A Harman International auto entertainment system is once again at the centre of a car hacking issue as Dutch researchers have used the device's Wi-Fi connection to exploit an open port enabling remote code execution.
Researchers Daan Keuper and Thijs Alkemade at Computest discovered the vulnerability, which is found in Harman units installed in some Volkswagen company vehicles. The proof-of-concept test was conducted on nine different cars including 2015 Volkswagen Golf GTE and an Audi A3 Sportback e-tron vehicles. Computest decided to attempt this hack to build upon the previous work done by Charlie Miller and Chris Valasek, which exposed additional flaws in Harman's auto entertainment systems, that were also from 2015 model vehicles.
If the flaw is exploited a hacker “Could listen in to conversations the driver is conducting via a car kit, turn the microphone on and off, as well as gaining access to the complete address book and the conversation history. Furthermore, due to the vulnerability, there is the possibility of discovering through the navigation system precisely where the driver has been, and to follow the car live wherever it is at any given time,” the Computest report stated.
The researcher's goal was to gain access to the car via the Internet and without directly accessing the hardware. The final attack vector utilised the car's Wi-Fi hotspot, which did require the attacker to be near the target vehicle.
The issue was presented to Volkswagen and the issue has been fixed. The report noted any fix applied must be done by a dealer and cannot be handled by a simple over the air firmware update.
Keuper and Alkemade noted the system they were able to access connects, indirectly, with the car's ability to brake and accelerate. However, Computest decided to halt testing before this was proven conclusively.
“We believe in the value of digitalisation and in the role played by the ethical hacker community in investigating and drawing attention to the associated risks. But such work must remain justifiable. When you test the vulnerability of this type of critical functions, you are potentially acting illegally and you are possibly breaching the intellectual property rights. You need to be extremely careful when doing that,” said Hartger Ruijs, director and founder of Computest.