Volkswagen Group MIB3 Infotainment Clear-Text Phonebook Exfiltration Vulnerability
Vulnerability
A vulnerability exists in the Volkswagen Group MIB3 in-vehicle infotainment (IVI) system, specifically in units manufactured by Preh Car Connect GmbH. This vulnerability allows for the exfiltration of phonebook information from paired smartphones, including contact names, phone numbers, email addresses, and profile pictures. The data is stored in clear text within a SQLite database on the IVI system. The vulnerability affects several OEM part numbers, including those used in various Volkswagen and Skoda models.
Impact
Exploitation of this vulnerability allows for the unauthorized access and extraction of sensitive contact information from the vehicle owner's smartphone, stored in clear text on the MIB3 infotainment system.
Reproduction
The vulnerability can be reproduced by pairing a smartphone with the affected MIB3 infotainment unit. Once paired, the IVI system will synchronize the phonebook data via Bluetooth, storing it in clear text on the IVI's filesystem. This contact database can then be accessed and exfiltrated, either remotely through a compromised IVI system or physically by dumping the eMMC memory where the data is stored.
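A data-at-rest check for the condition described above, as an added example (not code from the advisory or the vendor): it reports which columns of a SQLite file hold e-mail- or phone-like text that is readable without a key, so a storage fix can be verified on a test unit. The table and column names and the sample rows are constructed; the advisory does not give the real database schema.

```python
import os
import re
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # header of an unencrypted SQLite file
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+?\d[\d\s()-]{6,}\d"),
}

def is_plaintext_sqlite(path):
    """True if the file starts with the standard, unencrypted SQLite header."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC

def find_cleartext_pii(path):
    """Return {(table, column, kind): rows} for PII-like text readable without a key."""
    hits = {}
    if not is_plaintext_sqlite(path):
        return hits  # not a plain SQLite file, so nothing is readable this way
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        tables = con.execute("SELECT name FROM sqlite_master WHERE type='table'")
        for (table,) in tables.fetchall():
            cur = con.execute(f'SELECT * FROM "{table}"')
            cols = [d[0] for d in cur.description]
            for row in cur:
                for col, val in zip(cols, row):
                    for kind, rx in PII_PATTERNS.items():
                        if isinstance(val, str) and rx.search(val):
                            hits[(table, col, kind)] = hits.get((table, col, kind), 0) + 1
    finally:
        con.close()
    return hits

def build_sample_db():
    """Constructed sample data; table and column names are hypothetical."""
    path = os.path.join(tempfile.mkdtemp(), "sample_contacts.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE contacts (name TEXT, number TEXT, email TEXT)")
    con.executemany("INSERT INTO contacts VALUES (?, ?, ?)", [
        ("Alice Example", "+49 170 0000001", "alice@example.com"),
        ("Bob Example", "+49 170 0000002", None),
    ])
    con.commit()
    con.close()
    return path
```

An empty result means only that nothing was readable as plain SQLite; it does not show how the data is protected.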
