Volkswagen, Audi Cars Vulnerable To Remote Hacking (bleepingcomputer.com)
An anonymous reader writes: "A Dutch cyber-security firm has discovered that in-vehicle infotainment (IVI) systems deployed with some car models from the Volkswagen Group are vulnerable to remote hacking," reports Bleeping Computer. The vulnerabilities have been successfully tested and verified on Volkswagen Golf GTE and Audi A3 Sportback e-tron models. Researchers say they were able to hack the cars via both WiFi (remote vector) and USB (local vector) connections. Researchers hinted they could have also gone after the cars' braking and acceleration system, but stopped due to fear of breaking VW's intellectual property on those systems.
"Under certain conditions attackers could listen in to conversations the driver is conducting via a car kit, turn the microphone on and off, as well as gaining access to the complete address book and the conversation history," Computest researchers said in their paper. "Furthermore, due to the vulnerability, there is the possibility of discovering through the navigation system precisely where the driver has been, and to follow the car live wherever it is at any given time," researchers added. VW deployed patches.
The brake system is pretty well secured from the infotainment system, exactly because infotainment systems are often not 100% secure.
Actually, critical systems like brakes are on a separate CAN bus than the normal crap to prevent a DoS attack from making you crash. However, both CAN busses are connected to the ECU. Hacking an ECU via CAN bus isn't a new trick.
They could have tried to go after the brake system, but I doubt they would have been successful.
They aren't blackhats, so attacking the ECU was never their objective. Instead, they successfully demonstrated significant vulnerabilities in the wireless systems which could enable remote attacks.
Anons need not reply. Questions end with a question mark.