- Security flaws were found affecting Skoda Superb III cars
- Over 1.4 million cars could be affected
- The same model car was found to have similar vulnerabilities last year
Experts have revealed a discovery of 12 new security vulnerabilities affecting the Skoda Superb III sedan, including flaws which could allow a threat actor to access the vehicle’s GPS and speed information, as well as remotely record conversations and access the infotainment screen.
Cybersecurity researchers from PCAutomotive revealed they were able to exploit the vulnerabilities to inject malware into the vehicle without authentication. The security flaws allowed them to to achieve unrestricted code execution and to run malicious code when the unit starts.
In turn, a malicious actor could have taken screenshots of the in-car infotainment screen, or recorded conversations through the microphone – and access live GPS coordinates. This was achieved through a Bluetooth connection with the system, so researchers could not access safety-critical controls like brakes, steering, or accelerators.
Deja Vu
If this sounds a little familiar, that’s because the group who discovered the vulnerabilities, PCAutomative, were also responsible for the discovery of nine other security flaws which affected the same model of car in November 2023 – also affecting the car’s infotainment unit.
The most recent Skoda vulnerabilities could affect over 1.4 million vehicles, and could affect an even higher number of people if their data was not properly erased before they sold their car on to a second-hand buyer.
Although it’s not difficult to imagine how this could be used to exploit victims in a normal setting, it’s even more worrying when you find out that Skoda is a huge supplier for law enforcement vehicles across the globe.
Another manufacturer which supplies police vehicles, Kia, was found earlier this year to have a software flaw that meant hackers could unlock and start any Kia vehicle built after 2013, and could have had similarly wide-reaching consequences.
Via TechCrunch
Leave a comment