Daan Keuper and Thijs Alkemade, two researchers from a Dutch security firm Computest, discovered a flaw in Volkswagen and Audi cars that attackers could exploit remotely, over the internet. Volkswagen will not patch the flaw, as those car models lack the capability to be updated over-the-air.
Modern Cars, Modern Problems
The researchers looked at nine different car models, until they decided on the Volkswagen Golf GTE and Audi A3 (also made by the Volkswagen Group). However, they first asked for permission to review their security. In some countries, including in the U.S., it’s often illegal to mess with the car’s software. Additionally, Volkswagen has sometimes taken legal action against security researchers so they wouldn’t reveal flaws in its cars. However, this time, Volkswagen seems to have been more cooperative.
Modern cars have increasingly gone digital in order to offer customers more features, but security hasn’t kept pace. For instance, cars may now have two Controller Area Network (CAN) buses, one for safety-critical components such as the engine and brakes, and another for non-safety-critical ones such as the entertainment dashboard, AC, wipers, and so on.
However, these two CAN buses are still able to communicate with each other through a "gateway" so that certain features work. Firewalls are supposed to filter what type of communications between the buses are allowed.
Lately, cars have also introduced two separate modems for wireless communications, but often they don’t come with robust security solutions that can protect them against various types of attacks. The most prominent remote hacking attack was done by two researchers, Charlie Miller and Chris Valasek, against GM’s Jeep Cherokee back in 2015. The exploit was possible due to a flaw in the In-Vehicle-Infotainment (IVI) system, which had an unfirewalled internet connection.
Volkswagen’s Flawed Cars
Keuper and Alkemade wanted to see if the same kind of flaws existed in Volkwagen’s Golf GTE from 2015. They noticed that the IVI system, developed by Harman, seemed to have a broad attack surface, which increased their chance of finding a flaw.
The researchers found a service in the Golf system that allowed for reading arbitrary files from storage. This flaw was later turned into full remote code execution, but the payload could be delivered only through a Wi-Fi connection, which means the potential for attack is more limited, at least for now. In the future, as cars become more digital, malicious Wi-Fi hotspots could pose the same security risk to cars that update over-the-air, as they do today for laptop or smartphone owners that connect to said hotspots. The researchers found a similar flaw in the Audi A3.
Keuper and Alkemade also noted that this flaw should have been identified by a proper security audit of the system. However, they said that Volkswagen didn’t undergo a formal security test, even though the systems are used in tens of millions of vehicles.
The researchers didn’t disclose the specific vulnerability because Volkswagen can’t fix it without the car owners having to drive to an authorized dealer to patch it. Volkswagen told the researchers that it wouldn’t release a public statement about the bug, which likely means that its customers won’t know about this flaw except from the media. It's also not clear if owners would get the patch for free, if they do ask for it at an authorized dealer.
The Dutch researchers said that the car industry seems to be increasingly more interested in securing their future vehicles, although it remains to be seen how serious those efforts will be. The bigger threat in the meantime will be cars that have already been built and sold and will be in the market for another 15 years. These internet-connected cars will have flaws that will never be fixed.
The researchers recommended that car makers review the security of the components they buy themselves, even if the component suppliers have done their own security audit. Perhaps as a dig at Volkswagen, Keuper and Alkemade also said that car makers need to be transparent about the flaws they find in their cars and shouldn’t hide such facts from their customers. The car manufacturers should also not be hostile towards security researchers, and they should be easily reached by researchers whenever a new problem is found.
The two researchers said consumers should be aware that internet connectivity is a new type of feature for cars, and it’s not mature, which means it may not be well protected. Consumers should also educate themselves about cars’ software security as much as they do other types of ratings for cars.