Cybersecurity researchers at PCAutomotive have uncovered twelve critical security vulnerabilities in Skoda vehicles’ MIB3 infotainment system, potentially affecting more than 1.4 million vehicles worldwide. The findings, presented at Black Hat Europe, reveal significant privacy and safety implications for vehicle owners.
Critical Vulnerabilities in the MIB3 Entertainment System
The investigation identified twelve distinct security flaws in the MIB3 multimedia unit, primarily found in the Skoda Superb III. The most concerning vulnerability allows unauthorized remote access via Bluetooth, enabling an attacker within Bluetooth range to compromise vehicle systems without physical access to the car. The flaws were responsibly disclosed to Volkswagen Group before the Black Hat presentation.
Scope of Data Exposure and Privacy Risks
The security flaws enable unauthorized access to sensitive information, including:
- Real-time vehicle GPS location tracking and speed data
- Unauthorized audio recording through the car’s built-in microphone
- Capture of infotainment system screen contents
- Access to synchronized contact databases stored in plaintext
Technical Analysis: Exploit Chains and Data Storage Flaws
Researchers demonstrated the ability to build exploit chains that inject malicious code into the vehicle’s infotainment system. Contact information is stored in plaintext in the MIB3, so anyone who can read the unit’s storage can read the synced address book directly, which significantly reduces the effort required for unauthorized data extraction. The Bluetooth pairing logic also contained implementation flaws that allow standard authentication steps to be bypassed.
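To make the storage weakness concrete, the following is an added illustration, not code from PCAutomotive, Skoda or Volkswagen Group: a synced contact database written to the head unit's filesystem in plaintext, next to one that is encrypted and authenticated at rest. The sample contacts are constructed, the `master_key` is assumed to come from a hardware keystore rather than from disk, and the HMAC-SHA256 counter-mode keystream is a standard-library stand-in for a real AEAD such as AES-GCM, chosen only so the example runs without third-party packages.

```python
# Added illustration, not code from PCAutomotive or Volkswagen Group: the
# difference between a contact database written in plaintext (what the
# research reports for the MIB3) and one encrypted and authenticated at
# rest with a key the application never stores on the filesystem.
import hashlib
import hmac
import json
import secrets

NONCE_LEN = 16   # per-write random nonce, stored alongside the ciphertext
TAG_LEN = 32     # HMAC-SHA256 authentication tag

# Constructed sample of what a phone sync might push into the head unit.
SAMPLE_CONTACTS = [
    {"name": "A. Example", "phone": "+420 555 0100"},
    {"name": "B. Example", "phone": "+420 555 0199"},
]


def plaintext_store(contacts: list[dict]) -> bytes:
    """Weak design: whoever can read the storage reads every contact."""
    return json.dumps(contacts).encode()


def _derive(master_key: bytes, label: bytes) -> bytes:
    """Split one master key into independent encryption and MAC keys (HMAC as a KDF)."""
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 used as a PRF. This is a
    stdlib-only stand-in for a real AEAD (AES-GCM, ChaCha20-Poly1305)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypted_store(master_key: bytes, contacts: list[dict]) -> bytes:
    """Encrypt-then-MAC layout: nonce || ciphertext || tag.
    master_key is assumed to live in a hardware keystore, so a dumped
    filesystem image yields only this blob and nothing to decrypt it with."""
    enc_key = _derive(master_key, b"contacts-enc")
    mac_key = _derive(master_key, b"contacts-mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    plaintext = json.dumps(contacts).encode()
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def load_encrypted(master_key: bytes, blob: bytes) -> list[dict]:
    """Verify the tag before touching the ciphertext; refuse anything modified."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("contact store blob too short")
    enc_key = _derive(master_key, b"contacts-enc")
    mac_key = _derive(master_key, b"contacts-mac")
    nonce = blob[:NONCE_LEN]
    ciphertext = blob[NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("contact store failed authentication")
    plaintext = _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))
    return json.loads(plaintext.decode())


def exposes(blob: bytes, needle: str) -> bool:
    """True when a value is readable straight out of the stored bytes."""
    return needle.encode() in blob


def tamper_detected(master_key: bytes, blob: bytes) -> bool:
    """Flip one ciphertext byte and confirm the loader refuses the blob."""
    modified = bytearray(blob)
    modified[NONCE_LEN] ^= 0x01
    try:
        load_encrypted(master_key, bytes(modified))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # stands in for a keystore-held key
    print("plaintext store leaks number:", exposes(plaintext_store(SAMPLE_CONTACTS), "+420 555 0100"))
    blob = encrypted_store(key, SAMPLE_CONTACTS)
    print("encrypted store leaks number:", exposes(blob, "+420 555 0100"))
    print("round trip ok:", load_encrypted(key, blob) == SAMPLE_CONTACTS)
    print("tamper detected:", tamper_detected(key, blob))
```

The point of the comparison is that a filesystem dump or a code-execution foothold on the infotainment unit only yields the address book when the key is recoverable from the same place; binding the key to a hardware keystore and authenticating the blob turns "read the file" into "defeat the keystore", which is the mitigation the plaintext design lacks.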
MIB3-Equipped Volkswagen Group Vehicles: Skoda, VW, and Seat Models
The vulnerable MIB3 unit is installed across multiple Volkswagen Group brands, not only Skoda. Affected models include variants of the Skoda Superb III and several Volkswagen models that share the same multimedia platform. Aftermarket availability of MIB3 units expands the attack surface further. Critical vehicle control systems — braking and steering — are isolated from the infotainment network and are not affected by these vulnerabilities.
What Vehicle Owners Should Do
- Contact your authorized Skoda or Volkswagen dealer to check whether a security update is available for your vehicle’s infotainment firmware
- Enable over-the-air update notifications in the Skoda Connect or myŠKODA app if your vehicle supports them
- Avoid pairing unknown Bluetooth devices with your vehicle’s infotainment system
- Review connected apps and revoke access for any applications you no longer use
- Until patched, avoid storing sensitive contacts or personal data in the infotainment system’s address book
Volkswagen Group has acknowledged the vulnerabilities and is actively developing security patches to be distributed through authorized dealerships and OTA updates. Updates are expected to be released according to the standard service cycle. CISA’s automotive cybersecurity guidance recommends keeping all vehicle software up to date as a baseline protection measure.