[German]Security researchers have taken a closer look at the infotainment system in Skoda vehicles (belongs to Volkswagen car manufacturer group). They discovered several vulnerabilities that could allow attackers to remotely trigger certain functions on the vehicle and track the location of the cars in real time.
The MIB3 infotainment system from VW
The MIB3 infotainment system is installed in VW Group vehicles. The following illustration provides an overview of the relevant features, based on a Skoda model.
VW MIB3 Infotainment system
But what happens when the system has vulnerabilities? As early as 2022 and 2023, numerous vulnerabilities were found in this system and reported to VW.
In addition to Skoda, this infotainment system, which was probably introduced in 2021, can also be found in Seat and VW vehicles. However, the system is manufactured by various suppliers and provided for the VW Group. It is therefore unclear whether the same firmware is used everywhere. The following information therefore refers to the system in Skoda vehicles. However, if I interpret the presentation slides correctly, the infotainment system from this supplier is also installed in VW models – so there are millions of vehicles with it on the market.
PCAutomotive finds 12 vulnerabilities
The cyber security company PCAutomotive, which specializes in the automotive sector, has once again addressed the issue of security in the MIB3 infotainment system in 2024. In the Skoda Superb III (produced between 2015 and 2023), whose infotainment system is manufactured by Preh Car Connect GmbH, the security researchers discovered 12 new vulnerabilities, which they recently presented at the Black Hat Europe security conference.
Techcrunch has reported about that finding in this article über den Sachverhalt. The vulnerabilities in the vehicle's MIB3 infotainment unit allow unrestricted code execution in the system. An attacker could retrieve GPS coordinates and speed data of the vehicle, record conversations via the vehicle microphone, take screenshots of the infotainment display and play arbitrary sounds in the vehicle, PCAutomotive states.
According to Danila Parnishchev from PCAutomotive, the vulnerabilities can be linked together. This would allow attackers to connect to the Skoda Superb III's media unit via Bluetooth and inject malware into the vehicle. Parnishchev told TechCrunch that "an attack can be carried out at a distance of 10 meters from the vehicle without authentication."
The presentation slides from the Black Hat conference with a lot of details can be accessed here. Parnishchev pointed out to TechCrunch that the vulnerabilities, which PCAutomotive itself verified on a Superb III, also allow an attacker to exfiltrate the vehicle owner's phone contact database if they have enabled contact synchronization with their car. "Usually phones are encrypted, so you can't just extract the contact database," Techchrung quotes Parnishchev as saying. "In the case of the infotainment unit, this is possible – the contact database is stored in plain text."
