Cybersecurity and the Infotainment System of Your Vehicle

As technology advances, there are more opportunities for vulnerabilities to be researched and

published. These continue to abound throughout the industries using these technologies. With

computer chips, there have been the Spectre and other vulnerabilities, and smart phones, Rowhammer

and many others for the different platforms. Vehicles have the same issues, as these are much of the

same equipment. There may not be as many issues published, however there are still critical issues with

these.

These issues, if properly executed, have the overt, direct potential to compromise a vehicle. This

could have a rather immediate and drastic effect. Two examples having expansive effects would be

locking up the brakes while on the expressway or diverting the vehicle to make an 85 degree turn in rush

hour while travelling 70 mph on the way to work.

These vulnerabilities, when published, creates quite a buzz. With the amount of press these

historically has been with each vulnerability, and pertinence these machines play in our life and culture,

the focus is only going to grow in attention and depth of importance.

This coupled with the exponential advances in autonomous drive (AD) and connected vehicles

(CV), the connected and autonomous vehicles (CAV) market and vehicle offerings is growing and

providing more of a product base to test and more modules to fail.

Infotainment Hacking

The latest subject vulnerability involves the infotainment system with two VW and Audi

vehicles. The infotainment system has been defined as the hardware and software functional modules

located in the vehicle, which provides entertainment to the occupants. This is recognized by most

consumers by the tv screen/monitor in their vehicle’s dash. Using this module, the consumers are able

to access the internet, listen to their music selection, call other parties, review maps, and many other

options This system, while exceptional, also has in the past and present, provided access points and

vulnerabilities.

These issues generally are not easy to fix due to the complexities in the modules, the millions of

lines of code (LoC), and more to the point, bringing the many groups together to analyze, review, and

mitigate the issue.

For the subject test, the module was tested by the Dutch cybersecurity firm Computest. As the

infotainment system was the focal point, the researchers, Daan Keuper and Thijs Alkemade, tested the

2015 Volkswagen Golf GTE and Audi A3 e-tron.

It is notable that the researchers were responsible with their testing and research publication

process. The test was successful in the researchers noted vulnerabilities and were able to execute the

exploit. The researchers did not fully disclose their process or finding. With this vulnerability, the issue

has to be corrected at the dealership. As this is not able to be fixed with a firmware-over-the-air (FOTA)

update, this will take time to implement through the fleet. For the researchers to publish the details of

the attack prior to allowing the auto manufacturers adequate to fix this, may have put people in harm’s

way.

Report

The research report itself is freely available online. The link is noted in the resources section

Compliments are due to the researchers at Computest. This was well-thought through and organized.

The report was presented with a sufficient amount of technical jargon, while still being perfectly

digestable by others not in the same sub-industry. The steps used in the report also were laid-out.

The report had a single question to be researched and answered. This was, from page 8 of the

report, “Can we influence the driving behavior or critical security systems of a car via an internet attack

vector””

The short answer was Yes.

Research – Subject Hardware (HW)

As noted, the focus was on the infotainment system for the vehicle. As for the hardware, this

module used a system manufactured by Harman and is known as the Modular Infotainment platform

(MIB). The tested hardware was the version 2.

Research Process

With any product testing, it is best to know what the subject product or module has to offer.

The more data and information, the better as it provides more for the researcher to work with.

The initial and basic step was completed with a basic port scan on the VW module. This scan

found several ports open, including the telnet port In particular, port 49152 was open and used a UPnP

service, which used the Plutino Soft Platinum UpNp. This is an open source app, and happened to be

used with the Audi A3 2015 model year.

As this curiosity was noted, the Audi was also scanned. This model only had two ports open. One

of these was 49152 with the same service running. In this particular section of the trust, no exploit was

noted with the limited testing that was completed.

As the testing continued, the researchers found a vulnerability to exploit. This allowed

researchers to read files from the disk and achieve the researcher’s end goal of a remote code execution

This allowed for a plethora of other tests and attacks. In short, the researchers got root. With these, the

attackers would also be able to toggle on or off the microphone in the vehicle, review the address book,

and history of the conversations. This was not fully disclosed due to safety issues. This was

acknowledged however by VW.

The researchers also analyzed the Renasas V850 chip. This is connected to the CANBus with a

serial connector. This manages the CAN communication for the vehicle. The researchers did not test

this, however, theorized, with a firmware image, which is not easy to find and secure a backdoor could

be placed into the modified firmware, and reflash the image.

But wait, there’s more…

The research report noted several instances of potential vulnerabilities to be tested. These and

others were not tested. The researchers had the opportunity to research and document, however

stopped.

As they did gain root, a number of these other tests were available to do. An example of this

involves the infotainment system. This is indirectly connected to the vehicle acceleration and braking

modules, which are targets.

The researchers ended up ceasing their efforts due to the testing itself. This testing could have

involved VW’s intellectual property. The researchers, with continuing the research and testing, may

have found themselves working through legal ramifications.

Resources

Cimpanu, C. (2018, April 30). Volkswagen and audi cars vulnerable to remote hacking. Retrieved from

https://www.bleepingcomputer.com/news/security/volkswagen-and-audi-cars-vulnerable-to-remote-

hacking

Computest. (2018). The connected car: Ways to get unauthorized access and potential implications.

Retrieved from http://www.computest.nl/wp-content/uploads/2018/04/connected-car-rapport.pdf

Dunn, J.E. (2018, May 2). Volkswagen and audi car infotainment systems hacked remotely. Retrieved

from https://nakedsecurity.sophos.com/2018/05/02/volkswagen-and-audi-car-infotainment-systems-

hacked-remotely/

Information Security Newsletter. (2018, May 1). With this vulnerability you can remotely hack

Volkswagen and audi cars. Retrieved from

http://www.securitynewspaper.com/2018/05/01/vulnerability-can-remotely-hack-volkswagen-audi-

cars/

McGlaun, S. (2018, May 1). VW and audi cars have infotainment systems vulnerable to remote hacking.

Retrieved from https://www.slashgear.com/vw-and-audi-cars-have-infotainment-systems-vulnerable-

to-remote-hacking-01529071/

Smith. (2018, May 1). Car hackers find remotely exploitable vulnerabilities in volkswagen and audi

vehicles. Retrieved from https://www.csoonline.com/article/3269299/security/car-hackers-find-remote-

exploitable-vulnerabilities-in-volkswagen-and-audi-vehicles.html

Sussman, B. (2018, May 1). Research: VW and audi cards hacked through infotainment system.

Retrieved from https://www.secureworldexpo.com/industry-news/research-vw-and-audi-cars-hacked-

through-infotainment-system

Tung, L. (2018, May 1). VW-audi security: Multiple infotainment flaws could give attackers remote

access. Retrieved from https://www.zdnet.com/article/vw-audi-security-multiple-infotainment-flaws-

could-give-attackers-remote-access/

Wood, D.A. (2018, May 1). Volkswagen and audi vehicles remotely hacked. Retrieved from

https://www.carcomplaints.com/news/2018/volkswagen-audi-vehicles-remotely-hacked.shtml

About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.

Featured Posts
Posts are coming soon
Stay tuned...
Recent Posts