Skoda Security Flaw: Millions of Vehicles Vulnerable to Remote Attack
Vulnerabilities have been discovered in the media systems of Skoda vehicles, allowing remote control of certain car functions and real-time tracking of their location. The findings were revealed by PCAutomotive during the Black Hat Europe conference.
The research identified 12 newly discovered flaws affecting the Skoda Superb III (3V3) – 2.0 TDI model released in 2022. Skoda, a brand owned by German automotive giant Volkswagen, has been significantly impacted by these findings.
Experts at PCAutomotive explained that the vulnerabilities can be combined to inject malicious software into the car’s system. To execute such an attack, a hacker would need to connect to the Skoda Superb III’s multimedia system via Bluetooth. Notably, no authentication is required, and the attacker can operate from a distance of up to 10 meters from the vehicle.
The flaws affect the MIB3 infotainment system and allow arbitrary code to run each time the unit is powered on, so the compromise persists across restarts. This allows attackers to access vehicle location data via GPS, monitor speed, record conversations through the built-in microphone, capture screenshots of the multimedia system, and play any audio within the car’s interior.
In addition, synchronized contact data of vehicle owners can be stolen. Unlike secure databases on phones, the contact information stored in the MIB3 system is saved in an unencrypted format, making theft significantly easier. However, despite the gravity of these threats, researchers found no vulnerabilities granting access to critical vehicle control systems, such as steering, brakes, or acceleration.
According to PCAutomotive, the vulnerable MIB3 modules are used across various Volkswagen and Skoda models. The company estimates that more than 1.4 million vehicles worldwide may be affected. Experts also highlight that the actual number of at-risk vehicles could be significantly higher when accounting for the secondary market. For example, multimedia systems sold on platforms like eBay may still contain synchronized contact data if previous owners failed to delete it.
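The two preceding paragraphs describe the same design weakness from two angles: the head unit stores synchronised contacts in the clear, so a compromised or resold unit gives them up. The Go program below is an added illustration of the defensive pattern, not code from PCAutomotive, Skoda or Volkswagen, and nothing here reflects how MIB3 actually stores data. It keeps the phone book as AES-256-GCM ciphertext and implements a reset as crypto-shredding: the key is destroyed, so whatever remains on flash (or on a unit sold second-hand) is unreadable. The `Contact` type, the in-memory key and the sample entry are all constructed for the example; on a real unit the key would sit in a hardware-backed keystore.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Contact is a constructed stand-in for one phone-book entry synchronised
// from a paired phone into the head unit.
type Contact struct {
	Name  string `json:"name"`
	Phone string `json:"phone"`
}

// ContactStore keeps the synchronised phone book encrypted at rest.
// Assumption: the key is held in memory here; a real unit would keep it
// in a hardware-backed keystore so it never reaches flash.
type ContactStore struct {
	key    []byte // 32-byte AES-256 key; nil once the unit has been reset
	sealed []byte // nonce || AES-GCM ciphertext: the only thing written to storage
}

func NewContactStore() (*ContactStore, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return &ContactStore{key: key}, nil
}

func (s *ContactStore) aead() (cipher.AEAD, error) {
	if s.key == nil {
		return nil, errors.New("store has been reset: key destroyed")
	}
	block, err := aes.NewCipher(s.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Save serialises the contacts and stores only authenticated ciphertext.
func (s *ContactStore) Save(contacts []Contact) error {
	gcm, err := s.aead()
	if err != nil {
		return err
	}
	plain, err := json.Marshal(contacts)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per write
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	s.sealed = gcm.Seal(nonce, nonce, plain, nil)
	return nil
}

// Load decrypts and verifies the stored blob; tampering or a missing key fails.
func (s *ContactStore) Load() ([]Contact, error) {
	gcm, err := s.aead()
	if err != nil {
		return nil, err
	}
	if len(s.sealed) < gcm.NonceSize() {
		return nil, errors.New("no contacts stored")
	}
	plain, err := gcm.Open(nil, s.sealed[:gcm.NonceSize()], s.sealed[gcm.NonceSize():], nil)
	if err != nil {
		return nil, err
	}
	var contacts []Contact
	return contacts, json.Unmarshal(plain, &contacts)
}

// Reset is crypto-shredding: zero and drop the key. The ciphertext may still
// sit on flash, but without the key it is unrecoverable.
func (s *ContactStore) Reset() {
	for i := range s.key {
		s.key[i] = 0
	}
	s.key = nil
}

// StoredBytes is what a raw read of the storage medium would return.
func (s *ContactStore) StoredBytes() []byte { return s.sealed }

func main() {
	store, _ := NewContactStore()
	_ = store.Save([]Contact{{Name: "Alice Example", Phone: "+10000000000"}}) // constructed entry
	fmt.Printf("at rest: %x\n", store.StoredBytes())
	back, _ := store.Load()
	fmt.Println("loaded:", back)
	store.Reset()
	_, err := store.Load()
	fmt.Println("after reset:", err)
}
```

The point the example makes against the article's two findings: a memory dump or a unit bought on eBay yields ciphertext rather than names and numbers, and a factory reset that wipes the key makes deletion effective even if the erase of the underlying flash is incomplete.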
PCAutomotive reported its findings to Volkswagen, which promptly issued security updates to address the issues. A Skoda representative emphasized that, throughout the vehicles’ operational lifetimes, no security threats to customers or their cars have been recorded.