A 2015 Volkswagen Golf GTE and a 2015 Audi A3 Sportback e-tron have been remotely hacked through their Harman infotainment systems, which made it possible for the hackers to track where the vehicles had been and then remotely follow the vehicles.
In addition, the hack made it possible to remotely listen to conversations inside the vehicles and access the address book and conversation history.
The only good thing about the situation is who did the hack job. Daan Keuper and Thijs Alkemade are known as "ethical hackers" who work at security company Computest, and both researchers quickly informed VW about the vulnerabilities.
Volkswagen verified the findings and allegedly fixed the security flaws by updating the infotainment systems so that new vehicles won't have the same flaws. However, security researchers responded to the fix by saying,
"...it seems that cars which have been produced before are not automatically updated when being serviced at a dealer, thus are still vulnerable to the described attack."
Researchers say the only way older models could be updated is with dealers or consumers performing the updates since the Harman systems that were hacked are not capable of remote security updates.
The hackers claim they controlled the microphones, navigation systems and speakers by remotely gaining access to the vehicles, both by using USB devices and through administrative rights to the systems.
Researchers say the same systems that control the microphones and navigation systems are indirectly connected with the same systems that control acceleration and braking, so Keuper and Alkemade decided to halt the investigation at that stage.
"When you test the vulnerability of this type of critical functions, you are potentially acting illegally and you are possibly breaching the intellectual property rights. You need to be extremely careful when doing that. Therefore, continuing with the investigation without permission from the manufacturer wasn’t an option for us." - Hartger Ruijs, founder of Computest
According to researchers, their findings lead to questions about other potential weaknesses in the Harman infotainment systems.
Volkswagen isn't the only automaker to learn its infotainment systems are vulnerable to hackers, as Fiat Chrysler learned the same thing about its Harman systems after two friendly hackers took control of a Jeep Cherokee and sent it off the highway.
The incident caused Chrysler to recall 1.4 million vehicles equipped with Harman Uconnect 8.4A (RA3) and 8.4AN (RA4) infotainment systems, followed by federal investigations that were eventually closed without additional actions.