Researchers were able to live-track drivers, listen to phone calls, and view data.
An auto entertainment system installed in some Volkswagen vehicles was exploited to enable remote code execution (RCE), allowing hackers to track drivers, listen to phone calls, and access data.
The vulnerability was discovered by researchers at Computest, who were able to access the system via the vehicles’ WiFi connection.
They tested Volkswagen’s Golf GTE and an Audi A3 Sportback e-tron, both of which were made in 2015 and run various versions of Hardman International entertainment software.
Researchers were aiming to influence driving behavior or other critical safety components using an attack carried out via the internet and without user interaction.
They were able to perform RCE on the vehicles via a WiFi hotspot, though this did require an attacker to be within close proximity of the car.
And the results were alarming – the team successfully accessed the microphone, allowing them to listen in to hands-free calls, and the navigation system, which allowed them to view previous locations and even live-track the drivers’ movements.
Call logs, address books, and other data were also exposed.
Although this wasn’t necessarily a security issue or safety hazard, which the original investigation was aiming to uncover, the findings did spark serious privacy concerns.
A report by the Dutch security firm read: “They gained remote access to the system, meaning that the privacy of drivers could seriously be damaged.
“Under certain conditions, attackers could listen in to conversations the driver is conducting via a car kit, turn the microphone on and off, as well as gaining access to the complete address book and the conversation history.
“Furthermore, due to the vulnerability, there is the possibility of discovering through the navigation system precisely where the driver has been, and to follow the car live wherever it is at any given time.”
Researchers could have also gained access to a connected system, which controls the brakes and acceleration, but stopped before their investigation went further as they didn’t have permission.
Daan Keuper, of Computest, said the lack of software updates on older models connected to the internet could be to blame.
He said: “The biggest problem is mainly rooted in the systems in cars that have already been on the market for a number of years. That software is rarely updated.
“This means that the systems are almost always insufficiently protected. When you consider that a car has an average lifespan of 18 years, then that leaves a good few years during which attackers can make use this possibility.”
Volkwagen has patched the issue, it confirmed.
Computest also listed a number of recommendations for consumers about how to be security conscious when buying a WiFi-enabled vehicle.
The report read: “Become informed: ask about quality and security standards of the car you are looking into as much as you do for aspects like crash tests.
“Specifically ask about the remote maintenance possibilities and how long the manufacturer would maintain the software used in the car (support period).
“If you want to protect yourself against remote threats, please ask your dealer to install updates during their normal service schedule.
“Keep the software in your car up to date where you have the possibility. This does not only apply to cars, but to all IoT devices such as baby monitors, smart TVs and home automation.”