The much-touted connected car brings some advantages, above all greater convenience, but also serious security drawbacks. Experts at the Dutch company Computest have just demonstrated this once again. They report how they were able to penetrate, via Wi-Fi connections, the infotainment system from the audio and navigation specialist Harman in VW and Audi models and gain root access to its central computer. Rudimentary communication with the central vehicle network, the Controller Area Network (CAN), is also said to have been possible.
The security researchers found the extensive attack possibilities in the Wi-Fi-capable "Modular Infotainment Kit" (MIB) of the Audi A3 Sportback e-tron and the Golf GTE. The examined vehicles were built in 2015. The central computer of the Harman system includes a plug-in module designated the "MMX board" (Multi-Media Extension), which is responsible for, among other things, satellite navigation and control of the display and user input, as well as a "Radio Car Control Unit" (RCC) for radio reception and communication with the CAN. Via Wi-Fi and Telnet, the experts managed to take control of these components using a few hacker tricks.
The security researchers did not make details of their approach public in a paper that has now been published, so as not to unnecessarily encourage misuse. Under certain conditions, however, attackers could listen in on the communication a driver conducts via the infotainment and navigation system, turn the microphone on or off, and gain access to the complete address book and the recorded data on conversations held.
Via the navigation components it is also possible to track precisely where the driver has traveled or where he is currently located. Indirectly, the MIB is also connected to even more sensitive electronic components such as drive-by-wire or the brake system. According to their own statements, the experts did not pursue attack options that penetrate further into the interior of the vehicle network, so as not to infringe Volkswagen's "intellectual property rights".
In parallel, the Computest employees point to further potential security vulnerabilities in USB interfaces behind the instrument panel, which are officially meant to be used, for example, for error checking or connecting smartphones. After their investigation, which they carried out in July 2017, the researchers turned to Volkswagen and informed the security experts there about their findings.
In a meeting with representatives of the automotive group, to which Audi also belongs, they gained the impression that the other side had not previously known about the reported vulnerability and, above all, about the tinkerers' specific approach. Apparently, the MIB had not yet been subjected to an official security test, even though it is used in several million cars worldwide.
In a letter to Computest from mid-April, an employee of the Wolfsburg company's quality assurance department expressed thanks for the "professional cooperation" and the response time provided. Information such as that from Computest enables Volkswagen to make its own products "even more secure", the letter says. At the same time, however, it states that the open interfaces in the infotainment software were already closed in mid-2016.
According to a report by "Bleeping Computer", however, the security experts do not assume that all attack vectors have already been sealed. It is completely unclear how Volkswagen will deal with older vehicles produced before 2016, which are in principle vulnerable. There is no way to update the infotainment systems remotely, so recalls to the workshop would probably be required. Volkswagen has so far not answered questions about the specific procedure by which security fixes could be installed, or about the full range of vehicle models affected.