Modern vehicles have become heavily digitized in order to offer drivers advanced features. Being digital does not by itself guarantee security, however, and smart cars are no exception.
Security researchers Daan Keuper and Thijs Alkemade from Computest report that some car models manufactured by Audi and Volkswagen contain a flaw that attackers can exploit remotely. The problem is that Volkswagen cannot patch the flaw remotely, because the affected models are not equipped with over-the-air update capability.
For this research [PDF], the Dutch security firm's researchers examined nine different models. The Volkswagen Golf GTE and Audi A3 were then selected for the detailed analysis after obtaining the company's permission to assess the security of its cars.
It should be noted that the Audi A3 is also manufactured by the Volkswagen Group. Unlike earlier occasions, when Volkswagen was difficult to engage on the security of the software it installs in its cars, this time the company was far more cooperative.
The researchers explain that the cars use two CAN (controller area network) buses, one for safety-critical components (e.g. brakes and engine) and one for non-safety-critical components (e.g. air conditioning, wipers and dashboard), and that the two can communicate with each other. That communication passes through a gateway, which is needed because features on one bus depend on data from the other (the dashboard, for instance, displays engine data).
The gateway filters which messages may cross between the buses, acting as a firewall. Modern cars, however, now also carry two different modems for wireless communication, and these often lack robust protection against a variety of attacks, most of which can be launched remotely.
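To make concrete what the gateway between the two buses does, here is an added example (not code from Computest, Harman or Volkswagen) of an allowlist-based gateway filter. The bus names, arbitration IDs, expected payload lengths and the traffic it processes are all constructed for illustration. It shows why a compromised infotainment unit on the comfort bus cannot simply inject a brake or engine frame onto the safety-critical bus unless the gateway's policy lets that ID through in that direction.

```python
"""Illustrative CAN gateway allowlist (added example, not Computest's or
Volkswagen's code). Bus names, IDs, DLCs and traffic are hypothetical."""
from dataclasses import dataclass, field

COMFORT = "comfort"        # non-safety-critical bus (IVI, AC, wipers, dashboard)
POWERTRAIN = "powertrain"  # safety-critical bus (engine, brakes)


@dataclass(frozen=True)
class CanFrame:
    arb_id: int   # 11-bit arbitration ID (classic CAN)
    data: bytes   # payload, at most 8 bytes on classic CAN


# Hypothetical policy: for each direction, the arbitration IDs that may cross
# the gateway and the exact payload length (DLC) expected for each of them.
POLICY = {
    (COMFORT, POWERTRAIN): {0x3C0: 4},            # e.g. a status request
    (POWERTRAIN, COMFORT): {0x280: 8, 0x1A0: 8},  # e.g. engine speed, brake status
}


@dataclass
class Gateway:
    policy: dict
    dropped: list = field(default_factory=list)

    def forward(self, src: str, dst: str, frame: CanFrame):
        """Return the frame if it may cross from src to dst, else record why not."""
        allowed = self.policy.get((src, dst), {})
        if not 0 <= frame.arb_id <= 0x7FF or len(frame.data) > 8:
            reason = "malformed frame"
        elif frame.arb_id not in allowed:
            reason = f"id 0x{frame.arb_id:03X} not allowed {src}->{dst}"
        elif len(frame.data) != allowed[frame.arb_id]:
            reason = f"unexpected DLC {len(frame.data)} for 0x{frame.arb_id:03X}"
        else:
            return frame
        self.dropped.append((src, dst, frame, reason))
        return None


def simulate():
    """Run constructed traffic through the gateway; return (forwarded, dropped)."""
    gw = Gateway(POLICY)
    results = []
    # Legitimate traffic: engine speed published to the dashboard.
    results.append(gw.forward(POWERTRAIN, COMFORT, CanFrame(0x280, bytes(8))))
    # A compromised IVI on the comfort bus injects a spoofed brake-status frame
    # using a powertrain ID. That ID is only allowed in the other direction.
    results.append(gw.forward(COMFORT, POWERTRAIN, CanFrame(0x1A0, bytes(8))))
    # An ID that is allowed in this direction, but with a padded payload.
    results.append(gw.forward(COMFORT, POWERTRAIN, CanFrame(0x3C0, bytes(8))))
    # The same request with the expected DLC passes.
    results.append(gw.forward(COMFORT, POWERTRAIN, CanFrame(0x3C0, bytes(4))))
    return [f for f in results if f is not None], gw.dropped


if __name__ == "__main__":
    ok, dropped = simulate()
    print("forwarded:", [hex(f.arb_id) for f in ok])
    for src, dst, frame, reason in dropped:
        print(f"dropped {src}->{dst} 0x{frame.arb_id:03X}: {reason}")
```

The policy is deliberately direction-specific: a brake-status ID that the dashboard is allowed to read is not something the comfort bus is allowed to send, which is exactly the boundary an attacker who has taken over the infotainment unit has to cross.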
Computest's researchers set out to test whether the communication between the CAN buses in Volkswagen's cars could be abused. They identified the Harman-developed IVI (in-vehicle infotainment) system as the most promising attack target, which substantially increased their chances of finding a flaw.
They discovered a service in the Golf and Audi A3 infotainment systems that allowed arbitrary files to be read; this could then be escalated to full remote code execution. It should be noted that the payload can only be delivered over a wireless connection, so the attack's reach is limited for now. As cars become more digitized, however, malicious Wi-Fi hotspots would become a serious security risk for cars that connect to them or receive updates over the air.
Keuper and Alkemade note that a vast number of Volkswagen vehicles use the same system. The flaw should have been caught in a security audit, and it is surprising that Volkswagen did not perform a formal security test.
Since Volkswagen cannot fix the flaw unless the car owner has it patched manually at an authorized dealer, the researchers chose not to disclose the technical details. Whether the patch will be applied free of charge is not yet clear. Volkswagen has also not released a public statement, so customers remain unaware of the flaw.
The researchers urge car manufacturers to properly review the security of components before buying them and installing them in their vehicles. Manufacturers also need to be transparent about security issues identified in their cars in order to protect their customers. The same goes for customers: before investing in a smart car, they should make themselves aware of the numerous security risks such vehicles might pose.