Volkswagen and Skoda Flaws Allow Engine Disruption and Owner Data Theft
Researchers from PCAutomotive have uncovered several vulnerabilities in Skoda and Volkswagen vehicles, which could allow attackers to access sensitive systems, disable vehicles, or extract user data.
HThe vulnerabilities were discovered by PCAutomotive security researchers during a detailed analysis of the Skoda Superb III 2022 (3V3) 2.0 TDI model. This mid-size car, part of the Volkswagen Group, uses the Modularer Querbaukasten (MQB) platform.
Key components affected by the researchers’ attack include the MIB3 infotainment unit, manufactured by Preh GmbH, which integrates Apple CarPlay, Android Auto, and MirrorLink for mobile device connectivity, the Telematics Control Unit (TCU), which provides over-the-air (OTA) updates and communication with backend servers via cellular networks, the OBD interface, which enables diagnostics and system commands, and the Skoda Connect Cloud Backend that hosts user and vehicle data.
In the first case, the debug interface and OBD vulnerabilities demand close proximity to the vehicle or its components. Remote access can open the way to exploiting the backend API flaws and in-car Wi-Fi. The researchers also note that installing rogue devices via OBD ports could allow long-term, persistent access to attackers.
