Skoda Cars Exposed to Real-Time Tracking Vulnerability
Amsterdam, Friday, 13 December 2024.
Security flaws in Skoda Superb III infotainment systems allow hackers to track vehicles in real time, raising serious cybersecurity concerns for over 1.4 million affected vehicles.
Critical Security Vulnerabilities Unveiled
PCAutomotive, a specialized automotive cybersecurity firm, revealed twelve new security vulnerabilities in the Skoda Superb III’s infotainment system during Black Hat Europe on December 10, 2024 [1][2]. This discovery follows nine previously identified vulnerabilities in the same model last year [1]. The impact extends beyond Skoda, potentially affecting approximately 1.4 million vehicles across both Volkswagen and Skoda models [2][3].
Exploitation Method and Risks
According to Danila Parnishchev, head of security assessment at PCAutomotive, an attacker within 10 meters of the vehicle can exploit these vulnerabilities over a Bluetooth connection, with no authentication required [2][3]. Once the infotainment system is compromised, the attacker can inject malware that obtains live GPS coordinates, records in-car conversations, captures screenshots, plays random sounds, and even accesses the owner’s phone contact database, which is stored in plaintext [1][2]. Notably, while these vulnerabilities pose significant privacy risks, they do not affect critical vehicle controls such as steering, brakes, or acceleration systems [1][4].
Manufacturer Response and Mitigation
Volkswagen, Skoda’s parent company, has already taken steps to address these security concerns through its cybersecurity disclosure program [2][3]. Tom Drechsler, Skoda’s spokesperson, confirmed that the company is actively addressing the vulnerabilities through continuous improvement management [1][2]. He emphasized that ‘there was no danger to customer safety or vehicles at any time’ [3]. The company is implementing patches and updates as part of its product lifecycle management strategy [2].
Broader Implications for Automotive Cybersecurity
These findings highlight the growing importance of cybersecurity in modern vehicles, which increasingly rely on sophisticated electronic systems [3]. The scope of the vulnerabilities is particularly concerning because the affected MIB3 infotainment units are present in multiple Volkswagen and Skoda models [4]. The situation serves as a crucial reminder for automakers to prioritize robust security measures in their connected vehicle systems [3].