UPDATE – Over the last few years, automakers like Ford, Jeep, Nissan and Toyota have all suffered car-hacking vulnerabilities in their vehicles. Now, it looks like Volkswagen has been pulled into the mix after researchers discovered that in-vehicle infotainment (IVI) systems in certain Volkswagen-manufactured cars could be remotely hacked.

Not only that, but it’s possible to pivot to more critical systems.

The vulnerability was discovered in the Volkswagen Golf GTE and an Audi3 Sportback e-tron, which were both manufactured in 2015. Computest researchers Daan Keuper and Thijs Alkemade, who discovered the flaw, said that under certain conditions the IVI vulnerability could enable attackers to commandeer the on-board microphone to listen in on the conversations of the driver, turn the microphone on and off, and access the system’s complete address book and the conversation history. There is also a possibility of hackers tracking the car through the navigation system at any given time, they said.

A Volkswagen spokesperson told Threatpost that the vehicles impacted are those produced with Discover Pro infotainment systems – Golf GTE and Audi A3 e-tron.

“We have been in contact with Computest since mid-2017,” the spokesperson told Threatpost. “The bug fix – in other words eliminating the vulnerability – had already taken place in early May 2016.”

The spokesperson stressed that “from what is currently known, it is impossible for [attackers] to manipulate the brakes, steering or vehicle access systems.”

The researchers said they were able to leverage an undisclosed vulnerability in Harman-manufactured modular infotainment (MIB) platforms in the affected car models to access the IVI system remotely via Wi-Fi. Then, they exploited an exposed port to gain access to the management software of the system: “We can remotely compromise the MIB IVI system and from there send arbitrary CAN [control area networks] messages on the IVI CAN bus,” they said in a report. “As a result, we can control the central screen, speakers and microphone. This is a level of access that no attacker should be able to achieve.”

Beyond an Annoyance Hack

The researchers initially found they could use the vulnerability to read arbitrary files from disk, but quickly found that they could expand their possibilities into full remote-code execution.

The access didn’t stop there: Through the vulnerability, Computest researchers also found that they could access the IVI system’s multimedia applications unit (MMX) main processor, which is responsible for tasks like screen compositing and multimedia decoding. From there, they were able to control the radio and car control unit (RCC).

“The next step would be to send arbitrary CAN messages over the bus to see if we can reach any safety critical components,” said the report.

However, sending an arbitrary CAN message to the CAN bus would involve hacking a chip that is directly connected to a gateway, and is used to firewall messages between different CAN buses. At this point, Computest researchers said that they decided to drop their research, as it would require extracting the firmware from the chip using a physical vector.

“After careful consideration we decided to discontinue our research at this point, since this would potentially compromise intellectual property of the manufacturer and potentially break the law,” Computest researchers said. Not Fixable OTA

Computest brought its research to Volkswagen in the summer of 2017. Keuper said that in April 2018, Volkswagen provided Computest with a letter confirming the vulnerabilities, and stating that they have been fixed in a software update to the infotainment system – meaning that cars produced since the update will not be impacted by the vulnerabilities.

Despite the fact that Volkswagen has fixed cars currently being produced, the Computest researchers stressed that they would not disclose further details about the vulnerability because the updates are not able to be made over-the-air (OTA); as a result, affected car owners have to to meet with their dealers for a fix.

“The system we investigated can also not be updated by the end user itself, a user needs to go to an official dealer to receive an update,” Keuper told Threatpost in an email. “However, based on our experience, it seems that cars which have been produced before are not automatically updated when being serviced at a dealer, thus are still vulnerable to the described attack.”

In an ideal world, instead of having to proactively request an update themselves at the dealer, consumers should get the updates pushed automatically OTA, similar to a smartphone, said Keuper.

“This is also the key point in our research: these are all problems we can fix in the car of tomorrow, for example by enabling OTA updates,” he said. “But what about the cars that are sold today? They will be around for the next 15 to 18 years and will most likely never receive security updates.”

Car security issues – and how manufacturers respond to them – were put on the forefront after researchers Charlie Miller and Chris Valasek famously remotely hacked a 2014 Jeep Cherokee to control the braking, steering and acceleration of the vehicle in 2015. Since then, the attack surface for many vehicles has only expanded as infotainment systems and other Wi-Fi-enabled capabilities have become increasingly popular in cars.

For now, owners of impacted vehicles need to make sure they explicitly ask for security updates, Keuper told Threatpost. Meanwhile, manufacturers can also adopt security measures to tighten security, such as including third-party components as part of quality and security assurance measures.