Volkswagen and Audi Cars Remotely Exploitable for Eavesdropping and Tracking

Some Audi and Volkswagen in-vehicle infotainment systems were deemed vulnerable and remotely controllable by hackers, allowing them to turn on or off microphones, speakers, and even track the vehicle using its built-in navigation system.

The software vulnerabilities were found in the Harman infotainment systems of the 2015 Volkswagen Golf GTE and Audi A3 Sportback e-tron, and allowed security researchers to remotely dial into the internet-connected vehicle and even gain administrative rights. The research paper strongly emphasizes the privacy implications of hackers potentially spying on conversations, accessing users’ full address books, and reading the conversation history.

“Internet-connected cars are rapidly becoming the norm,” reads the paper. “As with many other developments, it’s a good idea to sometimes take a step back and evaluate the risks of the path we’ve taken, and whether course adjustments are needed. That’s why we decided to pay attention to the risks related to internet-connected cars. We set out to find a remotely exploitable vulnerability, which required no user interaction, in a modern-day vehicle and from there influence either driving behavior or a safety feature.”

The same investigation revealed that the accessed systems were also indirectly connected to critical safety systems, such as braking or acceleration, which the researchers could have influenced. However, they stopped short of tampering with them because of potential legal implications involving intellectual property rights. Going further would have required the explicit consent of the manufacturer.

“During our meeting with Volkswagen, we had the impression that the reported vulnerability and especially our approach was still unknown,” reads the research paper. “We understood in our meeting with Volkswagen that, despite it being used in tens of millions of vehicles world-wide, this specific IVI system did not undergo a formal security test and the vulnerability was still unknown to them. However, in their feedback for this paper Volkswagen stated that they already knew about this vulnerability.”

After the team reported the vulnerability to the Volkswagen group in July 2017, a software update was released and applied. However, the researchers noted that only vehicles produced after April 2018 will benefit from this update, as previous models have no over-the-air software update capabilities. This means that tens of millions of vehicles could be left vulnerable throughout their entire lifetime, or until car owners take the option to update the software when the vehicle is serviced.
