Researchers have discovered multiple vulnerabilities in the infotainment units used in some Skoda cars. These flaws could allow malicious actors to remotely trigger certain controls and track the cars’ location in real-time. PCAutomotive, a cybersecurity firm specializing in the automotive sector, unveiled 12 new security vulnerabilities.
They impact the latest model of the Skoda Superb III sedan. Danila Parnishchev, head of security assessment at PCAutomotive, explained that the vulnerabilities could be chained together. This would allow hackers to inject malware into the vehicle.
To exploit the flaws, an attacker must connect to the Skoda Superb III’s media unit via Bluetooth. The vulnerabilities discovered in the vehicle’s MIB3 infotainment unit could allow attackers to achieve unrestricted code execution on it. This could let an attacker obtain live vehicle GPS coordinates and speed data.
They could also record conversations via the in-car microphone, take screenshots of the infotainment display, and play arbitrary sounds in the car.
Skoda infotainment vulnerabilities exposed
The flaws also make it possible for an attacker to exfiltrate the phone contact database of the vehicle owner if contacts are synchronized with the car.
“Usually phones are encrypted, so you cannot easily extract the contact database,” Parnishchev said. “In the case of the infotainment unit, you can — the contact database is stored in plaintext.”
However, researchers did not find a way to bypass the in-vehicle network gateway restrictions. This means they could not access safety-critical car controls such as the steering wheel, brakes, and accelerator.
PCAutomotive noted that the vulnerable MIB3 units are used in multiple Volkswagen and Skoda models. Based on public sales data, they estimate there are potentially more than 1.4 million vulnerable vehicles. Parnishchev suggested that the number could be much higher if the aftermarket component market is considered.
Volkswagen patched the vulnerabilities after they were reported through the company’s cybersecurity disclosure program. In an emailed statement, Skoda spokesperson Tom Drechsler said: “The reported vulnerabilities in the infotainment system have been and are being addressed and eliminated through continuous improvement management via the lifecycle of our products. At no time was and is there any danger to the safety of our customers or our vehicles.”