The duo found that by taking advantage of these vehicles’ WiFi connection, they could access the cars’ IVI, (in-vehicle infotainment system) and from there, gain access to other systems as well.
The researchers had this to say about their work:
“Under certain conditions, attackers could listen in to conversations the driver is conducting via a car kit, turn the microphone on and off, as well as gaining access to the complete address book and conversation history. Furthermore, due to the vulnerability, there is the possibility of discovering through the navigation system precisely where the driver has been, and to follow the car live wherever it is at any given time.”
It gets worse though. Once the researchers had gained access to these systems, they found they could also access the car’s braking and acceleration systems. They stopped short of performing exploits on these for fear of violating Volkswagen’s intellectual property rights. A hacker, however, would not hesitate to do so.
Worse still, the company apparently had no idea there was a problem. In fact, when the researchers presented their findings, they discovered that the company had deployed the IVI system completely untested.
Since bringing the issue to the company’s attention, they have addressed the issue. However, the fix only applies to newly manufactured vehicles. If you purchased either of the models listed above prior to June 2016, your vehicle has not received the fix, and will not get fixed unless you take it back to the dealership. There’s no way for the company to remotely install it. That means there are untold thousands of cars on the road right now that are vulnerable.