Security researchers from PCAutomotive, a leading cybersecurity firm specializing in the automotive sector, have uncovered 12 new vulnerabilities in the infotainment systems of certain Skoda vehicles. These vulnerabilities, disclosed at Black Hat Europe, pose potential risks by enabling malicious actors to exploit the car’s system remotely.
The Discovery
The vulnerabilities, found in the MIB3 infotainment unit of the Skoda Superb III sedan, allow attackers to:
Access live GPS coordinates and speed data.
Record conversations using the in-car microphone.
Take screenshots of the infotainment display.
Play arbitrary sounds within the car.
Danila Parnishchev, head of security assessment at PCAutomotive, noted that attackers can connect to the media unit via Bluetooth without authentication from a distance of up to 10 meters. Once connected, the flaws enable unrestricted code execution, allowing malware to be injected and executed every time the unit powers on.
A Threat to Privacy
The security gaps also extend to the car owner’s contact database, which is stored in plaintext on the infotainment system if contact synchronization is enabled. This could allow hackers to exfiltrate sensitive personal information easily, bypassing the encryption typically found on phones.
Despite these severe risks, PCAutomotive clarified that the vulnerabilities do not provide access to safety-critical systems like steering, brakes, or accelerators.
Scale of Vulnerability
The MIB3 units impacted by these flaws are not exclusive to the Skoda Superb III but are also found in other Skoda and Volkswagen models. Based on sales data, PCAutomotive estimates that over 1.4 million vehicles are potentially affected, and the actual figure could be higher when accounting for aftermarket components.
Manufacturer’s Response
Volkswagen, Skoda’s parent company, addressed the vulnerabilities through its cybersecurity disclosure program and has since released patches. Skoda spokesperson Tom Drechsler assured customers that measures to resolve the issue are ongoing:
“The identified vulnerabilities in the infotainment system have been addressed and resolved through ongoing product lifecycle improvements. At no point was the safety of our customers or vehicles compromised.”
Protecting Vehicle Security
While manufacturers are working to fix vulnerabilities, car owners should take proactive steps to safeguard their vehicles. Here are some recommendations:
Update Software Regularly: Always install updates provided by manufacturers to fix security gaps.
Disable Bluetooth: Turn off Bluetooth when not in use to reduce exposure.
Erase Data Before Selling: Ensure infotainment systems are wiped clean before reselling or transferring ownership.
Be Cautious with Aftermarket Components: Avoid using unverified aftermarket systems that may not be secure.
Conclusion
The discovery of vulnerabilities in Skoda cars underscores the critical importance of automotive cybersecurity. As vehicles become increasingly connected, manufacturers must prioritize robust security measures to protect user privacy and safety.