Body Background
TrendAI™ Zero Day Initiative™ Logo

Volkswagen Customer-Link App Protection Mechanism Failure CAN Message Injection Vulnerability

February 27th, 2018
ZDI-18-214 ZDI-CAN-5264

CVE ID

CVE-2018-1170

CVSS Score

8.3 AV:A/AC:L/Au:N/C:C/I:C/A:C

Affected Vendors

Volkswagen

Affected Products

Customer-Link App

Vulnerability Details


This vulnerability allows adjacent attackers to inject arbitrary Controller Area Network messages on vulnerable installations of Volkswagen Customer-Link App and HTC Customer-Link Bridge. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the Customer-Link App and Customer-Link Bridge. The issue results from the lack of a proper protection mechanism against unauthorized firmware updates. An attacker can leverage this vulnerability to inject CAN messages.

Additional Details


Fixed in version 2.08


Disclosure Timeline

  • 2017-10-18 - Vulnerability reported to vendor
  • 2018-02-27 - Coordinated public release of advisory
  • 2018-02-27 - Advisory Updated

Credit

Aaron Luo
Spencer Hsieh (TrendMicro)

Back to Advisories

Hero Background

Stand at the front line of proactive security

Trend ZDI connects the experts who discover, remediate, and defend.
Add your voice to the work that pushes attackers back.

RESEARCHERS

Submit a vulnerability

VENDORS

Learn how it works

ORGANIZATIONS

See how you're protected