Researchers have discovered several vulnerabilities in infotainment systems used in some Škoda car models. By exploiting these vulnerabilities, attackers can remotely activate certain controls and track the location of vehicles in real time.
The discovery was made by specialists at PCAutomotive, a company that specializes in cybersecurity. They studied the Škoda Superb III sedan and reported 12 vulnerabilities at the Black Hat Europe event. A year earlier, the same company disclosed 9 more vulnerabilities in the same model. The new vulnerabilities can be chained together and used to launch malware on vehicle systems.
To initiate an attack, an attacker can connect to the Škoda Superb III media unit via Bluetooth. No authentication is required, and the attacker can be located 10 m from the car. Vulnerabilities in the MIB3 infotainment system allow unrestricted code execution, with the code running every time the device is turned on.
An attacker can receive the car’s GPS coordinates in real time, record speed data, record conversations inside the car through a microphone installed in the system, take screenshots of the infotainment system interface and play arbitrary sound through it. If the car owner has enabled synchronization of contacts with the phone, the attacker can also copy the phone book; notably, this data is usually encrypted on the phone. Researchers were unable to bypass the protection of the car’s network gateway to access the steering system, brakes and accelerator.
Vulnerable MIB3 systems are used in several Volkswagen and Škoda car models. According to open data on sales volumes, about 1.4 million cars are vulnerable. With aftermarket components included, that number could be much higher, experts warn. PCAutomotive specialists reported their discoveries to Volkswagen, which owns the Czech company, and the latter closed the identified vulnerabilities. “The disclosed vulnerabilities in the infotainment system have been and will be addressed through continuous monitoring of updates throughout the life cycle of our products. There have never been and are no security threats to our customers or our cars,” a Škoda representative told TechCrunch.