The exploit requires hackers to first compromise a mechanic’s diagnostic computer externally, or plug in a malicious USB device. The hack allows intruders to conceal the disabling of airbags from mechanics by falsifying diagnostic read outs from the car. Buttyán says the most recent example of a more dangerous compromise was the recent dramatic remote hacking of Jeep engines which were disabled at high speed, had their brake operating systems seized, and locks popped. He says the third-party software used in the hack his team demonstrated is widely-used and compatible with cars sold by the Volkswagen Group. “It works with other cars in the VW group too without any modification. Anything that can be switched on or off from the diagnostic application could have been switched on or off. After switching off the airbag, we can consistently report to the application that it is still switched on.” Buttyán says the flaw “has nothing to do with VW itself” but is contained in “third-party software”. “It is not the specific software which makes our work interesting, but the main message that embedded devices are typically managed from PCs and they can be infected and used as stepping stones.” says Buttyán.
