CVE-2023-28911

CVE-2023-28911 is a vulnerability in the Bluetooth stack of MIB3 infotainment units manufactured by Preh Car Connect GmbH. The issue stems from improper validation of user-supplied data, which can trigger an arbitrary channel disconnection. This flaw was originally identified in a Skoda Superb III with unit part number 3V0035820 and verified on other MIB3 units. [1][2]

An attacker can exploit this vulnerability by sending specially crafted Bluetooth packets to the infotainment system without requiring authentication or physical access, as long as they are within Bluetooth range. The lack of proper input validation allows the attacker to force disconnection of any connected Bluetooth client. [1]

Successful exploitation results in a denial-of-service condition for all devices connected to the infotainment system via Bluetooth, disrupting functionality such as phone calls, media streaming, and navigation prompts. The attacker can repeatedly trigger disconnections, rendering the Bluetooth service unusable for the duration of the attack. [2]

Volkswagen Group has not released a public patch for this vulnerability; however, affected models include many Skoda and Volkswagen vehicles equipped with MIB3 units, such as the Skoda Superb, Octavia, and Volkswagen Passat. The list of potentially affected OEM part numbers is extensive, covering units used in over 1.4 million cars sold in 2022 alone. [1][2]