VW bugs: "Unpatchable" remote code pwnage

Two security researchers have excoriated Volkswagen Group for selling insecure cars. As in: hackable-over-the-internet insecure.

They broke into a recent-model VW and an Audi, via the cars’ internet connections, and were able to jump from system to system, running arbitrary code. Worryingly, they fully pwned the unauthenticated control bus connected to some safety-critical systems—such as the cruise control.

But VW has no way to push updates to its cars, and won’t alert owners to visit a dealer for an update.

Yes, it’s the internet of **** again: Potentially safety-critical bugs caused by the conflict between convenience and security. In this week’s Security Blogwatch, we prefer classic, analog vehicles.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Globfinity War


CAN VW push an update? No.

What’s the craic, Lucian Armasu? Volkswagen Cars Vulnerable To Flaws The Company Won't Patch:

A Dutch security firm … discovered a flaw in Volkswagen and Audi cars that attackers could exploit remotely, over the internet. Volkswagen will not patch the flaw, as those car models lack the capability to be updated over-the-air.

[It] allowed for reading arbitrary files from storage. This flaw was later turned into full remote code execution.

The researchers didn’t disclose the specific vulnerability because Volkswagen can’t fix it without the car owners having to drive to an authorized dealer [but] it wouldn’t release a public statement about the bug, which likely means that its customers won’t know about this flaw.

Wait, what? Calling Catalin Cimpanu—Volkswagen and Audi Cars Vulnerable to Remote Hacking:

Daan Keuper and Thijs Alkemade … said they successfully tested their findings and exploit chains on Volkswagen Golf GTE and Audi A3 Sportback e-tron models. [They] used a car's Wi-Fi connection to exploit an exposed port and gain access to the car's IVI, manufactured by electronics vendor Harman [including] access to the IVI system's root account.

The IVI system is also indirectly connected to the car's acceleration and braking system. … Researchers also found other flaws that could be exploited via USB debugging ports located under the car dashboard.

Researchers made it very clear they don't plan to reveal the exact services and ports they used to break [in] during their experiments.

And Ms. Smith puts it another way:

Put another way, an attacker could turn the microphone on or off, eavesdrop on conversations, and track a car in real time.

The researchers reported the flaws to Volkswagen’s external lawyer in July 2017 because the company had no responsible disclosure policy on its website. They met with Volkswagen in August 2017.

So if you have an Audi or Volkswagen, then contact your dealer and ask about a software update.

Let’s hear from the horse’s mouth, shall we? Computest’s Daan Keuper and Thijs Alkemade drive home the point, in The Connected Car:

We focused our research on one specific in-vehicle infotainment (IVI) system, that is used in most cars from the Volkswagen Auto Group and often referred to as MIB. … We first informed the manufacturer about the vulnerability and disclosed all our findings to them [and] gave them the chance to review this research paper.

If an attacker would gain access to the CAN bus of a vehicle, he or she would control the car. They could impersonate the front radar for example to instruct the braking system to make an emergency stop due to a near collision or take over the steering. The attacker only needs to find a way to actually get access to a component that is connected to the CAN bus. … The attacker has a lot of remote attack surface to choose from. Some … are reachable from anywhere around the globe.

A modern car has more than one CAN bus, separating safety critical devices from convenience devices. … In theory these buses should be completely separated, in practice however they are often connected. [And] in the last few years we have seen an increase in cars that feature an internet connection.

The system we had access to identified itself as MMX. It runs on the ARMv7a architecture and uses the QNX operating system, version 6.5.0. It is the main processor in the MIB system. … The device on the other end identified itself as RCC, and also had a telnet service running.

Even the best quality control cannot prevent mistakes from being made. … Manufacturers should stand to their responsibility and communicate swiftly and with transparency to affected customers. Hiding can not only lead to damages on the customer side, but can also have a very negative impact on the manufacturer's reputation.

To summarize our research up to this point: we have remote code execution, via the internet. … The next step would be to send arbitrary CAN messages. … There are still some attack vectors on the [CAN bus firewall] gateway that are definitely worth exploring … in cooperation with the manufacturer.

What we need about now is a spittle-flecked rant from stdragon:

What moron thought it was a good idea to not air-gap the CAN bus from the rest of the internet-connected entertainment system?! Did their engineering dept not object to the marketing dept? The fail here is epic!

Yet VW isn’t the only car maker doing this. At least, not according to this Anonymous Coward:

There's nothing [German car manufacturers] like more than making you come to them for any upgrades.

BMW and their ilk run the CAN bus through the head unit. Unplug the head unit, the car won't run. Once you've pwned the head unit you can put anything you want on the CAN bus and have some real fun.

Can someone speak with authority about CAN? Sean Mollet can: [You’re fired—Ed.]

I can only speak with authority for Ford and VW/Audi/Porsche cars. VW/Audi/Porsche most certainly have one of these gateways between the CAN busses. … The only messages allowed to pass … are status updates from the ECU to convenience (engine RPM, temperatures, etc. for the instrument cluster and some radios that can display vehicle stats), setting change messages from the radio to the body control module and ECU/TCU (sport/eco mode) and cruise control messages from the steering wheel controls. No other messages will pass the gateway.

So, the best they could have achieved if they completely own3d the infotainment system would be to possibly adjust the cruise control settings. … They probably could switch between eco and sport modes or adjust the ride height on the higher end Audis. … They might also be able to get the windshield wipers … to the top of their stroke and stop there.
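A directional allow-list of the kind the commenter describes, as an added example that is not code from Computest, Volkswagen or the commenter: bus names, CAN IDs, payload lengths and the candump-style log lines are all constructed, not real vehicle identifiers. It also shows the check a gateway should log: a status ID that is legitimate from the powertrain side is dropped when it arrives from the convenience side instead of being forwarded.

```python
import re
from collections import namedtuple
POWERTRAIN, CONVENIENCE = "can0", "can1"  # constructed bus names
Frame = namedtuple("Frame", "ts bus can_id data")

# Constructed allow-list keyed by (source bus, CAN ID); nothing else crosses.
ALLOW = {
    (POWERTRAIN, 0x280): "engine RPM status for the cluster",
    (CONVENIENCE, 0x5C0): "drive mode (eco/sport) request",
    (CONVENIENCE, 0x2C3): "cruise control from steering wheel",
}
EXPECTED_DLC = {0x280: 8, 0x5C0: 2, 0x2C3: 3}  # constructed payload lengths

# candump -L line format: (timestamp) interface ID#HEXDATA
LINE_RE = re.compile(r"^\(([\d.]+)\) (\w+) ([0-9A-Fa-f]{3,8})#([0-9A-Fa-f]*)$")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable candump line: %r" % line)
    return Frame(float(m[1]), m[2], int(m[3], 16), bytes.fromhex(m[4]))

def gateway_decision(frame):
    # Returns (forward, reason). Direction is part of the key, so a status ID
    # arriving from the convenience side is rejected; so is a wrong length.
    key = (frame.bus, frame.can_id)
    if key not in ALLOW:
        return False, "id not allowed from this bus"
    if len(frame.data) != EXPECTED_DLC[frame.can_id]:
        return False, "bad DLC %d for %s" % (len(frame.data), ALLOW[key])
    return True, ALLOW[key]

def filter_log(lines):
    # Dropped frames are what the gateway should log as a detection signal.
    forwarded, dropped = [], []
    for line in lines:
        frame = parse_line(line)
        ok, reason = gateway_decision(frame)
        (forwarded if ok else dropped).append((frame, reason))
    return forwarded, dropped

# Constructed sample: genuine RPM status and cruise request, then an RPM status
# forged from the convenience bus, an unknown ID, and a short drive-mode frame.
SAMPLE_LOG = """\
(1525000000.001) can0 280#0A1B000000000000
(1525000000.002) can1 2C3#010000
(1525000000.003) can1 280#FFFF000000000000
(1525000000.004) can1 3D0#00
(1525000000.005) can1 5C0#01
""".splitlines()
```

Running `filter_log(SAMPLE_LOG)` forwards the first two frames and drops the last three, each with a reason suitable for a gateway log.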

But we’ve been here before, right? Yep, remembers sinij:

As Charlie Miller and Chris Valasek showed with their work culminating in sensational remote hacking of a Jeep Cherokee driven by a volunteering journalist, the key issue is that hackable infotainment units are capable of impacting other systems on the car's CAN bus.

That was a known issue in 2015. There is simply no excuse to still make the same mistakes.

Meanwhile, Chrisq makes the obligatory VW gag:

But could you hack them to make them emissions compliant?


The moral of the story? If you create embedded software, you need a way to get updates to the devices.

And Finally…

Please, make it stop.


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: esclphotograf (cc0)
