Volkswagen Customer-Link App Protection Mechanism Failure CAN Message Injection Vulnerability
Vulnerability Details
This vulnerability allows adjacent attackers to inject arbitrary Controller Area Network messages on vulnerable installations of Volkswagen Customer-Link App and HTC Customer-Link Bridge. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the Customer-Link App and Customer-Link Bridge. The issue results from the lack of a proper protection mechanism against unauthorized firmware updates. An attacker can leverage this vulnerability to inject CAN messages.
Additional Details
Fixed in version 2.08
Disclosure Timeline
- 2017-10-18 - Vulnerability reported to vendor
- 2018-02-27 - Coordinated public release of advisory
- 2018-02-27 - Advisory Updated
Credit
Aaron Luo
Spencer Hsieh (TrendMicro)