Skoda and Volkswagen car vulnerabilities allow hackers to track users remotely



Researchers have found vulnerabilities in the infotainment systems of some Skoda and Volkswagen cars, which could let hackers track users and access sensitive data remotely. PCAutomotive, an automotive cybersecurity firm, revealed 12 security flaws in the latest Skoda Superb III sedan at Black Hat Europe.

Skoda and Volkswagen car vulnerabilities

The vulnerabilities in the MIB3 infotainment unit could allow hackers to inject malware and access vehicle functions without authorization.

The issue affects the 2022 Skoda Superb III and may extend to other Skoda and Volkswagen models with similar systems, potentially impacting over 1.4 million vehicles.

Hackers Can Remotely Track Users

If exploited, these vulnerabilities could let attackers:

  • Track GPS location and speed in real time
  • Record conversations via the car’s microphone
  • Capture infotainment screen images
  • Play sounds in the car
  • Access the owner’s phone contacts

Danila Parnishchev from PCAutomotive explained that attackers within 10 meters could exploit these flaws via Bluetooth without authentication.

Researchers also found issues in the OBD interface, allowing attackers to bypass UDS authentication. Alarmingly, one flaw could even shut off the engine at high speed, though this requires physical access to the OBD port.
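The OBD findings above (a hard-coded UDS password, a weakly encoded one, and a resulting authentication bypass) all concern the UDS SecurityAccess service (0x27), where a tester requests a seed from the ECU and answers with a key. The following is an added illustration, not code from PCAutomotive or from any Volkswagen Group ECU: it models a hypothetical ECU whose key is a fixed constant beside one whose key is an HMAC over a fresh, single-use seed, and checks the property that matters to a defender, namely whether a key observed once is accepted again. `WeakEcu`, `HardenedEcu`, `derive_key` and the secret and key bytes are all constructed for this example; the service and negative-response-code values are the ISO 14229 ones.

```python
"""UDS SecurityAccess (0x27) seed/key exchange: a hard-coded key scheme next
to a seed-bound HMAC scheme. Constructed illustration of a hypothetical ECU;
it does not reproduce any real vehicle's unlock algorithm."""
import hashlib
import hmac
import secrets

# ISO 14229 identifiers used below.
SECURITY_ACCESS = 0x27
POSITIVE_RESPONSE = SECURITY_ACCESS + 0x40   # 0x67
REQUEST_SEED = 0x01
SEND_KEY = 0x02
NEGATIVE_RESPONSE = 0x7F
NRC_SERVICE_NOT_SUPPORTED = 0x11
NRC_SUBFUNCTION_NOT_SUPPORTED = 0x12
NRC_REQUEST_SEQUENCE_ERROR = 0x24
NRC_INVALID_KEY = 0x35


class WeakEcu:
    """Weak design: the expected key is a constant shared by every unit of the
    model line and independent of the seed, so the seed is decorative and a
    key seen once (or recovered from firmware) opens every unit forever."""
    HARDCODED_KEY = bytes.fromhex("deadbeef")  # constructed placeholder value

    def __init__(self):
        self.unlocked = False

    def handle(self, request: bytes) -> bytes:
        sid, sub = request[0], request[1]
        if sid != SECURITY_ACCESS:
            return bytes([NEGATIVE_RESPONSE, sid, NRC_SERVICE_NOT_SUPPORTED])
        if sub == REQUEST_SEED:
            return bytes([POSITIVE_RESPONSE, sub]) + secrets.token_bytes(4)
        if sub == SEND_KEY:
            if request[2:] == self.HARDCODED_KEY:   # seed is never consulted
                self.unlocked = True
                return bytes([POSITIVE_RESPONSE, sub])
            return bytes([NEGATIVE_RESPONSE, sid, NRC_INVALID_KEY])
        return bytes([NEGATIVE_RESPONSE, sid, NRC_SUBFUNCTION_NOT_SUPPORTED])


def derive_key(unit_secret: bytes, seed: bytes) -> bytes:
    """Key = HMAC-SHA256(per-unit secret, seed), truncated to 8 bytes."""
    return hmac.new(unit_secret, seed, hashlib.sha256).digest()[:8]


class HardenedEcu:
    """Hardened design: the seed is random and single-use, and the key is
    bound to it with a per-unit secret, so a captured key is worthless in
    the next session and on any other unit."""

    def __init__(self, unit_secret: bytes):
        self._secret = unit_secret
        self._pending_seed = None
        self.unlocked = False

    def handle(self, request: bytes) -> bytes:
        sid, sub = request[0], request[1]
        if sid != SECURITY_ACCESS:
            return bytes([NEGATIVE_RESPONSE, sid, NRC_SERVICE_NOT_SUPPORTED])
        if sub == REQUEST_SEED:
            self._pending_seed = secrets.token_bytes(8)
            return bytes([POSITIVE_RESPONSE, sub]) + self._pending_seed
        if sub == SEND_KEY:
            if self._pending_seed is None:           # key without a seed request
                return bytes([NEGATIVE_RESPONSE, sid, NRC_REQUEST_SEQUENCE_ERROR])
            expected = derive_key(self._secret, self._pending_seed)
            self._pending_seed = None                # consumed even on failure
            if hmac.compare_digest(expected, request[2:]):
                self.unlocked = True
                return bytes([POSITIVE_RESPONSE, sub])
            return bytes([NEGATIVE_RESPONSE, sid, NRC_INVALID_KEY])
        return bytes([NEGATIVE_RESPONSE, sid, NRC_SUBFUNCTION_NOT_SUPPORTED])


def accepts_replayed_key(ecu, captured_key: bytes) -> bool:
    """Property check: start a fresh session and present a key that was valid
    in an earlier one. True means the design accepts it (bad)."""
    ecu.unlocked = False
    ecu.handle(bytes([SECURITY_ACCESS, REQUEST_SEED]))
    ecu.handle(bytes([SECURITY_ACCESS, SEND_KEY]) + captured_key)
    return ecu.unlocked


def demo() -> dict:
    """Run a legitimate unlock against both designs, then the replay check."""
    results = {}
    weak = WeakEcu()
    weak.handle(bytes([SECURITY_ACCESS, REQUEST_SEED]))
    weak.handle(bytes([SECURITY_ACCESS, SEND_KEY]) + WeakEcu.HARDCODED_KEY)
    results["weak_unlocks"] = weak.unlocked
    results["weak_accepts_replay"] = accepts_replayed_key(weak, WeakEcu.HARDCODED_KEY)

    secret = b"constructed-per-unit-secret"           # would live in the ECU's secure storage
    hard = HardenedEcu(secret)
    seed = hard.handle(bytes([SECURITY_ACCESS, REQUEST_SEED]))[2:]
    key = derive_key(secret, seed)
    hard.handle(bytes([SECURITY_ACCESS, SEND_KEY]) + key)
    results["hardened_unlocks"] = hard.unlocked
    results["hardened_accepts_replay"] = accepts_replayed_key(hard, key)
    out_of_order = HardenedEcu(secret).handle(bytes([SECURITY_ACCESS, SEND_KEY]) + key)
    results["hardened_rejects_key_without_seed"] = out_of_order[2] == NRC_REQUEST_SEQUENCE_ERROR
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two classes answer the same requests with the same response codes; the only difference is whether the key depends on the seed and on a per-unit secret. That is the distinction behind the "hard-coded password" and "weak encoding" findings in the table below: when the key is a constant or a reversible transform of the seed, auditing it once suffices to reproduce it for every unit.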

Volkswagen, Skoda’s parent company, has patched the vulnerabilities after they were reported.

Skoda spokesperson Tom Drechsler assured customers there was no risk to safety and said the company is addressing the issues through ongoing improvements.

This incident highlights the need for stronger cybersecurity as vehicles become more connected, emphasizing the importance of robust security measures and regular audits to protect users.

| CVE ID | Title | Severity (CVSS 3.1) |
| --- | --- | --- |
| CVE not assigned | SWD debug interface available on infotainment ECU | Not calculated |
| CVE not assigned | Debug console on Power Controller Chip | Not calculated |
| CVE-2023-28895 | Hard-coded password for access to power controller chip memory | 3.5 (Low) |
| CVE-2023-28896 | Weak encoding for password in UDS services | 3.3 (Low) |
| CVE-2023-28897 | Hard-coded password for UDS services | 4.0 (Medium) |
| CVE-2023-28898 | Head Unit Denial-of-Service via Apple CarPlay service | 5.3 (Medium) |
| CVE-2023-28899 | Denial of Service via ECU reset service | 4.7 (Medium) |
| CVE-2023-28900 | Nickname disclosure on the backend automotive server | 5.3 (Medium) |
| CVE-2023-28901 | Trip data disclosure on host fal-3a.prd.eu.dp.vwg-connect.com | 5.3 (Medium) |


December 12th, 2024 (last updated 2024-12-13T23:17:17+05:30) | Internet Security, Security Advisory, Security Update, vulnerability

About the Author: FirstHackersNews - Identifies Security
