Cybersecurity and the Infotainment System of Your Vehicle
As technology advances, there are more opportunities for vulnerabilities to be researched and
published. These continue to abound throughout the industries using these technologies. With
computer chips, there have been the Spectre and other vulnerabilities, and smart phones, Rowhammer
and many others for the different platforms. Vehicles have the same issues, as these are much of the
same equipment. There may not be as many issues published, however there are still critical issues with
these.
These issues, if properly executed, have the overt, direct potential to compromise a vehicle. This
could have a rather immediate and drastic effect. Two examples having expansive effects would be
locking up the brakes while on the expressway or diverting the vehicle to make an 85 degree turn in rush
hour while travelling 70 mph on the way to work.
These vulnerabilities, when published, creates quite a buzz. With the amount of press these
historically has been with each vulnerability, and pertinence these machines play in our life and culture,
the focus is only going to grow in attention and depth of importance.
This coupled with the exponential advances in autonomous drive (AD) and connected vehicles
(CV), the connected and autonomous vehicles (CAV) market and vehicle offerings is growing and
providing more of a product base to test and more modules to fail.
Infotainment Hacking
The latest subject vulnerability involves the infotainment system with two VW and Audi
vehicles. The infotainment system has been defined as the hardware and software functional modules
located in the vehicle, which provides entertainment to the occupants. This is recognized by most
consumers by the tv screen/monitor in their vehicle’s dash. Using this module, the consumers are able
to access the internet, listen to their music selection, call other parties, review maps, and many other
options This system, while exceptional, also has in the past and present, provided access points and
vulnerabilities.
These issues generally are not easy to fix due to the complexities in the modules, the millions of
lines of code (LoC), and more to the point, bringing the many groups together to analyze, review, and
mitigate the issue.
For the subject test, the module was tested by the Dutch cybersecurity firm Computest. As the
infotainment system was the focal point, the researchers, Daan Keuper and Thijs Alkemade, tested the
2015 Volkswagen Golf GTE and Audi A3 e-tron.
It is notable that the researchers were responsible with their testing and research publication
process. The test was successful in the researchers noted vulnerabilities and were able to execute the
exploit. The researchers did not fully disclose their process or finding. With this vulnerability, the issue
has to be corrected at the dealership. As this is not able to be fixed with a firmware-over-the-air (FOTA)
update, this will take time to implement through the fleet. For the researchers to publish the details of
the attack prior to allowing the auto manufacturers adequate to fix this, may have put people in harm’s
way.
Report
The research report itself is freely available online. The link is noted in the resources section
Compliments are due to the researchers at Computest. This was well-thought through and organized.
The report was presented with a sufficient amount of technical jargon, while still being perfectly
digestable by others not in the same sub-industry. The steps used in the report also were laid-out.
The report had a single question to be researched and answered. This was, from page 8 of the
report, “Can we influence the driving behavior or critical security systems of a car via an internet attack
vector””
The short answer was Yes.
Research – Subject Hardware (HW)
As noted, the focus was on the infotainment system for the vehicle. As for the hardware, this
module used a system manufactured by Harman and is known as the Modular Infotainment platform
(MIB). The tested hardware was the version 2.
Research Process
With any product testing, it is best to know what the subject product or module has to offer.
The more data and information, the better as it provides more for the researcher to work with.
The initial and basic step was completed with a basic port scan on the VW module. This scan
found several ports open, including the telnet port In particular, port 49152 was open and used a UPnP
service, which used the Plutino Soft Platinum UpNp. This is an open source app, and happened to be
used with the Audi A3 2015 model year.
As this curiosity was noted, the Audi was also scanned. This model only had two ports open. One
of these was 49152 with the same service running. In this particular section of the trust, no exploit was
noted with the limited testing that was completed.
As the testing continued, the researchers found a vulnerability to exploit. This allowed
researchers to read files from the disk and achieve the researcher’s end goal of a remote code execution
This allowed for a plethora of other tests and attacks. In short, the researchers got root. With these, the
attackers would also be able to toggle on or off the microphone in the vehicle, review the address book,
and history of the conversations. This was not fully disclosed due to safety issues. This was
acknowledged however by VW.
The researchers also analyzed the Renasas V850 chip. This is connected to the CANBus with a
serial connector. This manages the CAN communication for the vehicle. The researchers did not test
this, however, theorized, with a firmware image, which is not easy to find and secure a backdoor could
be placed into the modified firmware, and reflash the image.
But wait, there’s more…
The research report noted several instances of potential vulnerabilities to be tested. These and
others were not tested. The researchers had the opportunity to research and document, however
stopped.
As they did gain root, a number of these other tests were available to do. An example of this
involves the infotainment system. This is indirectly connected to the vehicle acceleration and braking
modules, which are targets.
The researchers ended up ceasing their efforts due to the testing itself. This testing could have
involved VW’s intellectual property. The researchers, with continuing the research and testing, may
have found themselves working through legal ramifications.
Resources
Cimpanu, C. (2018, April 30). Volkswagen and audi cars vulnerable to remote hacking. Retrieved from
https://www.bleepingcomputer.com/news/security/volkswagen-and-audi-cars-vulnerable-to-remote-
hacking
Computest. (2018). The connected car: Ways to get unauthorized access and potential implications.
Retrieved from http://www.computest.nl/wp-content/uploads/2018/04/connected-car-rapport.pdf
Dunn, J.E. (2018, May 2). Volkswagen and audi car infotainment systems hacked remotely. Retrieved
from https://nakedsecurity.sophos.com/2018/05/02/volkswagen-and-audi-car-infotainment-systems-
hacked-remotely/
Information Security Newsletter. (2018, May 1). With this vulnerability you can remotely hack
Volkswagen and audi cars. Retrieved from
http://www.securitynewspaper.com/2018/05/01/vulnerability-can-remotely-hack-volkswagen-audi-
cars/
McGlaun, S. (2018, May 1). VW and audi cars have infotainment systems vulnerable to remote hacking.
Retrieved from https://www.slashgear.com/vw-and-audi-cars-have-infotainment-systems-vulnerable-
to-remote-hacking-01529071/
Smith. (2018, May 1). Car hackers find remotely exploitable vulnerabilities in volkswagen and audi
vehicles. Retrieved from https://www.csoonline.com/article/3269299/security/car-hackers-find-remote-
exploitable-vulnerabilities-in-volkswagen-and-audi-vehicles.html
Sussman, B. (2018, May 1). Research: VW and audi cards hacked through infotainment system.
Retrieved from https://www.secureworldexpo.com/industry-news/research-vw-and-audi-cars-hacked-
through-infotainment-system
Tung, L. (2018, May 1). VW-audi security: Multiple infotainment flaws could give attackers remote
access. Retrieved from https://www.zdnet.com/article/vw-audi-security-multiple-infotainment-flaws-
could-give-attackers-remote-access/
Wood, D.A. (2018, May 1). Volkswagen and audi vehicles remotely hacked. Retrieved from
https://www.carcomplaints.com/news/2018/volkswagen-audi-vehicles-remotely-hacked.shtml
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.