Volkswagen Cars Vulnerable To Flaws The Company Won't Patch

Volkswagen's Harman IVI

Daan Keuper and Thijs Alkemade, two researchers from a Dutch security firm Computest, discovered a flaw in Volkswagen and Audi cars that attackers could exploit remotely, over the internet. Volkswagen will not patch the flaw, as those car models lack the capability to be updated over-the-air.

Modern Cars, Modern Problems

The researchers looked at nine different car models, until they decided on the Volkswagen Golf GTE and Audi A3 (also made by the Volkswagen Group). However, they first asked for permission to review their security. In some countries, including in the U.S., it’s often illegal to mess with the car’s software. Additionally, Volkswagen has sometimes taken legal action against security researchers so they wouldn’t reveal flaws in its cars. However, this time, Volkswagen seems to have been more cooperative.

Modern cars have increasingly gone digital in order to offer customers more features, but security hasn’t kept pace. For instance, cars may now have two Controller Area Network (CAN) buses, one for safety-critical components such as the engine and brakes, and another for non-safety-critical ones such as the entertainment dashboard, AC, wipers, and so on.

However, these two CAN buses are still able to communicate with each other through a "gateway" so that certain features work. Firewalls are supposed to filter what type of communications between the buses are allowed.

Lately, cars have also introduced two separate modems for wireless communications, but often they don’t come with robust security solutions that can protect them against various types of attacks. The most prominent remote hacking attack was done by two researchers, Charlie Miller and Chris Valasek, against GM’s Jeep Cherokee back in 2015. The exploit was possible due to a flaw in the In-Vehicle-Infotainment (IVI) system, which had an unfirewalled internet connection.

Volkswagen’s Flawed Cars

Keuper and Alkemade wanted to see if the same kind of flaws existed in Volkwagen’s Golf GTE from 2015. They noticed that the IVI system, developed by Harman, seemed to have a broad attack surface, which increased their chance of finding a flaw.

The researchers found a service in the Golf system that allowed for reading arbitrary files from storage. This flaw was later turned into full remote code execution, but the payload could be delivered only through a Wi-Fi connection, which means the potential for attack is more limited, at least for now. In the future, as cars become more digital, malicious Wi-Fi hotspots could pose the same security risk to cars that update over-the-air, as they do today for laptop or smartphone owners that connect to said hotspots. The researchers found a similar flaw in the Audi A3.

Keuper and Alkemade also noted that this flaw should have been identified by a proper security audit of the system. However, they said that Volkswagen didn’t undergo a formal security test, even though the systems are used in tens of millions of vehicles.

The researchers didn’t disclose the specific vulnerability because Volkswagen can’t fix it without the car owners having to drive to an authorized dealer to patch it. Volkswagen told the researchers that it wouldn’t release a public statement about the bug, which likely means that its customers won’t know about this flaw except from the media. It's also not clear if owners would get the patch for free, if they do ask for it at an authorized dealer.

Researchers’ Recommendations

The Dutch researchers said that the car industry seems to be increasingly more interested in securing their future vehicles, although it remains to be seen how serious those efforts will be. The bigger threat in the meantime will be cars that have already been built and sold and will be in the market for another 15 years. These internet-connected cars will have flaws that will never be fixed.

The researchers recommended that car makers review the security of the components they buy themselves, even if the component suppliers have done their own security audit. Perhaps as a dig at Volkswagen, Keuper and Alkemade also said that car makers need to be transparent about the flaws they find in their cars and shouldn’t hide such facts from their customers. The car manufacturers should also not be hostile towards security researchers, and they should be easily reached by researchers whenever a new problem is found.

The two researchers said consumers should be aware that internet connectivity is a new type of feature for cars, and it’s not mature, which means it may not be well protected. Consumers should also educate themselves about cars’ software security as much as they do other types of ratings for cars.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • HideOut
    Gm does not make to the Cherokee
    Reply
  • dextermat
    And yet fanboys keep buying them...
    Reply
  • stdragon
    What moron thought it was a good idea to not air-gap the CAN bus from the rest of the internet connected entertainment system?! Did their engineering dept not object to the marketing dept? The fail here is epic!
    Reply
  • 10tacle
    Yes please edit the comment about "GM's Cherokee." Jeep is a Fiat-Chrysler company. Anyway what is up with VW? They used to make great products back in the 1980s and 1990s with Jettas and Golfs. The last auto show I went to I sat in a new Jetta and the controls like AC knobs just felt so cheap. I know they build some of them in Mexico for the North and South American markets, but I don't think that's their issue. They have a severe management quality control issue, and their diesel scandal put that under the microscope.

    Actually, I've noticed in general that all German auto makers are spiraling downward in quality. Here are just a few examples from owners of them I know:

    2008 Mercedes CL class two door convertible transmission failing at 48K miles.

    2011 Audi A4 engine ECM failure (repeat issue, spent more time at dealer than in garage)./

    2012 BMW 335i coupe with a bad turbocharger at only 32K miles.

    2013 Mercedes GL450 SUV diesel having a bad rear seal gasket leaking oil (known issue, anyone out of warranty had to pay thousands to fix it).

    2015 Porsche 911 GT3 bad engine component (owner had to wait six weeks after ordering for the factory to ship a replacement motor to install at the dealer before delivery - all GT3s were recalled).

    German quality engineering is not what it used to be and Japanese quality is top notch. Decades ago it used to be the other way around. My daily driver 2008 Infiniti G37 with 135K on the clock is still as good as new.
    Reply
  • 10tacle
    20930781 said:
    What moron thought it was a good idea to not air-gap the CAN bus from the rest of the internet connected entertainment system?! Did their engineering dept not object to the marketing dept? The fail here is epic!

    Probably the same genius who was previously employed at Airbus who thought the chances of being hacked remotely on avionics monitoring software transmitted to airline ground monitoring stations was non-existent.
    Reply
  • sykozis
    Please do some research before typing an article.....
    For instance, cars may now have two Controller Area Network (CAN) buses, one for safety-critical components such as the engine and brakes, and another for non-safety-critical ones such as the entertainment dashboard, AC, wipers, and so on.
    There are 5 network protocols used in automotive applications. There can be (and usually are) multiple instances of at least 2 of those 5 network types in any given vehicle. The more modules the vehicle contains, the more networks exist. Some modules are even connected to more than 1 network. There is a network protocol referred to as LIN or Local Interconnect Network. This is typically used for power windows, power door locks and wipers since data only has to go in 1 direction.

    Btw, CANs have existed for over 2 decades..... Roughly 27 years actually... The statement I quoted makes it sound as though networking in automotive applications is something new....
    Reply
  • mrjhh
    Over-the-air updates have their own set of issues. At the minimum, the firmware needs to be signed, and the vehicle needs to verify the signature. Anti-reversion checks also need to be in place to prevent someone from taking an old, buggy, but signed firmware version and pushing that into the vehicle. Then, there is the issue of having a validated path between the processor which validates the firmware, and the place where the firmware is stored, to be sure the validation doesn't get bypassed. Then, if there is a bug in any of the above processes, they can still be bypassed to install improper firmware.
    Reply
  • stdragon
    20932165 said:
    Over-the-air updates have their own set of issues. At the minimum, the firmware needs to be signed, and the vehicle needs to verify the signature. Anti-reversion checks also need to be in place to prevent someone from taking an old, buggy, but signed firmware version and pushing that into the vehicle. Then, there is the issue of having a validated path between the processor which validates the firmware, and the place where the firmware is stored, to be sure the validation doesn't get bypassed. Then, if there is a bug in any of the above processes, they can still be bypassed to install improper firmware.

    That's all well and good, and I agree with the above. But more to the point, WHY is any of the critical ECU components even exposed to "over the air" access??! At *minimum*, they should be air-gaped and can only be serviced with a hard-lined connector; meaning physical access.

    When you have a vehicle weighing between 2,500 and 4000+ pounds humming along a highway at 60+ MPH, that's a considerable amount of kinetic energy! There is no room for failure.

    When it comes to automotive tech, there's no getting around inherent electro-mechanical complexity. However, whenever possible, the model of KISS (Keep It Simple Silly) is preferred so unintended consequences aren't introduced.
    Reply
  • King_V
    20930781 said:
    Did their engineering dept not object to the marketing dept?

    As a software developer, I rather suspect that engineering gets overruled by marketing. Or anyone else, really.
    Reply
  • velocityg4
    20932282 said:
    20930781 said:
    Did their engineering dept not object to the marketing dept?

    As a software developer, I rather suspect that engineering gets overruled by marketing. Or anyone else, really.

    I'd say accounting overrules everybody. If engineering ruled. The cars would last 1,000,000+ miles, never rust out and be very easy to repair. Engineers in the 1800's created steam engines and other mechanical contraptions still in use today.

    They'd also have us wear a harness with five point restraints and dump the airbags. Like in race cars. Simpler, more effective, cheaper, reliable and reduces weight.
    Reply