Researchers find security holes in Skoda vehicles that could let hackers track them remotely

Security researchers have identified several vulnerabilities in the infotainment systems used in some Skoda vehicles, which could enable attackers to remotely control certain functions and track the vehicles’ locations in real-time.

PCAutomotive, a cybersecurity firm focused on the automotive sector, disclosed 12 new security flaws in the infotainment unit of the current Skoda Superb III sedan at Black Hat Europe, a year after reporting nine similar vulnerabilities in the same model. Skoda is a brand of the German automaker Volkswagen.

Danila Parnishchev, head of security assessment at PCAutomotive, told TechCrunch that the vulnerabilities could be exploited to inject malware into the vehicle. The attack requires connecting to the Superb III’s media unit over Bluetooth, which limits it to a range of about 10 meters, but no authentication is needed to do so.

The vulnerabilities, found in the vehicle’s MIB3 infotainment unit, could let an attacker run malicious code that executes each time the unit powers on. According to PCAutomotive, that foothold gives access to real-time GPS coordinates, vehicle speed data, microphone recordings and screenshots of the infotainment display, and allows arbitrary sounds to be played inside the car.

Parnishchev noted that attackers could also extract the phone contact database from vehicles that have enabled contact synchronization, even though phone contacts are usually encrypted. "The infotainment unit stores this database in plaintext," he explained.

PCAutomotive confirmed the vulnerabilities on the Skoda Superb III, but did not find a way past the in-vehicle network gateway that restricts access from the infotainment unit to safety-critical controls such as the steering, brakes and accelerator.

In research shared with TechCrunch ahead of its public release on Thursday, PCAutomotive estimated that the vulnerable MIB3 units are fitted in multiple Volkswagen and Skoda models, putting the number of potentially affected vehicles above 1.4 million based on public sales data. Parnishchev cautioned that the real figure could be much higher once aftermarket and second-hand units are counted. "If you go to eBay and search for a part number, you will find it," he said. "If the previous user didn’t erase it, their contact database will still be accessible."

PCAutomotive confirmed that Volkswagen has patched the vulnerabilities, which were reported through the company’s cybersecurity disclosure program.

In a statement to TechCrunch, Skoda spokesperson Tom Drechsler said the reported vulnerabilities are being addressed and eliminated through ongoing product improvement. "At no time was and is there any danger to the safety of our customers or our vehicles," Drechsler said.
