Over the Air: Compromise of Modern Volkswagen Group Vehicles


Modern cars offer an increasing number of connected features: in-vehicle Wi-Fi, Bluetooth, and USB, to name a few. At the same time, the internal architecture of a modern car is closed in nature. This situation, coupled with the fact that car security directly affects everyone’s safety, makes cars extremely important targets for security research.

The talk will disclose a chain of critical vulnerabilities in the infotainment system used in many Volkswagen Group vehicles, including the Skoda Superb III 2022, which allowed would-be attackers to gain code execution on the MIB3 infotainment unit over Bluetooth, elevate privileges to root, bypass secure boot to gain persistent code execution, and control the infotainment unit via a DNS channel every time the car starts.

Tracking vehicle location & speed in real time? Piece of cake! Want to play spy and listen in through the car’s mic? Bam, just like that! Stealing the phone contact database and ruining the owner’s privacy? Just ask.

Since the MIB3 infotainment unit is used in numerous Skoda & Volkswagen cars, the number of affected vehicles runs into the millions.

By:
Danila Parnishchev | Head of Security Assessment, PCAutomotive
Artem Ivachev | Senior Security Researcher, PCAutomotive
Mikhail Evdokimov | Senior Security Researcher, PCAutomotive
Aleksei Stennikov | Hardware Security Expert, PCAutomotive
Polina Smirnova | Senior Security Researcher, PCAutomotive
Radu Motspan | Senior Security Researcher, PCAutomotive

Full Abstract and Presentation Materials:
https://www.blackhat.com/eu-24/briefings/schedule/#over-the-air-compromise-of-modern-volkswagen-group-vehicles-42466