Researchers discovered multiple flaws in the infotainment systems of Volkswagen Group vehicles that could allow to track them in real-time.
A team of security researchers from cybersecurity firm PCAutomotive discovered multiple vulnerabilities in the infotainment units used in some vehicles of the Volkswagen Group. Remote attackers can exploit the flaws to achieve certain controls and track the location of cars in real time.
The team led by Danila Parnishchev and Artem Ivachev discovered 12 vulnerabilities in the MIB3 infotainment systems, which appeared in 2021, and now being used in many VW Group cars.
Volkswagen Group does not manufacture its MIB3 infotainment systems but sources them from Tier-1 suppliers. Multiple versions exist, including models by Preh Car Connect GmbH, LG, and Aptiv. The experts focused on MIB3 units produced by Preh Car Connect GmbH.
The vulnerabilities recently disclosed impact the latest model of the Skoda Superb III sedan The experts presented the results of their research at the recent Black Hat Europe.
The recent study builds on earlier research that identified 21 vulnerabilities in Volkswagen vehicles in 2022, nine of which were disclosed in 2023.
The researchers identified an issue in the phone book synchronization process via Bluetooth, where the phone book consists of a sequence of vCards with a specific structure. They discovered a critical flaw in handling contact photos, where converting a photo associated with a contact could trigger a buffer overflow, potentially leading to arbitrary code execution.
An attacker could exploit the vulnerability to access the GPS data in real-time, access the contacts list, monitor speed, record in-car conversations, play sounds, and capture infotainment screenshots.
An unauthenticated attacker can exploit the issue within several meters of the target.
Below is the list of vulnerabilities discovered by the experts:
- CVE-2023-28902 DoS via integer underflow in picserver
- CVE-2023-28903 DoS via integer overflow in picserver
- CVE-2023-28904 Secure boot bypass in BL2
- CVE-2023-28905 Heap buffer overflow in picserver
- CVE-2023-28906 Command injection in networking service
- CVE-2023-28907 Lack of access restrictions in CARCOM memory
- CVE-2023-28908 Integer overflow in non-fragmented data (phone service)
- CVE-2023-28909 Integer overflow leading to MTU bypass (phone service)
- CVE-2023-28910 Disabled abortion flag (phone service)
- CVE-2023-28911 Arbitrary channel disconnection leading to DoS (phone service)
- CVE-2023-28912 Clear-text phonebook information
- CVE-2023-29113 Lack of access control in custom IPC mechanism
The researchers published a video PoC of attack exploiting the above flaws:
The Volkswagen Group confirmed that some issues have been already fixed and the others and are being addressed.
“The reported vulnerabilities in the infotainment system have been and are being addressed and eliminated through continuous improvement management via the lifecycle of our products. At no time was and is there any danger to the safety of our customers or our vehicles.” Skoda spokesperson told TechCrunch.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(SecurityAffairs – hacking, Volkswagen Group)