Vulnerabilities in Volkswagen MIB3 Infotainment (Part 2)
Description
This advisory details new vulnerabilities identified by the PCAutomotive team in the Volkswagen MIB3 in-vehicle infotainment unit (IVI) model “MIB3 OI MQB,” manufactured by Preh Car Connect GmbH (JOYNEXT GmbH). This report expands upon previous findings released in 2023.
The vulnerabilities were initially discovered in a Skoda Superb III car, which was equipped with an MIB3 IVI bearing OEM part number 3V0 035 820 and running software version 0304. The PCAutomotive team also verified these vulnerabilities on a head unit with OEM part number 3G5 035 816, commonly found in Volkswagen vehicles.
Potentially affected MIB3 units by Preh Car Connect GmbH include a wide range of OEM part numbers, found on the infotainment unit itself at /etc/swup/tnr/tnrref.csv. These include, but are not limited to:
3G5035816[A|B|C|D|E|F|G|H|G|K|L|M|N] (confirmed: 3G5035816)
3V0035816[A|B|C|D|E|F|G|H|G|K|L|M|N]
3G5035820[A|B|C|D|E|F|G|H|G|K|L|M|N]
3V0035820[A|B|C|D|E|F|G|H|G|K|L|M|N] (confirmed: 3V0035820)
3G5035832[A|C|D|E|F|G]
3V0035824[A|B|C|D|E]
3G5035846
3V0035832[A|B|C|D|E|F|G|H|G|K|L|M|N]
3G5035864[B|C|D|E|F]
3V0035874[A|B|C|D|E]
3G5035876
3V0035876[A|B|C|D|E|F|G|H|G|K|L|M|N]
3G5035880
3V9035832[A|B|C|D]
3G5035882[B|C|D|F]
3V9035876[A|B|C|D]
3G9035824[A|B|C|D]
3G9035832[A|B|C|D]
3G9035874[A|B|C|D]
3G9035876[A|B|C|D]
These infotainment systems are utilized in various Volkswagen Group vehicle models, including (but not limited to):
Skoda Karoq
Skoda Kodiaq
Skoda Superb
Volkswagen Passat B8 & CC
Volkswagen Arteon
Volkswagen Polo & Golf
Volkswagen T-Cross
Volkswagen T-Roc
Volkswagen Tiguan
Skoda Octavia
Volkswagen Discovery
The total number of affected cars sold in 2022 alone exceeds 1.4 million.
Summary of Achieved Impact
The disclosed vulnerabilities can be chained together, allowing an attacker to achieve persistent malicious payload infection on the MIB3 IVI via a one-time Bluetooth attack. Once infected, the attacker can then remotely control IVI functions via a DNS tunnel over the Internet.
This remote control capability enables various actions, including:
Remote vehicle controls
Real-time tracking of vehicle speed and location
Eavesdropping on in-car conversations via the microphone
Controlling vehicle sound
Controlling the infotainment screen
Exfiltrating the phone contact database
A video demonstration of these remote controls is available on YouTube.
Identified Vulnerabilities
PCAutomotive has identified and disclosed 12 new vulnerabilities in the MIB3 infotainment unit. The following table summarizes these findings:
CVE ID | Title | CVSS 3.1
CVE-2023-28902 | DoS via integer underflow in picture handler | 3.3 (Low)
CVE-2023-28903 | DoS via integer overflow in picture handler | 3.3 (Low)
CVE-2023-28904 | Bypass of secure boot process | 5.2 (Medium)
CVE-2023-28905 | Heap buffer overflow in picserver | 8.0 (High)
CVE-2023-28906 | Command injection in networking service | 7.8 (High)
CVE-2023-28907 | Lack of access restrictions in CARCOM memory | 6.7 (Medium)
CVE-2023-28908 | Integer overflow in non-fragmented data (phone service) | 5.4 (Medium)
CVE-2023-28909 | Integer overflow leading to MTU bypass (phone service) | 8.0 (High)
CVE-2023-28910 | Disabled abortion flag (phone service) | 8.0 (High)
CVE-2023-28911 | Arbitrary channel disconnection leading to DoS (phone service) | 6.5 (Medium)
CVE-2023-28912 | Clear-text phonebook information | 5.7 (Medium)
CVE-2023-29113 | Lack of access control in custom IPC mechanism | 6.3 (Medium)
Technical Details
1. DoS Vulnerabilities in Picture Handler
CVE IDs: CVE-2023-28902 (DoS via integer underflow), CVE-2023-28903 (DoS via integer overflow)
CVSS 3.1 Score: Both 3.3 (Low)
Description: These vulnerabilities reside in the tsd.media.picserver.mib3.app.target binary, responsible for image parsing. They affect the picture browser app, which allows users to view images from a USB flash drive.
CVE-2023-28902 (Integer Underflow): Occurs during EXIF data parsing. The code reads 2 bytes, subtracts 2, and uses the result as an unsigned buffer size. If the 2-byte value is less than 2, the subtraction wraps around and the code attempts to allocate a very large buffer, leading to an unhandled C++ exception and an ABORT signal.
CVE-2023-28903 (Integer Overflow): Also identified during EXIF data parsing. A bounds check involving tag_data_size and tag_data_offset is incorrect because both are 32-bit integers, so their sum can wrap around. This can lead to process memory leaks or crashes (SEGFAULT).
Exploitation Scenario: Requires physical access to the vehicle to attach a USB flash drive containing a specifically crafted JPEG image and to open it via the IVI HMI.
Impact: Triggers an unhandled C++ exception, causing the affected process to receive an ABORT signal from the OS and terminate. Due to specific systemd configurations, this leads to the whole IVI Linux system rebooting, making multimedia and navigation services temporarily unavailable.
Credits: Identified by Artem Ivachev.
2. Code Execution via Heap Overflow in Picture Handler
CVE ID: CVE-2023-28905
CVSS 3.1 Score: 8.0 (High)
Description: This bug impacts tsd.bt.phone.mib3, which handles phone contact synchronization over Bluetooth. The vulnerability occurs when the IVI processes contact photos (avatars) from a vCard. The IVI scales JPEG images using libjpeg 9c. A temporary image row buffer (scanline_buffer) of fixed size (0x4000 bytes) is allocated. However, jpeg_read_scanlines can write up to 0x7FFF bytes into this buffer (max JPEG width 0xFFFF pixels * 4 bytes/pixel for common color spaces, reduced by internal 1/8 scaling), leading to a heap buffer overflow.
Exploitation Scenario: Requires Bluetooth pairing between the attacker's device and the IVI. An attacker can use a Raspberry Pi with the nOBEX tool to emulate the Phone Book Access Profile (PBAP) and Hands-Free Profile (HFP). By sending a malicious vCard with a specially crafted JPEG image (using CMYK color space and max quality for predictable data), the overflow can be triggered. The main binary and libjpeg library are not position-independent executables and lack control flow integrity/pointer guard mitigations, simplifying exploitation.
Impact: Enables arbitrary code execution on the IVI as the unprivileged 'phone' user. This is achieved by manipulating the heap to place libjpeg object pools after the scanline_buffer, overwriting a function pointer, and triggering its use for Jump-Oriented Programming (JOP) and Return-Oriented Programming (ROP).
Credits: Identified by Artem Ivachev.
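The following C snippet is an added illustration, not code from the MIB3 picserver or phone binaries and not from PCAutomotive. It places the two EXIF integer checks from section 1 and the row-buffer sizing from section 2 in their unsafe form beside a corrected form. Only the 0x4000 buffer size, the 32-bit tag_data_offset/tag_data_size fields and the 2-byte-minus-2 length come from the advisory; the function names, the file-size bound and the scaling arithmetic (libjpeg derives output_width by ceiling division of image_width * scale_num / scale_denom) are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustrative checks; names are assumptions, not the MIB3 source. */
#define SCANLINE_BUFFER_SIZE 0x4000u  /* fixed row buffer size cited in the advisory */

/* Pattern behind CVE-2023-28902: a 2-byte length minus 2, used unsigned.
 * Values 0 and 1 wrap to a huge allocation size. Kept only for comparison. */
size_t exif_payload_len_unsafe(uint16_t stored_len) {
    return (size_t)(uint32_t)(stored_len - 2u);
}

/* Hardened: a length that cannot hold the 2-byte count itself is malformed. */
bool exif_payload_len(uint16_t stored_len, size_t *out) {
    if (stored_len < 2) return false;
    *out = (size_t)stored_len - 2;
    return true;
}

/* Pattern behind CVE-2023-28903: offset + size computed in 32 bits wraps,
 * so a tag far past the end of the file passes the comparison. */
bool tag_in_bounds_unsafe(uint32_t tag_data_offset, uint32_t tag_data_size, uint32_t file_size) {
    return tag_data_offset + tag_data_size <= file_size;
}

/* Hardened: compare the size against the remaining space, which cannot wrap. */
bool tag_in_bounds(uint32_t tag_data_offset, uint32_t tag_data_size, uint32_t file_size) {
    if (tag_data_offset > file_size) return false;
    return tag_data_size <= file_size - tag_data_offset;
}

/* libjpeg-style output width: ceil(image_width * scale_num / scale_denom). */
uint32_t scaled_width(uint32_t image_width, uint32_t scale_num, uint32_t scale_denom) {
    if (scale_denom == 0) return 0;
    return (uint32_t)(((uint64_t)image_width * scale_num + scale_denom - 1) / scale_denom);
}

/* Bytes one decoded row needs: output_width * output_components. */
size_t row_bytes(uint32_t output_width, uint32_t output_components) {
    return (size_t)output_width * output_components;
}

/* Does a row fit the fixed 0x4000-byte buffer the advisory describes? */
bool row_fits_fixed_buffer(uint32_t output_width, uint32_t output_components) {
    return row_bytes(output_width, output_components) <= SCANLINE_BUFFER_SIZE;
}

/* Hardened allocation: size the row buffer from the geometry the decoder
 * reports after start-of-decompression instead of from a constant. */
uint8_t *alloc_row_buffer(uint32_t output_width, uint32_t output_components, size_t *len) {
    size_t n = row_bytes(output_width, output_components);
    if (n == 0 || n > SIZE_MAX / 2) return NULL;
    uint8_t *buf = malloc(n);
    if (buf && len) *len = n;
    return buf;
}

int main(void) {
    uint32_t w = scaled_width(0xFFFF, 1, 8);  /* largest JPEG width at 1/8 scaling */
    size_t len = 0;
    uint8_t *buf = alloc_row_buffer(w, 4, &len);  /* 4 components, e.g. CMYK */
    printf("scaled width %u, row %zu bytes, fits 0x4000: %s\n", w, row_bytes(w, 4),
           row_fits_fixed_buffer(w, 4) ? "yes" : "no");
    printf("bounds check on wrapping offset: unsafe=%d hardened=%d\n",
           tag_in_bounds_unsafe(0xFFFFFFF0u, 0x20u, 0x1000u), tag_in_bounds(0xFFFFFFF0u, 0x20u, 0x1000u));
    printf("exif length for stored value 1: unsafe=%zu\n", exif_payload_len_unsafe(1));
    free(buf);
    return 0;
}
```

Build with `cc -std=c99 -o picchecks picchecks.c`. The point of the hardened forms is that every comparison is made against remaining space (file_size minus offset, or the decoder's own geometry), never against a sum or difference that can wrap.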
3. Code Execution via a Chain of Bugs in Bluetooth Stack
CVE IDs: CVE-2023-28908 (Integer overflow in non-fragmented data), CVE-2023-28909 (Integer overflow leading to MTU bypass), CVE-2023-28910 (Disabled abortion flag)
CVSS 3.1 Scores: 5.4 (Medium), 8.0 (High), 8.0 (High) respectively
Description: These vulnerabilities affect the tsd.bt.phone.mib3 binary, which manages Bluetooth communications.
CVE-2023-28908 (Integer Overflow in Non-Fragmented Data): Occurs when processing non-fragmented Host Controller Interface (HCI) packets. The pLink->rxLen variable, which tracks the total received size, can be overflowed to a small value even though the actual packet data does not change.
CVE-2023-28909 (Integer Overflow leading to MTU Bypass): Applies to fragmented channels. When HCI ACL fragments arrive, pLink->rxLen (total received size) is recalculated and can be overflowed. An attacker can send fragmented HCI ACL packets to overflow pLink->rxLen, thereby bypassing the channel's MTU validation.
CVE-2023-28910 (Disabled Abortion Flag): The Bluetooth stack uses BGLOG_Assert for error handling. However, the global bAbortion flag is set to 0 during Bluetooth host initialization, preventing process termination even when critical assertions fail. This allows an overflow to happen in the AVDTP incoming data handler without crashing the process.
Exploitation Scenario: Requires Bluetooth pairing with the IVI; the vulnerable path is reached over the AVDTP protocol.
Impact: These vulnerabilities can be chained to achieve code execution on the MIB3 IVI as the low-privileged 'phone' user, similar to CVE-2023-28905. This allows an attacker to force the IVI to connect to their Wi-Fi hotspot and gain shell access to the system.
Credits: Identified by Mikhail Evdokimov.
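As an added example (not the MIB3 Bluetooth stack's code and not from PCAutomotive), the following C reassembly routine for HCI ACL fragments bounds the received length (rx_len, modelling pLink->rxLen) by the space remaining in the announced PDU rather than by a sum that can wrap, and returns an error instead of relying on an assertion that a global flag could silence. The struct layout, function names, the 672-byte MTU and the sample fragments are all constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative per-channel reassembly state; names are assumptions. */
struct link {
    uint16_t mtu;       /* negotiated channel MTU; rx_len must never exceed it */
    uint16_t expected;  /* PDU length announced by the start fragment */
    uint16_t rx_len;    /* bytes accumulated so far (the advisory's pLink->rxLen) */
    uint8_t *buf;       /* reassembly buffer of mtu bytes */
};

/* Pattern behind CVE-2023-28908/28909: adding the fragment length in the
 * same 16-bit width as rx_len wraps, so the MTU comparison still passes. */
bool accept_fragment_unsafe(uint16_t rx_len, uint16_t frag_len, uint16_t mtu) {
    uint16_t new_len = (uint16_t)(rx_len + frag_len);
    return new_len <= mtu;
}

bool link_init(struct link *l, uint16_t mtu) {
    memset(l, 0, sizeof *l);
    l->buf = calloc(mtu, 1);
    l->mtu = l->buf ? mtu : 0;
    return l->buf != NULL;
}

void link_free(struct link *l) { free(l->buf); l->buf = NULL; }

/* Start fragment: the announced length is bounded by the MTU and the first
 * chunk by the announced length, so the buffer can never be exceeded later. */
int acl_start(struct link *l, uint16_t announced_len, const uint8_t *frag, uint16_t frag_len) {
    if (announced_len > l->mtu || frag_len > announced_len) return -1;
    l->expected = announced_len;
    memcpy(l->buf, frag, frag_len);
    l->rx_len = frag_len;
    return 0;
}

/* Continuation fragment: compare against the remaining space, never a sum.
 * A violated invariant is a hard error for this channel; the advisory notes
 * the original stack's assert could be disabled, so the check itself must
 * refuse the data rather than delegate to an assert. */
int acl_continue(struct link *l, const uint8_t *frag, uint16_t frag_len) {
    uint16_t remaining = (uint16_t)(l->expected - l->rx_len);
    if (l->expected == 0 || l->rx_len > l->expected || frag_len > remaining) {
        l->rx_len = 0;
        l->expected = 0;
        return -1;
    }
    memcpy(l->buf + l->rx_len, frag, frag_len);
    l->rx_len = (uint16_t)(l->rx_len + frag_len);
    return 0;
}

bool pdu_complete(const struct link *l) { return l->expected != 0 && l->rx_len == l->expected; }

/* Constructed case: a 600-byte PDU in two fragments on a 672-byte MTU channel. */
int demo_reassembly(void) {
    struct link l;
    uint8_t a[100], b[500];
    memset(a, 0xAA, sizeof a);
    memset(b, 0xBB, sizeof b);
    if (!link_init(&l, 672)) return -1;
    int ok = acl_start(&l, 600, a, sizeof a) == 0 && acl_continue(&l, b, sizeof b) == 0 &&
             pdu_complete(&l) && l.buf[599] == 0xBB;
    link_free(&l);
    return ok ? 1 : 0;
}

/* Constructed case: a continuation whose length would wrap rx_len is refused
 * before any copy, and the channel state is reset. */
int demo_oversized_rejected(void) {
    struct link l;
    uint8_t a[100];
    memset(a, 0xAA, sizeof a);
    if (!link_init(&l, 672)) return -1;
    int rejected = acl_start(&l, 600, a, sizeof a) == 0 && acl_continue(&l, a, 0xFFF0) == -1 && l.rx_len == 0;
    link_free(&l);
    return rejected ? 1 : 0;
}

int main(void) {
    printf("unsafe check accepts wrapped length: %d\n", accept_fragment_unsafe(0xFFF0, 0x20, 672));
    printf("reassembly ok: %d, oversized rejected: %d\n", demo_reassembly(), demo_oversized_rejected());
    return 0;
}
```

The first printed line shows why the wrapped sum passes: 0xFFF0 + 0x20 truncated to 16 bits is 0x10, well under the MTU. The hardened path never forms that sum.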
4. Privilege Escalation via Flaws in Custom IPC Mechanism
CVE IDs: CVE-2023-28906 (Command injection in networking service), CVE-2023-29113 (Lack of access control in custom IPC mechanism)
CVSS 3.1 Scores: 7.8 (High), 6.3 (Medium) respectively
Description: The MIB3 IVI Linux processes use a custom Inter-Process Communication (IPC) mechanism for remote procedure calls between services on the R-CAR M3 System-on-Chip (SoC).
CVE-2023-29113 (Lack of Access Control): This IPC mechanism lacks any privilege checking. Any process that can initialize this mechanism can call any remote procedure from any service using it.
CVE-2023-28906 (Command Injection): The tsd.networking.mib3 service had a remote procedure that called popen with partially controlled user input.
Exploitation Scenario: By exploiting the lack of access control (CVE-2023-29113), an attacker can call the vulnerable remote procedure in the networking service (CVE-2023-28906).
Impact: This command injection allows attackers to escalate privileges to those of the networking service. Since the networking service has the CAP_SYS_MODULE capability and the Linux kernel is compiled without kernel module signature verification, this can be used to load a custom kernel module and achieve unrestricted root privileges on the device.
Credits: Identified by Artem Ivachev and Mikhail Evdokimov.
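Two controls that the findings in this section call for, written as an added C example (not code from tsd.networking.mib3 or from PCAutomotive): a peer-credential check on the IPC endpoint, which assumes the transport is an AF_UNIX socket on Linux so that SO_PEERCRED is available, and a remote procedure that validates its interface-name argument against an allow-list and builds a fixed argv for exec-style execution instead of handing a string to popen. The struct and function names, the ip command line and the sample inputs are assumptions made for the example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Layout of the Linux SO_PEERCRED result (struct ucred), declared locally so
 * the block compiles regardless of feature macros. */
struct peer_cred { pid_t pid; uid_t uid; gid_t gid; };

/* IPC access control: only a caller running as allowed_uid may invoke a
 * privileged procedure. Assumes an AF_UNIX socket transport (illustrative). */
bool peer_authorized(int sock, uid_t allowed_uid) {
    struct peer_cred c;
    socklen_t len = sizeof c;
    if (getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &c, &len) != 0 || len != sizeof c) return false;
    return c.uid == allowed_uid;
}

/* Allow-list for an interface-name argument: at most IFNAMSIZ-1 characters
 * from a fixed alphabet, so no shell metacharacter can ever be accepted. */
bool valid_ifname(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 15) return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char ch = (unsigned char)s[i];
        if (!isalnum(ch) && ch != '_' && ch != '-' && ch != '.') return false;
    }
    return true;
}

/* Pattern behind CVE-2023-28906: caller input spliced into a command line
 * destined for popen(). Shown only as a string builder; never executed here. */
int build_shell_command_unsafe(char *out, size_t cap, const char *ifname) {
    return snprintf(out, cap, "ip link set %s up", ifname);
}

/* Hardened: validate first, then build a fixed argv for execv()-style
 * execution with no shell in between. Returns argc, or -1 on rejection. */
int build_argv(const char *ifname, const char *argv[], size_t cap) {
    if (cap < 6 || !valid_ifname(ifname)) return -1;
    argv[0] = "/sbin/ip";
    argv[1] = "link";
    argv[2] = "set";
    argv[3] = ifname;
    argv[4] = "up";
    argv[5] = NULL;
    return 5;
}

/* Constructed self-check over a socketpair: our own uid is accepted as the
 * peer, any other uid is refused. Returns 1 on success, -1 if no socketpair. */
int demo_peer_check(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    int ok = peer_authorized(sv[0], getuid()) && !peer_authorized(sv[1], getuid() + 1);
    close(sv[0]);
    close(sv[1]);
    return ok ? 1 : 0;
}

int main(void) {
    char cmd[64];
    const char *argv[6];
    build_shell_command_unsafe(cmd, sizeof cmd, "eth0;x");  /* constructed input with a shell separator */
    printf("unsafe command line would be: %s\n", cmd);
    printf("argv build for \"eth0;x\": %d, for \"eth0\": %d\n",
           build_argv("eth0;x", argv, 6), build_argv("eth0", argv, 6));
    printf("peer credential check: %d\n", demo_peer_check());
    return 0;
}
```

A real service would call peer_authorized on the accepted socket before dispatching any procedure, and would pass the argv from build_argv to posix_spawn or fork/execv with an empty environment. Note that peer uid alone does not bound what a compromised 'phone' process can ask for; the procedure table itself should map each caller to the procedures it is allowed to reach.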
5. Persistence via Secure Boot Bypass
CVE ID: CVE-2023-28904
CVSS 3.1 Score: 5.2 (Medium)
Description: This vulnerability is found in the bootloader binary bl2.bin of the MIB3 IVI. The MIB3 system's secure boot is based on Renesas ARM Trusted Firmware for R-Car M3 SoCs. To save space, some boot images are stored in a LZ4-compressed format with a proprietary PCCP header. The critical flaw is that signature verification (which uses the image size from the certificate) occurs after decompression (which uses the image size from the PCCP header). The PCCP header itself is not signed.
Exploitation Scenario: An attacker can craft an LZ4 archive by appending arbitrary content to a compressed image. Because the decompression size (from the PCCP header) can be larger than the signed size (from the certificate), the signature verification will still succeed, but the decompressed image in RAM will contain the added malicious data. This allows overwriting already verified and running images in memory or appending malicious data to valid signed images. For example, by modifying the initrd CPIO archive, which Linux unpacks during boot, an attacker can add or overwrite files, including the init script, despite dm-verity protection on the root filesystem. The Linux unpacker for initrd does not stop at the "TRAILER!!!" file, allowing additional records to be appended.
Impact: When chained with other vulnerabilities (such as the privilege escalation), this allows an attacker to gain persistent root code execution on the MIB3 system by modifying the SPI memory containing boot images. This allows for actions like permanently disabling PAM authentication for UART login.
Credits: Identified by Danila Parnishchev and Polina Smirnova.
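The following is a toy model added as an example; it is not taken from bl2.bin, from Renesas ARM Trusted Firmware or from PCAutomotive. A run-length codec stands in for LZ4 and a 32-bit FNV-1a digest stands in for the certificate's signature. It contrasts the ordering the advisory describes (decompress to the unsigned PCCP header's size, then verify only the certificate's size) with a loader that requires the header's size to equal the signed size, caps the decoder at that size, and verifies every byte placed in RAM. The structure names and the sample image are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct pccp_header {            /* unsigned; read from flash as-is (assumed layout) */
    uint32_t compressed_size;
    uint32_t decompressed_size;
};

struct image_cert {             /* authenticated before use (assumed layout) */
    uint32_t image_size;        /* size of the image the signer actually covered */
    uint32_t digest;            /* stand-in for the signature */
};

/* FNV-1a, a stand-in for the signed digest; not a security primitive. */
uint32_t digest32(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Toy decoder standing in for LZ4: input is (count, byte) pairs. Returns the
 * number of bytes written, or SIZE_MAX if output would exceed out_cap. */
size_t rle_decode(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap) {
    size_t w = 0;
    if (in_len % 2) return SIZE_MAX;
    for (size_t i = 0; i < in_len; i += 2) {
        size_t count = in[i];
        if (count > out_cap - w) return SIZE_MAX;
        memset(out + w, in[i + 1], count);
        w += count;
    }
    return w;
}

/* Ordering behind CVE-2023-28904: decompress to the unsigned header's size,
 * then verify only cert->image_size bytes, so trailing output is never checked. */
int load_image_vulnerable(const uint8_t *blob, const struct pccp_header *h,
                          const struct image_cert *c, uint8_t *ram, size_t ram_cap) {
    if (h->decompressed_size > ram_cap) return -1;
    size_t n = rle_decode(blob, h->compressed_size, ram, h->decompressed_size);
    if (n != h->decompressed_size || c->image_size > n) return -1;
    return digest32(ram, c->image_size) == c->digest ? 0 : -1;
}

/* Hardened: the unsigned header may only restate what the signed certificate
 * says; the decoder is capped at the signed size; everything in RAM is verified,
 * and RAM is wiped if verification fails. */
int load_image_hardened(const uint8_t *blob, const struct pccp_header *h,
                        const struct image_cert *c, uint8_t *ram, size_t ram_cap) {
    if (h->decompressed_size != c->image_size || c->image_size > ram_cap) return -1;
    size_t n = rle_decode(blob, h->compressed_size, ram, c->image_size);
    if (n != c->image_size) return -1;
    if (digest32(ram, n) != c->digest) { memset(ram, 0, n); return -1; }
    return 0;
}

/* Constructed sample: a 4-byte image "BOOT", and a copy with two extra records. */
static const uint8_t genuine[]  = {1, 'B', 1, 'O', 1, 'O', 1, 'T'};
static const uint8_t extended[] = {1, 'B', 1, 'O', 1, 'O', 1, 'T', 1, 'X', 1, 'Y'};

int demo_genuine_accepted(void) {
    struct image_cert c = {4, digest32((const uint8_t *)"BOOT", 4)};
    struct pccp_header h = {sizeof genuine, 4};
    uint8_t ram[16];
    return load_image_hardened(genuine, &h, &c, ram, sizeof ram);  /* 0 = accepted */
}

/* Returns 1 when the vulnerable loader accepts the extended image while the
 * hardened loader rejects it both with an honest header (size 6) and with a
 * header that lies about the size (4), where the capped decoder overflows. */
int demo_extended_rejected(void) {
    struct image_cert c = {4, digest32((const uint8_t *)"BOOT", 4)};
    struct pccp_header honest = {sizeof extended, 6}, lying = {sizeof extended, 4};
    uint8_t ram[16];
    int vuln = load_image_vulnerable(extended, &honest, &c, ram, sizeof ram);
    int hard1 = load_image_hardened(extended, &honest, &c, ram, sizeof ram);
    int hard2 = load_image_hardened(extended, &lying, &c, ram, sizeof ram);
    return (vuln == 0 && hard1 == -1 && hard2 == -1) ? 1 : 0;
}

int main(void) {
    printf("genuine image, hardened loader: %d\n", demo_genuine_accepted());
    printf("extended image: vulnerable accepts and hardened rejects: %d\n", demo_extended_rejected());
    return 0;
}
```

In a production boot chain the signature would additionally be checked over the stored (compressed) blob before any decoder runs on it; the toy keeps only the size-agreement and bounded-decode rules because those are the ones the advisory's ordering bug violates.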
6. Access to CAN Bus due to Lack of Virtual Memory Isolation
CVE ID: CVE-2023-28907
CVSS 3.1 Score: 6.7 (Medium)
Description: The MIB3 system's R-CAR M3 SoC includes a dedicated CARCOM CPU core for CAN bus communication and the main OS cores (running Linux). Both CARCOM and the main cores share a common physical memory address space, and there are no access restrictions for the main (Linux) OS to read or modify CARCOM's physical memory.
Exploitation Scenario: If the main Linux OS is compromised (e.g., gaining root privileges through prior vulnerabilities), an attacker can directly modify the CARCOM chip's physical memory.
Impact: Allows an attacker to achieve code execution within the CARCOM system and gain the ability to read and write to the Infotainment CAN bus of the vehicle. However, the CAN3 gateway typically filters traffic, preventing impact on safety-critical CAN buses like powertrain or sensors.
Credits: Identified by Artem Ivachev.
7. Exfiltration of Phone Contact Database
CVE ID: CVE-2023-28912
CVSS 3.1 Score: 5.7 (Medium)
Description: The infotainment system stores phonebook information from paired smartphones in clear text. This includes contact names, phone numbers, email addresses, and profile pictures. The data is stored in a SQLite database at /var/lib/tsd.bt.phone.mib3/database, with profile pictures located in /var/lib/tsd.bt.phone.mib3/photo/.
Exploitation Scenario: An attacker can extract the car user’s contact database by compromising the IVI. This can be achieved remotely using one of the vulnerabilities described in this advisory, or physically by dumping the eMMC memory of the MIB3 unit.
Impact: Sensitive user contact data can be exfiltrated.
Credits: Identified by Artem Ivachev and Mikhail Evdokimov.
Vulnerability Chaining
The vulnerabilities described can be chained to achieve significant impact. For instance, a Bluetooth-based attack requires pairing as a prerequisite to achieve initial code execution as the ‘phone' user (CVE-2023-28905, CVE-2023-28909, CVE-2023-28910). This can then be escalated to root privileges using command injection and IPC flaws (CVE-2023-28906, CVE-2023-29113). Root access allows for persistence via secure boot bypass (CVE-2023-28904) and access to the CAN bus (CVE-2023-28907). The clear-text phonebook information (CVE-2023-28912) can then be accessed and exfiltrated. Denial of Service (DoS) attacks on the MIB3 ECU can also be achieved via Bluetooth (CVE-2023-28911) or locally via USB (CVE-2023-28902, CVE-2023-28903).
Disclosure Timeline
The vulnerabilities were reported to Volkswagen in March 2023.
07.03.2023: Vulnerabilities reported to [email protected].
11.04.2023: Volkswagen requested additional details.
26.04.2023: PCAutomotive sent clarifications to Volkswagen.
22.06.2023: First meeting between PCAutomotive and Volkswagen. Volkswagen confirmed the findings, and remediation was reported to be in progress.
Beginning of 2024: Volkswagen informed PCAutomotive that the vulnerabilities were remediated.
08.2024: PCAutomotive applied to Black Hat Europe and informed Volkswagen.
12.12.2024: Public disclosure of the findings at Black Hat Europe 2024.
Credits
The research and discovery of these vulnerabilities are the result of the collaborative effort of the PCAutomotive security team.
Artem Ivachev: Senior Security Researcher
Danila Parnishchev: Head of Security Research/Assessment
Mikhail Evdokimov: Senior Security Researcher
Polina Smirnova: Senior Security Researcher
Aleksei Stennikov, Radu Motspan, Abdellah Benotsmane
References
Advisory Details
Affected Products: VW MIB3
Published: Jun 28, 2025