Slashdot Mirror


Volkswagen, Audi Cars Vulnerable To Remote Hacking (bleepingcomputer.com)

An anonymous reader writes: "A Dutch cyber-security firm has discovered that in-vehicle infotainment (IVI) systems deployed with some car models from the Volkswagen Group are vulnerable to remote hacking," reports Bleeping Computer. The vulnerabilities have been successfully tested and verified on Volkswagen Golf GTE and Audi A3 Sportback e-tron models. Researchers say they were able to hack the cars via both WiFi (remote vector) and USB (local vector) connections. Researchers hinted they could have also went after the cars' braking and acceleration system, but stopped due to fear of breaking VW's intellectual property on those systems.

"Under certain conditions attackers could listen in to conversations the driver is conducting via a car kit, turn the microphone on and off, as well as gaining access to the complete address book and the conversation history," Computest researchers said in their paper. "Furthermore, due to the vulnerability, there is the possibility of discovering through the navigation system precisely where the driver has been, and to follow the car live wherever it is at any given time," researchers added. VW deployed patches.

11 of 75 comments

  1. They could? They could have tried by Zorpheus · · Score: 2

    The brake system is pretty well secured from the infotainment system, exactly because infotainment systems are often not 100% secure.
    They could have tried to go after the brake system, but I doubt they would have been successful.

    1. Re:They could? They could have tried by Zorpheus · · Score: 2

      So the headline is sensational rubbish btw.

    2. Re:They could? They could have tried by Gravis+Zero · · Score: 3, Interesting

      The brake system is pretty well secured from the infotainment system, exactly because infotainment systems are often not 100% secure.

      Actually, critical systems like brakes are on a separate CAN bus than the normal crap to prevent a DoS attack from making you crash. However, both CAN busses are connected to the ECU. Hacking an ECU via CAN bus isn't a new trick.

      They could have tried to go after the brake system, but I doubt they would have been successful.

      They aren't blackhats, so attacking the ECU was never their objective. Instead, they successfully demonstrated significant vulnerabilities in the wireless systems which could enable remote attacks.

      --
      Anons need not reply. Questions end with a question mark.
  2. Re:The address book? TF? by LynnwoodRooster · · Score: 2

    I do just that - but I do NOT need to share my address book and other stuff with my car. Just pair via Bluetooth so I can use the car's microphone and speakers during calls. Nothing else needs to be exchanged to make it work.

    --
    Browsing at +1 - no ACs, I ignore their posts. So refreshing!
  3. Shielded from harm by Waffle+Iron · · Score: 4, Funny

    Researchers hinted they could have also went after the cars' braking and acceleration system, but stopped due to fear of breaking VW's intellectual property on those systems.

    This is yet another example of how strong IP laws can help to protect a nation's citizens from evildoers.

  4. Re:Is this still QNX/Blackberry? by jrumney · · Score: 2

    QNX is an operating system. It may provide the fundamentals required to secure the system, but it doesn't magically make the software running on top of it secure.

    But nothing that they accomplished supports the outlandish claim that they could have messed with the brakes, "but stopped due to fear of breaking VW's intellectual property on those systems." If they reverse engineered the Wifi and USB protocols for controlling the unit, they have likely "broken VW's intellectual property" already, but accessing data that is normally under control of the infotainment system proves nothing about how secure the safety systems of the car are against remote attack.

  5. Re:Is this still QNX/Blackberry? by b0s0z0ku · · Score: 2

    Cell connection, IPv6, encrypted direct connection to your phone. No "clown" intermediate required if done right.

    Not that you should be idling for 10-15 minutes before driving off. Waste of fuel, probably a fire and CO hazard. Seat heaters warm up very quickly -- no need to "pre-warm" the car, and if you can't handle 5 minutes of 0 degree air temps, you're a weakling, sorry to say.

  6. Re:The address book? TF? by Anne+Thwacks · · Score: 2

    It's catch-22: if he wants a camera pointed at him, he IS mentally impaired.

    --
    Sent from my ASR33 using ASCII
  7. "they could have also went after" by Anonymous Coward · · Score: 2, Insightful

    "they could have also GONE after", I think you'll find...

  8. Re:Is this still QNX/Blackberry? by mjwx · · Score: 2

    VW products generally have separate (knob) HVAC controls, not the integrated junk that many other manufacturers have stuck their customers with.

    As do BMWs, Toyotas, Mercedes, Hondas, Jaguars (that is pronounced Jag-U-ar, if we called it Jagwar, we'd spell it that way), in fact most new cars retain physical knobs, switches and buttons for the HVAC, Radio and other things you use on the move. Most British, Asian and German manufacturers do, it's only the Americans who think different (OK, I haven't driven a new French car and frankly, never plan to). Journalists call this a "dated interior" though.

    Only crappy manufacturers have swallowed the touchscreen hype and moved these functions behind them, the sad part is auto journalists are all too happy to fellate anyone doing this. On my 2 series the touchscreen was an option (which I didn't pay for), if it had been mandatory I would have walked out of the dealer (I almost did after feeling how lifeless an automatic M240i was, fortunately I bought a manual and it's a completely different car).

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.
  9. Re:Is this still QNX/Blackberry? by clodney · · Score: 4, Insightful

    Other than a feed of +12V, a signal line from the steering wheel controls, ground, and maybe a data signal from a rear-view camera, why does the "infotainment" system need to talk to the rest of the car at all?

    The most pragmatic reason is that wiring harnesses in cars are complex and expensive, and replacing a bunch of point to point wires with a data bus makes the car cheaper and easier to build. And once you have everything connected to a data bus, why not put the UI for many of those items on the thing with the biggest display and most available controls, like the infotainment system.

    And my car has lots of settings that you may not think are worthwhile, but that I appreciate. Like to unlock all 4 doors when I touch the door handle, and to fold in the mirrors when I park. Things that may not be everyone's preference, but I like my bells and whistles.

    My car has multiple cameras, and when the car is in reverse it shows me the rear view camera - so it needs to know transmission indicators. And it automatically turns off the cameras when I reach a certain forward speed, so it needs to know the speedometer reading. And since it has no physical gauges on the dash, the whole driver display is nothing but an LCD screen, so it needs to know speed, RPM, gas gauge, temperature, cruise control settings, etc.

    Maybe not to your taste, but definitely to mine.