Car Hacking Project Volkswagen & Audi

Control over the navigation system

Research goal: "Can we influence the driving behavior or critical security systems of a car via an internet attack vector?"

We succeeded in gaining access to the system at a distance. This means that in certain situations attackers could:

• Listen in to conversations the driver conducted via a car kit
• Switch the microphone on and off
• Access the complete address book and conversation history
• Find out exactly where the driver had been via the navigation system
• Follow live where the car was at any given moment

The systems to which we were able to gain access are connected indirectly to the systems responsible for braking and accelerating. Since hacking of such systems is illegal, it was decided to stop the investigation at that point.

Modernisation of Update Policy

Immediately after the discovery we reported the leak to the Volkswagen Group. They have now been able to inform us that the vulnerabilities have been solved. However, this does not mean that the danger has passed. It is impossible to update this type of infotainment system at a distance, which means that cars already in use with this system are still vulnerable.

This is why we advocate modernisation of the update policy by the automotive industry, in order to make it easier for consumers to update the software systems in their cars to the most recent version. This would mean that they can always be protected against the latest threats.