Researchers Discover Vulnerabilities in Skoda Cars That Enabled Owner Surveillance
Cybersecurity experts have uncovered a series of vulnerabilities in the infotainment systems of certain Skoda vehicles. Among other things, the bugs allowed attackers to track the real-time location of cars. The vulnerabilities were reported by PCAutomotive, a company specializing in automotive cybersecurity. At the Black Hat Europe conference, researchers presented 12 vulnerabilities affecting the latest Skoda Superb III model.
Danila Parnishchev from PCAutomotive told TechCrunch that the vulnerabilities could be chained together and used to install malware on a vulnerable car. To carry out the attack, a hacker needed to connect to the Skoda Superb III’s multimedia unit via Bluetooth.
The vulnerabilities were found in the MIB3 unit. They allowed an attacker to execute code and to have malicious code launch every time the device started. As a result, an attacker could obtain GPS coordinates and vehicle speed data, record conversations through the car’s microphone, take screenshots of the infotainment system display, and play arbitrary sounds.
According to Parnishchev, PCAutomotive tested the discovered issues on a Superb III, and the bugs also allowed them to extract the owner’s contact database if the owner had enabled contact synchronization with the car.
Similar vulnerable MIB3 units are used in many Volkswagen and Skoda models, leading researchers to believe that potentially more than 1.4 million cars are at risk. If the spare parts market is included, the number of vulnerable vehicles could be even higher. “If you go on eBay and search for the part number, you’ll find it. And the contact database will be there if the previous owner didn’t delete it,” the expert explained.
“Phones are usually encrypted, so extracting the contact database isn’t easy,” Parnishchev said. “But with the infotainment unit, it’s possible because the contact database is stored in plain text.”
The specialist also noted that he and his colleagues were unable to find a way to bypass protections and gain access to control elements such as the steering wheel, brakes, or accelerator pedal.
PCAutomotive reported that they notified the manufacturer about the vulnerabilities, and Volkswagen specialists have already fixed these issues. Skoda representatives confirmed this information to the press and assured journalists that the vulnerabilities did not pose any threat to the safety of users or the company’s vehicles.