Hackers can quietly disable airbags in cars sold by Volkswagen using a zero day vulnerability in software popular with car mechanics.

The attacks demonstrated on an Audi TT require a mechanic's computer to be first compromised or for a malicious USB device to be plugged in for the exploit to work.

Research trio András Szijj, and Levente Buttyán of CrySyS Lab together with Zsolt Szalay of Budapest University of Technology and Economics say the the attack is a more "plausible", but less capable, threat than the dramatic remote hacking that has seen Jeep engines disabled at high speed, brakes seized, and locks popped.

The attack can allow intruders to conceal the disabling of airbags and other car functions from mechanics by falsifying read outs from the car.

Buttyán told Vulture South the third-party software is widely-used and compatible with cars sold by the Volkswagen Group (which includes Audi), adding that two other platforms also appear affected.

"... it works with other cars in the VW group too without any modification," Buttyán says.

"Anything that can be switched on or off from the diagnostic application could have been switched on or off.

"After switching off the airbag, we can consistently report to the application that it is still switched on."

Stuxnet: inspiring evildoers everywhere since 2005.

Buttyán stresses that the flaw "has nothing to do with VW itself" and relates solely to third-party software.

"It is not the specific software which makes our work interesting, but the main message that embedded devices are typically managed from PCs and they can be infected [and used] as stepping stones."

Other software suspected of being vulnerable but not confirmed could be immune should better encryption be used or particularly odd protocols be employed.

The team's attack works by replacing the FTDI DLL used to communicate with the diagnostic cable, with a malicious version.

The researchers faced a little anti-static analysis hurdles and digital signature checking, but the replacement of DLLs was found to be the easiest means of owning connected cars.

Buttyán says the most difficult aspect of the work was reverse engineering the software and protocols used but adds that the work is "completely doable" for a reasonably skilled attacker.

The attack is risky because it is more likely that a mechanic's PC would contain vulnerabilities than a car would sport remotely-accessible holes.

Still Buttyán says the attack could be made more dangerous if it becomes possible to update a car's embedded control unit firmware through the OBD2 port. That could allow an attacker to insert a hidden functionality to be triggered by a condition later on - such as cutting a critical system while the car is in motion.

"This is still not completely interactive, but more than a static switch off of a component," the researcher says.

Attack flow for the theoretical car-crimper

The team did not test that theory for fear of "bricking the university's car".

The authors say their work is a proof-of-concept of prior work by Stephen Checkoway (Comprehensive Experimental Analyses of Automotive Attack Surfaces (PDF) who in 2011 described the possibility of infecting cars through diagnostic equipment.

The attack vector could become more dangerous in the future should blackhats conduct similar research.

"This could be a nightmare in the future. Imagine that you manage all your smart devices in your home, office, or factory from your PC; Once dozens of embedded devices are successfully infected, the malware can even disappear deliberately from the PC, so all those embedded devices remain infected and you may never detect [the attack]."

Slides describing the hack are available here (PDF). ®