The quantity of different devices in the home, applications in the healthcare sector and cars with internet connectivity is increasing fast. However, little attention is paid to the security of all these devices. That is, of course, until something goes wrong. Since we are involved on a daily basis with improving the security of software, our ethical hackers investigated what risks are involved with the internet connectivity in cars.
Research goal: “Can we influence the driving behavior or critical security systems of a car via an internet attack vector?”
These days cars are ‘connected’ far more than you might think. This connectivity has improved our experience enormously while on the road, but it also causes some disadvantages, namely the security risks. Our research was targeted at the infotainment system of the brand Harman, which is used in various models of the Volkswagen Group. In our research we investigated a Volkswagen Golf GTE and an Audi A3 Sportback e-tron, both with 2015 as year of construction.
Control over the navigation system
We succeeded in gaining access to the system at a distance. This means that in certain situations attackers could listen in to conversations the driver conducted via a car kit, switch the microphone on and off and also access the complete address book and conversation history. In addition, due to the vulnerability, it was possible via the navigation system to find out exactly where the driver had been, as well as following live where the car was at any given moment. These are all factors through which the privacy of the driver could be seriously damaged.
The systems to which we were able to gain access are connected indirectly to the systems responsible for braking and accelerating. Since hacking of such systems is illegal and the intellectual property of the manufacturer is thereby infringed, it was decided at that point to stop the investigation.
Modernisation of update policy
Immediately after the discovery we reported the leak to the Volkswagen Group. They have now been able to inform us that the vulnerabilities have been solved. However, this does not mean that the danger has passed. It is, in fact, impossible to update this type of infotainment system at a distance, which means that cars already in use with this system are still vulnerable. And if you may rightly assume that a car is on average 18 years old when it is scrapped, then there are still many years in which attackers could abuse that system.
This is why we advocate modernisation of the update policy by the automotive industry, in order to make it easier for consumers to update the software systems in their cars to the most recent version. This would mean that they can always be protected against the latest threats.