14 DAY TRIAL // The trend of car-hacking revelations continues with three researchers from CrySys Lab and the Budapest University of Technology and Economics saying that they were able to quietly disable the airbags system on an Audi TT model.
Presenting their findings to The Register, the three explained that while their attack is not as glamorous as all the recent car-hacking cases from the past six months, their attack is more plausible to happen in real life.
That's because the attack relies on a zero-day exploit found in car mechanics software used to debug and fix cars sold by the Volkswagen Group. This software is built and sold by third-parties, not Volkswagen. Let's not put the blame on the company this time, Volkswagen has enough on its plate right now.
The researchers said they only experimented with the exploit on an Audi TT model, but other car makes and models may be vulnerable as well, at least in theory.
The attack leverages poor PC security measures, not the actual car software
The attack, as described by the three scientists, relies on infecting a car dealership's computers with malware which leverages this vulnerability in the car computer debug tools used by mechanics.
When this tool is connected to an Audi TT to perform routine maintenance checks or fixes, the malware will turn off the car's airbags system, all without the mechanic or the car owner noticing it.
Still Buttyán, one of the three researchers, says that the risk is higher for this attack because the previous car exploits relied on vulnerabilities in the car software while their attack leverages the security loopholes of regular computers, which we all know can be quite lacking.
This is the exact scenario security researcher Craig Smith was warning about at the start of the month in his DerbyCon presentation, where he exposed a method of infecting cars using cars while at car dealerships and repair shops.
