Jump to content

SmartGate security


Recommended Posts

Might be worth heeding this advise from Trend Micro regarding security issues with the current version of SmartGate found in the Mk3. Basically, the information that the owner/driver can get from the car is relatively accessible by those outside the car, as its broadcast over WiFi with a breakable password. Not on the scale of Jeep, but privacy issues instead and you could also be locked out of the system all together.

"Right now, Trend Micro recommends all owners of Škoda cars that support SmartGate (in Germany it’s the Fabia, Octavia, Yeti and Superb, but it may vary in different countries) to do the following, where at least step 1 is highly recommended:

1.Change the Wi-Fi transmission (Wi-Fi TX) power to 10%

2.Change the Wi-Fi password and change the Wi-Fi Direct PIN (if Wi-Fi Direct is supported)

3.Change the Wi-Fi network name

SmartGate is currently rolled out to other Škoda car models, so it is high time for Škoda to take action as well. These are good places to look into:

1.Re-consider to set the Wi-Fi TX power to 10% as default via a firmware update.

2.Add a strong recommendation in the car’s manual for owners to change the password and PIN.

3.Design an “on/off” switch for SmartGate."

More details here:

http://blog.trendmicro.com/trendlabs-security-intelligence/is-your-car-broadcasting-too-much-information/

Link to comment
Share on other sites

interesting, what about those running a Bluetooth OBDII dongle and Torque app on a phone, will that have a similar vulnerability?

 

bearing in mind I believe there is a limited ability to read codes and clear them with the app?

Link to comment
Share on other sites

interesting, what about those running a Bluetooth OBDII dongle and Torque app on a phone, will that have a similar vulnerability?

bearing in mind I believe there is a limited ability to read codes and clear them with the app?

If you leave it plugged in permanently and not connected to your phone I think the same would apply. I'm not sure if there is a limit on how many devices can connect to the dongle at the same time.

I think the thing with the SmartGate though is that multiple devices can connect at the same time.

Neither are going to be 100% secure though, so you've just got to bear they in mind. Trouble is most people wont be aware of it!

Link to comment
Share on other sites

Might be worth heeding this advise from Trend Micro regarding security issues with the current version of SmartGate found in the Mk3. Basically, the information that the owner/driver can get from the car is relatively accessible by those outside the car, as its broadcast over WiFi with a breakable password. Not on the scale of Jeep, but privacy issues instead and you could also be locked out of the system all together.

"Right now, Trend Micro recommends all owners of Škoda cars that support SmartGate (in Germany it’s the Fabia, Octavia, Yeti and Superb, but it may vary in different countries) to do the following, where at least step 1 is highly recommended:

1.Change the Wi-Fi transmission (Wi-Fi TX) power to 10%

2.Change the Wi-Fi password and change the Wi-Fi Direct PIN (if Wi-Fi Direct is supported)

3.Change the Wi-Fi network name

SmartGate is currently rolled out to other Škoda car models, so it is high time for Škoda to take action as well. These are good places to look into:

1.Re-consider to set the Wi-Fi TX power to 10% as default via a firmware update.

2.Add a strong recommendation in the car’s manual for owners to change the password and PIN.

3.Design an “on/off” switch for SmartGate."

More details here:

http://blog.trendmicro.com/trendlabs-security-intelligence/is-your-car-broadcasting-too-much-information/

 

So how do we do those 3 steps?  Anyone got some video instructions?  I am tempted to back to the dealer and have them pull out the module completely from the car quite frankly..

Link to comment
Share on other sites

So how do we do those 3 steps?  Anyone got some video instructions?  I am tempted to back to the dealer and have them pull out the module completely from the car quite frankly..

 

I'd love to help you, but I'm just the messenger unfortunately! Dealer should know how to do this, but it's highly unlikely anyone in Skoda/VW has realised this issue yet. Perhaps take the list of things recommended and just ask them to do it?

I have posted the link on the SUK facebook page but have yet to get a response.  My bet is on my post being deleted! :p

Link to comment
Share on other sites

I'd love to help you, but I'm just the messenger unfortunately! Dealer should know how to do this, but it's highly unlikely anyone in Skoda/VW has realised this issue yet. Perhaps take the list of things recommended and just ask them to do it?

I have posted the link on the SUK facebook page but have yet to get a response.  My bet is on my post being deleted! :p

 

Having re-read the link you posted.. it says something about the Smartgate module being under the drivers seat..?  Would be good to know how to get to it.  I've just downloaded the Smartgate app to my Samsung, so I can possibly connect and change passwords and broadcast names, if it's as straight forward as what skoda-auto page says it is..

Link to comment
Share on other sites

As I posted in another thread I would say it is not really smartlink/smartgate that is the problem as it has a factory set password (admittedly not difficult to find if you see the car) and the ability to do damage is limited as smartgate information seems to go only one way (you can only read information AFAIK)


 


However the MIB2 Columbus comes with a WLAN mobile hotspot functionality which is eminently hackable. You can secure it with WPA/WPA2 but it arrives set to "no security level"


 


I wonder how many people bother to set a password for these things??


  • Like 1
Link to comment
Share on other sites

 

As I posted in another thread I would say it is not really smartlink/smartgate that is the problem as it has a factory set password (admittedly not difficult to find if you see the car) and the ability to do damage is limited as smartgate information seems to go only one way (you can only read information AFAIK)

 

However the MIB2 Columbus comes with a WLAN mobile hotspot functionality which is eminently hackable. You can secure it with WPA/WPA2 but it arrives set to "no security level"

 

I wonder how many people bother to set a password for these things??

 

Setting passwords on these things should be done by the dealer with the customer as the car is being collected..it would make sense.

Link to comment
Share on other sites

Setting passwords on these things should be done by the dealer with the customer as the car is being collected..it would make sense.

I agree, but in my experience neither Skoda UK or any dealers I spoke to had a clue about smartgate, smart link or MIB2 so I wouldn't hold my breath that you would find one that could set the WPA2 password on the car even if you found one that knew the function existed.

Link to comment
Share on other sites

I agree, but in my experience neither Skoda UK or any dealers I spoke to had a clue about smartgate, smart link or MIB2 so I wouldn't hold my breath that you would find one that could set the WPA2 password on the car even if you found one that knew the function existed.

 

Do you know where the exact location of the so-called .ota update files are hosted on Skoda's websites for Smartgate.. ?

Link to comment
Share on other sites

It would appear I've made Smartgate completely unhackable to the outside world.. I had set the transmit power down to 5%, changed the broadcast name, the channel and added a new password.. great, worked a treat.. however, I thought going from a 17 character password to something else would be a little less secure, especially if it didn't have mixed case, numbers, or a special characters..

 

It would appear underscores _ are not well liked.  I've not managed to get a connection to Smartgate since.  all you get is your phone or laptop, trying to connect, then authenticating and finally after saying secured, saved, it just tries to connect again.. ad infinitum.. going around in circles. 

 

So, if it stops me from connecting to it.. it'll probably stop anyone else..  the only way to reset it now, is to pull the plug on Smartgate to restore it to factory settings.

  • Like 1
Link to comment
Share on other sites

  • 1 year later...

@Gumby - great topic, and one which I'm surprised hasn't seen more activity in the past year and half (unless there is a separate thread?)

 

Has anyone else seen an update to this? I've got the 2016 Amundsen infotainment system in my VRS 230, and am concerned at the level of connectivity (outside of Bluetooth connection) that is available to potential attackers.  

 

The Trend Micro blog mentions it's possible to disconnect the cable of the SmartGate device, located underneath the driver's chair. Anyone found this / instructions to do it? (I don't want to go removing trim on a blind search for an unknown cable...)

 

Much appreciated if anyone has any further info!

Link to comment
Share on other sites

  • 1 month later...
On ‎24‎-‎01‎-‎2017 at 17:30, Ads230 said:

@Gumby - great topic, and one which I'm surprised hasn't seen more activity in the past year and half (unless there is a separate thread?)

 

Has anyone else seen an update to this? I've got the 2016 Amundsen infotainment system in my VRS 230, and am concerned at the level of connectivity (outside of Bluetooth connection) that is available to potential attackers.  

 

The Trend Micro blog mentions it's possible to disconnect the cable of the SmartGate device, located underneath the driver's chair. Anyone found this / instructions to do it? (I don't want to go removing trim on a blind search for an unknown cable...)

 

Much appreciated if anyone has any further info!

 

Í installed my Smartgate myself and it is very unhandy to get to under the drivers seat. To install the unit and wiring we had to remove the drivers seat, the trim on the footstep of the driver side, the footrest, the knee airbag and a warm air channel under the steering wheel.....and still it was one hell of a task to install the wiring.

 

If you just need to unplug the Smartgate unit you would probably need to take out the drivers seat and you will find the unit behind the Canton amplifier. You may be able to get to it woth out taking out the seat but you would need to be extremely flexible :).

 

In the picture you will see my car iwth out the front seat with a red marking where the Smartgate unit lives beneath the carpet.

 

 

Capture.JPG

Edited by MikkelF
  • Like 2
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Community Partner

×
×
  • Create New...

Important Information

Welcome to BRISKODA. Please note the following important links Terms of Use. We have a comprehensive Privacy Policy. We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.