Skoda Car Security Flaws Discovered - Remote Tracking Possible

Skoda Infotainment Systems Reveal Security Weaknesses
Recent investigations by security professionals have identified several security flaws within the infotainment systems found in select Skoda vehicles. These vulnerabilities potentially enable unauthorized remote control and real-time vehicle tracking.
Vulnerabilities Uncovered in Skoda Superb III
PCAutomotive, a cybersecurity firm focused on automotive security, presented findings at Black Hat Europe detailing 12 newly discovered security vulnerabilities that affect the latest iteration of the Skoda Superb III sedan. This disclosure follows a previous report last year, which identified nine separate vulnerabilities affecting the same vehicle model.
Skoda operates as a car brand under the ownership of the German automotive manufacturer, Volkswagen.
Exploitation Pathway via Bluetooth
Danila Parnishchev, head of security assessment at PCAutomotive, told TechCrunch that these vulnerabilities can be combined to inject malicious software into the vehicle. Successful exploitation requires an attacker to establish a Bluetooth connection with the Skoda Superb III’s media unit.
Potential Impacts of the Flaws
The identified vulnerabilities, located within the vehicle’s MIB3 infotainment unit, could grant attackers unrestricted code execution on the unit, allowing malicious code to run each time the unit is powered on.
Specifically, an attacker could potentially:
- Obtain real-time GPS coordinates and speed data.
- Record audio through the in-car microphone.
- Capture screenshots of the infotainment display.
- Emit arbitrary sounds within the vehicle.
Compromised Contact Data
Parnishchev explained to TechCrunch that the vulnerabilities also permit the extraction of the vehicle owner’s phone contact database, provided contact synchronization is enabled. The contact information is stored in an unencrypted format.
“While phones typically employ encryption, making database extraction difficult,” Parnishchev stated, “the infotainment unit presents a different scenario – the contact database is stored in plaintext.”
Safety-Critical Systems Remain Protected
Importantly, PCAutomotive confirmed that they did not discover a method to circumvent the in-vehicle network gateway restrictions. This means access to safety-critical vehicle controls, such as the steering, brakes, and accelerator, remains protected.
Widespread Potential Impact
PCAutomotive’s research, shared with TechCrunch prior to public release, indicates that the vulnerable MIB3 units are utilized across various Volkswagen and Skoda models. Based on available sales figures, they estimate that over 1.4 million vehicles may be susceptible to these vulnerabilities.
However, Parnishchev suggests the actual number of affected vehicles could be significantly higher, considering the aftermarket component market.
“Components can be readily acquired through platforms like eBay,” he explained. “If a previous owner failed to erase the data, their contact database could remain accessible.”
Remediation Efforts
Volkswagen has implemented patches to address these vulnerabilities following their disclosure through the company’s cybersecurity program.
Skoda’s Response
In a statement provided to TechCrunch, Skoda spokesperson Tom Drechsler affirmed that the reported vulnerabilities are being actively addressed and eliminated through ongoing product lifecycle improvements. He emphasized that customer safety and vehicle security have not been compromised.
