Security researchers from PCAutomotive have uncovered serious vulnerabilities in the infotainment systems of certain Skoda vehicles, revealing potential risks to user privacy and security.
The flaws, detailed at Black Hat Europe, impact the MIB3 infotainment unit used in the latest Skoda Superb III sedans, along with other models under Volkswagen, Skoda’s parent company.
According to PCAutomotive’s Danila Parnishchev, the vulnerabilities could allow hackers to connect to the infotainment unit via Bluetooth and execute malicious actions without requiring authentication. The attack, achievable within a 10-meter range, could enable the injection of malware into the system. This malware could run every time the unit starts, giving attackers the ability to monitor the vehicle’s GPS location, capture its speed data, and even record in-car conversations using the built-in microphone. Additionally, the infotainment system’s display could be manipulated to show altered visuals or play unauthorized sounds in the car.
Perhaps more alarmingly, attackers could extract sensitive personal data, such as the car owner’s phone contacts. Parnishchev highlighted that when contact synchronization is enabled, the data is stored in plaintext, making it easily accessible to malicious actors. This is a significant vulnerability, as encrypted storage is typically expected for such sensitive information.
While the vulnerabilities offer access to infotainment features, researchers did not find a way to bypass the car’s network gateway, meaning critical systems like the steering, brakes, or accelerator remain unaffected.
The scope of the vulnerabilities is broad. PCAutomotive estimates that over 1.4 million vehicles could be affected based on public sales data of models using MIB3 units. This number could increase when considering aftermarket parts, as used components sold online might still contain residual personal data from previous owners.
Skoda Infotainment Vulnerabilities Could Expose Cars to Cyberattacks
Bijay Pokharel