these head units will only cause more headaches for these vehicles in the used car market for their owners. After all the support has expired and fixing them will definitely be a problem.

GPS Tracking

Furthermore, due to the vulnerability, there is the possibility of discovering through the navigation system precisely where the driver has been, and to follow the car live wherever it is at any given time

Actually, I installed an Android stereo in my old Porsche exactly for that reason. It is one of several security measures that were added. If you successfully steal my car, I will know exactly where it is simply by going to my Google Dashboard.

Also, know that there is no communication between the stereo and the ECU. That is a huge mistake that manufacturers are making.

did you reply to the wrong post?

[crimson+tsunami]

That's all well and good. But it's not what happened here. And has nothing to do with what I mentioned. Specifically sensationalizing things in the summary that are not that a big of a deal.
Is it possibly because they didn't have an actual big deal, but still desperately needed people to read their report?

Re:The address book? TF?

That's fine for incoming calls. The address book lets you dial out using the car's interface (dashboard display + steering wheel controls).

Make a Generic IVI Console Standard

I wish one car company would just make a generic interface in the dashboard where I can purchase and install the in-vehicle infotainment console of my choice. I can then choose between multiple 3rd party computers and OS vendors. And upgrade it in the future. Instead they all want to lock us into their system which they are not interested in supporting long-term.

No thruth in engineering

Surprise surprise can we get back to cars designed to be driven not a phone booth, video booth Internet cafe on wheels

Re:The address book? TF?

[LynnwoodRooster]

I just dial by voice... Works really well!