Security researchers have discovered multiple vulnerabilities in the infotainment units used in some Skoda cars that could allow malicious actors to remotely trigger certain controls and track the car's location in real time. Cybersecurity company PC Automotive, which specializes in the automotive sector, announced 12 new security vulnerabilities affecting the latest model of Skoda's Superb III sedan at the Black Hat Europe conference this week. The previous year, the group announced nine other vulnerabilities affecting the same vehicle model. Skoda is a car brand owned by German automobile giant Volkswagen.
Danila Parnishchev, director of security assessments at PC Automotive, said hackers could string together these vulnerabilities and exploit them to inject malware into cars. An attacker would need to be connected to the Skoda Superb III's media unit via Bluetooth to exploit the vulnerabilities, but he noted: "The attack can be carried out within a 10-meter range and does not require authentication."
The vulnerabilities were discovered in the car's MIB3 infotainment unit, allowing an attacker to execute unrestricted code and run malicious code every time the unit is started. According to PCAutomotive, this could allow an attacker to obtain real-time vehicle GPS coordinates and speed data, record conversations through the vehicle's microphone, take screenshots of the infotainment display, and play arbitrary sounds within the vehicle.
PCAutomotive verified these flaws on a Superb III, and it is also possible for an attacker to steal the owner's mobile phone contact database if the owner has enabled contact synchronization with the car.
"Typically, mobile phones are encrypted, so the contact database cannot be easily extracted, and the contact database of infotainment devices is usually stored in clear text," Parnishchev said.
Parnishchev pointed out that they have not found a way to bypass the in-vehicle network gateway's restrictions on access to safety-critical car controls such as the steering wheel, brakes and accelerator.
PCAutomotive shared the report ahead of a research note released on Thursday stating that vulnerable MIB3 units are used in multiple models from Volkswagen and Skoda, with estimates that the number of vulnerable vehicles could exceed 1.4 million based on public sales data.
If the aftermarket is taken into account, the number of vulnerable vehicles is likely much higher. "If you search for a part number on eBay, you'll find it," he explained. "If the previous user didn't delete it, their contact database will still be there."
Volkswagen patched the vulnerabilities after they were reported through the company's Cybersecurity Disclosure Program;
Skoda spokesman Tom Drechsler said in an emailed statement: "The reported vulnerabilities in the infotainment system have been and are being addressed and eliminated through continuous improvement management of the product life cycle. At no time was there any threat to the safety of customers or vehicles."