Computest has discovered vulnerabilities in a 2015 Volkswagen Golf GTE and a 2015 Audi A3 Sportback e-tron. Both cars are manufactured by Volkswagen Audi Group (VAG).
An insecure software process exposed by the Wi-Fi interface of the cars' Harman In-Vehicle Infotainment (IVI) system allows unauthenticated access. Further digging revealed that it was also possible to access the IVI's Controller Area Network (CAN) bus.
This meant that:
"Under certain conditions attackers could listen in to conversations the driver is conducting via a car kit, turn the microphone on and off, as well as gaining access to the complete address book and the conversation history."
"There is the possibility of discovering through the navigation system precisely where the driver has been, and to follow the car live wherever it is at any given time."
The car uses a different, high-speed CAN bus for vehicle-critical communication such as steering, door unlocking, park assist, and – yes – braking.
That high-speed CAN bus is precisely one component away from the compromised IVI CAN bus: the two are separated by a CAN bus gateway that acts as a firewall between them.
It’s here that the researchers stopped in order to avoid breaking the law. The researchers reported their findings to VAG, which seems to have taken the issue seriously enough to invite them to come to its HQ in Germany to explain them.
The company later said it had patched the flaws that allowed access, although of course that would only fix new cars made from the point at which that firmware image became available.