TechCrunch News, December 12, 2024
Researchers find security flaws in Skoda cars that may let hackers remotely track them
Security researchers have found multiple vulnerabilities in the infotainment system of some Skoda models that hackers could exploit to remotely control the unit and track the vehicle's location in real time. PCAutomotive disclosed the findings, and Volkswagen has patched the vulnerabilities.

🚗 PCAutomotive found 12 new vulnerabilities in the infotainment system of the Skoda Superb III sedan

💻 An attacker can exploit the vulnerabilities over a Bluetooth connection to inject malware and obtain a range of vehicle data

📱 If contact synchronization is enabled, the vulnerabilities could also allow the owner's phone contact database to be stolen

🛡️ Volkswagen has patched the vulnerabilities; Skoda says they are being addressed and eliminated through its improvement management process

Security researchers have discovered multiple vulnerabilities in the infotainment units used in some Skoda cars that could allow malicious actors to remotely trigger certain controls and track the cars’ location in real time.

PCAutomotive, a cybersecurity firm specializing in the automotive sector, unveiled 12 new security vulnerabilities impacting the latest model of the Skoda Superb III sedan, at Black Hat Europe this week. This comes a year after the organization disclosed 9 other vulnerabilities affecting the same model. Skoda is a car brand owned by German automobile giant Volkswagen.

Danila Parnishchev, head of security assessment at PCAutomotive, told TechCrunch the vulnerabilities could be chained together and exploited by hackers to inject malware into the vehicle. An attacker would need to connect with the Skoda Superb III’s media unit via Bluetooth to exploit the flaws, Parnishchev told TechCrunch, but noted that “the attack can be performed within 10 meters without authentication.”

The vulnerabilities, discovered in the vehicle’s MIB3 infotainment unit, could allow attackers to achieve unrestricted code execution and run malicious code every time the unit starts. This could let an attacker obtain live vehicle GPS coordinates and speed data, record conversations via the in-car microphone, take screenshots of the infotainment display, and play arbitrary sounds in the car, according to PCAutomotive.

Parnishchev told TechCrunch that the flaws, which PCAutomotive verified for itself on a Superb III, also make it possible for an attacker to exfiltrate the phone contact database of the vehicle owner if they have enabled contact synchronization with their car.

“Usually phones are encrypted, so you cannot easily extract the contact database,” Parnishchev said. “In the case of the infotainment unit, you can — the contact database is stored in plaintext.”

Parnishchev noted that they did not find a way to bypass the in-vehicle network gateway restrictions to access safety-critical car controls such as the steering wheel, brakes and accelerator.

In research shared with TechCrunch before it was published on Thursday, PCAutomotive noted that the vulnerable MIB3 units are used in multiple Volkswagen and Skoda models, and based on public sales data, estimates there are potentially more than 1.4 million vulnerable vehicles out there.

However, Parnishchev said the number of vulnerable vehicles could be much higher if one considers the aftermarket component market. “If you go to eBay and search for a part number, you will find it. And if it’s the case that the previous user didn’t erase it, their contact database will be there, too,” he explained.

PCAutomotive said Volkswagen patched the vulnerabilities after they were reported through the company’s cybersecurity disclosure program.

In an emailed statement to TechCrunch, Skoda spokesperson Tom Drechsler said: “The reported vulnerabilities in the infotainment system have been and are being addressed and eliminated through continuous improvement management via the lifecycle of our products. At no time was and is there any danger to the safety of our customers or our vehicles.”
