Security researchers have discovered vulnerabilities of low-to-medium criticality in select Skoda and Volkswagen cars that may enable malicious actors to trigger certain controls, a cybersecurity firm announced at the Black Hat Europe 2024 event this week. At least 12 new vulnerabilities were found impacting the infotainment systems in the latest model of Skoda Superb III — a D-segment sedan manufactured by the Volkswagen Group which entered production in 2015. Although threat actors would need to connect to the vehicle via Bluetooth to get access, the attack may be carried even from a distance.
This builds upon the previous discovery of nine security flaws in the same vehicle that were reported last year.
Vulnerabilities in Skoda Cars
Cybersecurity firm PCAutomotive published a report detailing the vulnerabilities discovered in the third-generation model of Skoda Superb. The German sedan's MIB3 infotainment system may allow malicious actors unrestricted code execution access, enabling them to run malicious code upon startup. It is said to provide remote access to the vehicle's systems.
They may be able to track its speed and location in real time, eavesdrop on the in-car microphone, play sounds, and control its infotainment system. Another flaw may allow them exfiltrate the phone contact database if contact synchronisation with the phone is enabled. Further, the vulnerabilities could also allow access to the CAN bus which is used to connect with the vehicle's electronic control units (ECUs).
Although there are many suppliers of the MIB3 infotainment system, the researchers specifically talk about the one manufactured by Preh Car Connect Gmbh. It impacts the following models:
- Skoda Superb III
- Skoda Karoq
- Skoda Kodiaq
- VW Areteon
- VW Tiguan
- VW Passat
- VW T-Roc
- VW T-Cross
- VW Polo
- VW Golf
The sales data suggests that a total of 1.4 million vehicles from the Volkswagen Group are at risk. PCAutomotive reported the vulnerabilities to Skoda as part of its cybersecurity disclosure program. In a statement given to TechCrunch, Skoda revealed that they have been addressed and eliminated. “At no time was and is there any danger to the safety of our customers or our vehicles”, the German automotive company said.
