Reese Morgan
Security researchers have discovered multiple vulnerabilities in the infotainment units used in some Skoda cars, which could allow malicious actors to remotely trigger certain controls and track the cars' location in real-time. The vulnerabilities, discovered by cybersecurity firm PCAutomotive, impact the latest model of the Skoda Superb III sedan and potentially affect over 1.4 million vehicles.
PCAutomotive unveiled 12 new security vulnerabilities at Black Hat Europe this week, just a year after disclosing nine other vulnerabilities affecting the same model. The firm's head of security assessment, Danila Parnishchev, explained that the vulnerabilities could be chained together and exploited by hackers to inject malware into the vehicle. An attacker would need to connect with the Skoda Superb III's media unit via Bluetooth to exploit the flaws, but Parnishchev noted that "the attack can be performed within 10 meters without authentication."
The vulnerabilities, discovered in the vehicle's MIB3 infotainment unit, could allow attackers to achieve unrestricted code execution and run malicious code every time the unit starts. This could enable an attacker to obtain live vehicle GPS coordinates and speed data, record conversations via the in-car microphone, take screenshots of the infotainment display, and play arbitrary sounds in the car, according to PCAutomotive.
Parnishchev also highlighted that the flaws make it possible for an attacker to exfiltrate the phone contact database of the vehicle owner if they have enabled contact synchronization with their car. Notably, the contact database is stored in plaintext, making it vulnerable to extraction. "Usually phones are encrypted, so you cannot easily extract the contact database," Parnishchev said. "In the case of the infotainment unit, you can."
While the vulnerabilities are concerning, Parnishchev noted that they did not find a way to bypass the in-vehicle network gateway restrictions to access safety-critical car controls such as the steering wheel, brakes, and accelerator. This limitation reduces the risk of catastrophic consequences, but the potential for privacy breaches and data theft remains significant.
PCAutomotive estimates that there are potentially more than 1.4 million vulnerable vehicles on the road, considering public sales data. However, Parnishchev warned that the number could be much higher if one considers the aftermarket component market. "If you go to eBay and search for a part number, you will find it. And if it's the case that the previous user didn't erase it, their contact database will be there, too," he explained.
In response to the findings, Volkswagen, the parent company of Skoda, patched the vulnerabilities after they were reported through the company's cybersecurity disclosure program. Skoda spokesperson Tom Drechsler stated, "The reported vulnerabilities in the infotainment system have been and are being addressed and eliminated through continuous improvement management via the lifecycle of our products. At no time was and is there any danger to the safety of our customers or our vehicles."
The discovery of these vulnerabilities highlights the importance of cybersecurity in the automotive industry, particularly as vehicles become increasingly connected and reliant on IoT technology. As the number of vulnerable devices grows, so does the potential attack surface, emphasizing the need for manufacturers to prioritize security and transparency in their products.
In the context of the broader automotive industry, this incident serves as a reminder of the critical role that cybersecurity plays in ensuring the safety and privacy of drivers. As vehicles become more connected, the stakes for security vulnerabilities will only continue to rise. It is essential that manufacturers, policymakers, and cybersecurity experts work together to address these risks and protect the integrity of our increasingly connected transportation systems.
Copyright © 2024 Starfolk. All rights reserved.