As technology advances, there are more opportunities for vulnerabilities to be researched and published. These continue to abound throughout the industries using these technologies. With computer chips, there have been Spectre and other vulnerabilities; with smartphones, Rowhammer and many others across the different platforms. Vehicles have the same issues, as they use much of the same equipment. There may not be as many issues published; however, critical issues remain.
These issues, if properly exploited, have the overt, direct potential to compromise a vehicle. This could have a rather immediate and drastic effect. Two examples with expansive effects would be locking up the brakes while on the expressway, or diverting the vehicle into an 85-degree turn in rush hour while travelling 70 mph on the way to work.
These vulnerabilities, when published, create quite a buzz. With the amount of press there historically has been with each vulnerability, and the pertinence of these machines in our life and culture, the focus is only going to grow in attention and depth of importance. Coupled with the exponential advances in autonomous drive (AD) and connected vehicles (CV), the connected and autonomous vehicles (CAV) market and its vehicle offerings are growing, providing more of a product base to test and more modules to fail.
The latest subject vulnerability involves the infotainment system in two VW and Audi vehicles. The infotainment system has been defined as the hardware and software functional modules located in the vehicle which provide entertainment to the occupants. Most consumers recognize it as the TV screen/monitor in their vehicle’s dash. Using this module, consumers are able to access the internet, listen to their music selection, call other parties, review maps, and use many other options. This system, while exceptional, has also, in the past and present, provided access points and vulnerabilities.
These issues generally are not easy to fix due to the complexities in the modules, the millions of lines of code (LoC), and, more to the point, the difficulty of bringing the many groups together to analyze, review, and mitigate the issue.
For the subject test, the module was tested by the Dutch cybersecurity firm Computest. As the infotainment system was the focal point, the researchers, Daan Keuper and Thijs Alkemade, tested the 2015 Volkswagen Golf GTE and Audi A3 e-tron.
It is notable that the researchers were responsible with their testing and research publication process. The test was successful in that the researchers noted vulnerabilities and were able to execute the exploit. The researchers did not fully disclose their process or findings. With this vulnerability, the issue has to be corrected at the dealership. As it cannot be fixed with a firmware-over-the-air (FOTA) update, the fix will take time to implement through the fleet. Had the researchers published the details of the attack before allowing the auto manufacturers adequate time to fix this, they may have put people in harm’s way.
The research report itself is freely available online. The link is noted in the resources section. Compliments are due to the researchers at Computest. The report was well thought through and organized. It was presented with a sufficient amount of technical jargon, while still being perfectly digestible by others not in the same sub-industry. The steps used were also laid out in the report.
The report had a single question to be researched and answered. This was, from page 8 of the report, “Can we influence the driving behavior or critical security systems of a car via an internet attack vector?”
The short answer was Yes.
Research – Subject Hardware (HW)
As noted, the focus was on the infotainment system for the vehicle. As for the hardware, this module used a system manufactured by Harman, known as the Modular Infotainment Platform (MIB). The tested hardware was version 2.
With any product testing, it is best to know what the subject product or module has to offer. The more data and information, the better, as it gives the researcher more to work with. The initial step was a basic port scan on the VW module. This scan found several ports open, including the telnet port. In particular, port 49152 was open and exposed a UPnP service, which used PlutinoSoft Platinum UPnP. This is an open source app, and happened to be used with the Audi A3 2015 model year. As this curiosity was noted, the Audi was also scanned. This model only had two ports open. One of these was 49152 with the same service running. In this particular section of the test, no exploit was noted with the limited testing that was completed.
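The same scan data is what a defender reviews when hardening a module. The following is an added example, not code from the article or the Computest report: it parses nmap grepable (`-oG`) output, flags open ports that are outside an allowlist, and reports services that appear on more than one unit. The addresses, host names, baseline and sample scan lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in nmap grepable (-oG) format. Addresses come from the
# documentation range; host names and the closed port are made up. Only the
# telnet and 49152/UPnP entries mirror what the article describes.
SAMPLE_SCAN = (
    "Host: 192.0.2.10 (vw-mib)\tPorts: 23/open/tcp//telnet///, "
    "49152/open/tcp//upnp//Platinum UPnP/, 8080/closed/tcp//http-proxy///\n"
    "Host: 192.0.2.20 (audi-mib)\tPorts: 49152/open/tcp//upnp//Platinum UPnP/\n"
)

# Hypothetical baseline: (port, proto) pairs each host may expose. Empty means
# nothing is expected to listen on the interface that was scanned.
BASELINE = {"192.0.2.10": set(), "192.0.2.20": set()}
CLEARTEXT_ADMIN = {"telnet", "ftp", "rlogin"}  # unencrypted remote-access services

def parse_grepable(text):
    """Yield (host, port, proto, service, version) for every open port."""
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) \(.*?\)\s+Ports: ([^\t]*)", line)
        if not m:
            continue
        for entry in m.group(2).split(", "):
            f = entry.strip().split("/")
            if len(f) >= 7 and f[1] == "open":
                yield m.group(1), int(f[0]), f[2], f[4], f[6]

def audit(text, baseline):
    """Return findings for open ports that the baseline does not allow."""
    findings = []
    for host, port, proto, service, version in parse_grepable(text):
        if (port, proto) in baseline.get(host, set()):
            continue
        severity = "high" if service in CLEARTEXT_ADMIN else "review"
        findings.append((host, port, proto, service, version, severity))
    return findings

def shared_services(findings):
    """Group findings by (port, service, version) seen on more than one host."""
    seen = defaultdict(set)
    for host, port, _proto, service, version, _sev in findings:
        seen[(port, service, version)].add(host)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    results = audit(SAMPLE_SCAN, BASELINE)
    for row in results:
        print(row)
    print("shared across units:", shared_services(results))
```

A service that shows up under `shared_services` is a component whose flaws would affect every listed unit at once, which is why the common UPnP listener on both cars stood out.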
As the testing continued, the researchers found a vulnerability to exploit. This allowed the researchers to read files from the disk and achieve their end goal of remote code execution.
This allowed for a plethora of other tests and attacks. In short, the researchers got root. With this access, attackers would also be able to toggle the microphone in the vehicle on or off and review the address book and the history of conversations. This was not fully disclosed due to safety issues. It was, however, acknowledged by VW.
The researchers also analyzed the Renesas V850 chip. This is connected to the CAN bus with a serial connector and manages the CAN communication for the vehicle. The researchers did not test this; however, they theorized that, with a firmware image (which is not easy to find and secure), a backdoor could be placed into the modified firmware and the image reflashed.
But wait, there’s more…
The research report noted several instances of potential vulnerabilities to be tested. These and others were not tested. The researchers had the opportunity to research and document them, but stopped.
As they did gain root, a number of these other tests were available. An example of this involves the infotainment system, which is indirectly connected to the vehicle acceleration and braking modules, which are targets. The researchers ended up ceasing their efforts because of the testing itself: it could have involved VW’s intellectual property. By continuing the research and testing, the researchers may have found themselves working through legal ramifications.
Resources
Cimpanu, C. (2018, April 30). Volkswagen and Audi cars vulnerable to remote hacking. Retrieved from https://www.bleepingcomputer.com/news/security/volkswagen-and-audi-cars-vulnerable-to-remote-hacking
Computest. (2018). The connected car: Ways to get unauthorized access and potential implications. Retrieved from http://www.computest.nl/wp-content/uploads/2018/04/connected-car-rapport.pdf
Dunn, J.E. (2018, May 2). Volkswagen and Audi car infotainment systems hacked remotely. Retrieved from https://nakedsecurity.sophos.com/2018/05/02/volkswagen-and-audi-car-infotainment-systems-hacked-remotely/
Information Security Newsletter. (2018, May 1). With this vulnerability you can remotely hack Volkswagen and Audi cars. Retrieved from http://www.securitynewspaper.com/2018/05/01/vulnerability-can-remotely-hack-volkswagen-audi-cars/
McGlaun, S. (2018, May 1). VW and Audi cars have infotainment systems vulnerable to remote hacking. Retrieved from https://www.slashgear.com/vw-and-audi-cars-have-infotainment-systems-vulnerable-to-remote-hacking-01529071/
Smith. (2018, May 1). Car hackers find remotely exploitable vulnerabilities in Volkswagen and Audi vehicles. Retrieved from https://www.csoonline.com/article/3269299/security/car-hackers-find-remote-exploitable-vulnerabilities-in-volkswagen-and-audi-vehicles.html
Sussman, B. (2018, May 1). Research: VW and Audi cars hacked through infotainment system. Retrieved from https://www.secureworldexpo.com/industry-news/research-vw-and-audi-cars-hacked-through-infotainment-system
Tung, L. (2018, May 1). VW-Audi security: Multiple infotainment flaws could give attackers remote access. Retrieved from https://www.zdnet.com/article/vw-audi-security-multiple-infotainment-flaws-could-give-attackers-remote-access/
Wood, D.A. (2018, May 1). Volkswagen and audi vehicles remotely hacked. Retrieved from
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.