Car Hacking Concerns Over Golf GTE Infotainment System
Security researchers at a Dutch cyber-security firm, Computest, have discovered that the in-vehicle infotainment system in the Golf GTE along with other models from the Volkswagen Group has a weakness that can be exploited over WiFi.
The two researchers that discovered the flaw, Daan Keuper and Thijs Alkemade, described how they have successfully tested their findings on a Golf GTE and an Audi A3 Sportback e-tron. They explained how they use the car’s WiFi connection to gain access to the Harman infotainment system via an exposed software component.
The researchers went on to describe how under certain conditions, attackers could listen to phone conversations, turn the microphone on or off and gain access to the address book and conversation history. They also explained that there is a chance of discovering satellite navigation data, such as where the car has been or even follow the car to wherever it is at any given time.
It was also identified that the infotainment system is indirectly connected to the car’s acceleration and braking systems, but the researchers stopped short of delving further over concerns they might breach VW’s intellectual property. Although they did discover that other flaws could be exploited using USB debugging ports located under the dashboard.
The good news is that these flaws were reported to VW back in July 2017, and the open interface on the Golf GTE and Audi A3 infotainment systems had already been closed by an update that was applied from production week 22/2016 onwards.
In writing their report, Keuper and Alkemade purposefully withheld crucial information on how they exploited the security flaws. They made it very clear that they do not plan to reveal the exact services and software ports that they used to break into the Golf and A3 during their experiments.
They explained that when writing their paper, they would describe the process they followed, but not the full details on the remote exploitable vulnerability as they are committed to a responsible disclosure policy and they didn’t want to put people at risk.