Hackers could gain control of systems in Volkswagen connected cars through vulnerabilities in the in-vehicle infotainment systems, researchers at Computest have discovered.
The vulnerabilities in the connected cars—2015 Volkswagen Golf GTE and Audi A3 e-tron—cannot be fixed remotely. Owners must bring their vehicles into the dealer to get the firmware upgrade. This means owners will continue to be vulnerable to the attack until they bring their cars in.
The researchers, Daan Keuper and Thijs Alkemade, exploited vulnerabilities in the infotainment system manufactured by Harman. They were then able to gain control of the central screen, speakers, and microphone. “This is a level of access that no attacker should be able to achieve,” the researchers opined.
At the same time, the researchers said that they were not able to directly affect driving behavior or any safety systems because of the controller area network (CAN) gateway.
“A remote adversary is new territory for most industrial component manufacturers, which, to be mitigated effectively, requires embedding security in the software development lifecycle,” they observed.
“This is easier in an environment with automatic testing, continuous deployment and possibility to quickly apply updates after release. This is not always possible in the hardware industry, due to local regulations and the ecosystem. It often requires coordination between many vendors. But, if we want to protect future cars, these are problems we have to solve,” they concluded.