Vulnerabilities Could Give Hackers Remote Access to VW, Audi Models -- Security Today

Vulnerabilities Could Give Hackers Remote Access to VW, Audi Models

Security researchers found that certain models from Volkswagen could be hacked and remotely controlled.

By Sydny Shepard
May 02, 2018

Security researchers have found several vulnerabilities in the infotainment system of some Volkswagen and Audi models, allowing them to remotely access the system and commandeer the microphone, navigation system and speakers.

Hackers Daan Keuper and Thijs Alkemade from Dutch firm Computest found the flaws in early 2017 after probing Harman-made infotainment systems in a 2015 model VW Golf GTW and Audi A3 Sportback e-tron. Both vehicles are made by the Volkswagen group.

The whitehat researchers were out to find ways to compromise an internet-connected car remotely and without user interaction. They found a flaw in the VW's in-vehicle infotainment system that can be remotely exploited if the vehicle connects to an attacker's Wi-Fi network.

Using the vulnerability, they were able to gain root access to the infotainment system's main processor, which is responsible for navigation and multimedia decoding. From there, they were able to control the RCC or radio and car-control unit, which could potentially allow an avenue for sending malicious messages to the Controller Area Network bus to manipulate vehicle controls such as the braking and steering system.

The researchers reported their findings to Volkswagen Group in mid-2017. In mid-April, the group wrote a letter to the researchers that appears to confirm the vulnerabilities they reported and suggested a patch was deployed on new models made after mid-2016.

"The objective of manipulating the steering and brake was not achieved. However, you did succeed in accessing the infotainment system and obtaining 'Root' authorizations. These administrator rights and modular infotainment matrix (MIB) are intended for development at Volkswagen and not for other people in a customer vehicle. The open interface on the Golf GTE and Audi A3 was closed by an update to the infotainment software from production week 22/2016 onwards," the letter said.

It is not clear at this time what Volkswagen did to address the flaws in models produced before mid-2016. Researchers suspect they are still vulnerable.

About the Author

Sydny Shepard is the Executive Editor of Campus Security & Life Safety.

i-PRO Certified as a 2025 Great Place to Work Around the World
11/20/2025
Motorola Solutions Acquires Blue Eye
11/19/2025
Allied Universal Named to Forbes List of America’s Best Companies
11/19/2025
SIA Names Jonathan Aguila as 2025 Insightful Practitioner Award Honoree
11/13/2025
Allied Universal Receives Top 50 Learning and Development Team Award
11/13/2025
PSA Network Joins the Foundation for Advancing Security Talent (FAST) as an Exclusive Member
11/12/2025
IPTECHVIEW Launches AI Orchestrator Cloud Video Management Platform
11/12/2025
barox Appoints Industry Veteran Reinhard Florin as Vice President of North America Sales
11/06/2025

Featured

Cost: Reactive vs. Proactive Security

Security breaches often happen despite the availability of tools to prevent them. To combat this problem, the industry is shifting from reactive correction to proactive protection. This article will examine why so many security leaders have realized they must “lead before the breach” – not after. Read Now
- Facility Security
Achieving Clear Audio

In today’s ever-changing world of security and risk management, effective communication via an intercom and door entry communication system is a critical communication tool to keep a facility’s staff, visitors and vendors safe. Read Now
- Facility Security
Beyond Apps: Access Control for Today’s Residents

The modern resident lives in an app-saturated world. From banking to grocery delivery, fitness tracking to ridesharing, nearly every service demands another download. But when it comes to accessing the place you live, most people do not want to clutter their phone with yet another app, especially if its only purpose is to open a door. Read Now
- Access Control
Survey: 48 Percent of Worshippers Feel Less Safe Attending In-Person Services

Almost half (48%) of those who attend religious services say they feel less safe attending in-person due to rising acts of violence at places of worship. In fact, 39% report these safety concerns have led them to change how often they attend in-person services, according to new research from Verkada conducted online by The Harris Poll among 1,123 U.S. adults who attend a religious service or event at least once a month. Read Now
- Facility Security
AI Used as Part of Sophisticated Espionage Campaign

A cybersecurity inflection point has been reached in which AI models has become genuinely useful in cybersecurity operation. But to no surprise, they can used for both good works and ill will. Systemic evaluations show cyber capabilities double in six months, and they have been tracking real-world cyberattacks showing how malicious actors were using AI capabilities. These capabilities were predicted and are expected to evolve, but what stood out for researchers was how quickly they have done so, at scale. Read Now
- Artificial Intelligence

Security Today eNews

Sign up today for essential industry news and product information that can help you stay afloat in the fast-paced world of security.

Email Address*Country*

Please type the letters/numbers you see above.

Webinars

Whitepapers

New Products

A8V MIND

Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.
Connect ONE®

Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.
Camden CV-7600 High Security Card Readers

Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure.