Adventures with Volkswagen’s horrible software in the ID.4

TL;DR – if you’re having issues with the user profiles not saving your settings, ignore the primary driver profile. Steps to fix.

I’ve been reading a lot of posts on Reddit and vwidtalk forums about the user profiles and how they don’t seem to work. I’ve not come across a post, though, that proposes a solution. This is what I did to finally get all the settings to work with profiles: ignore the primary driver profile.

We purchased our ID.4 at the end of July. This is Noelle’s vehicle and as such, I added her as the primary driver, and me as a secondary. She’s had non-stop issues with the seat not going back to where she wants it, or it’ll suddenly reset her ambient light settings, switch her driving mode to something else, etc. Initially, she blamed me for changing her settings and not putting them back (I take the ID.4 to shuttle kids to before-school activities, or quick errands when she isn’t using it), but then she experienced the same thing when getting into the car after work.

Oddly enough, during this whole time, my profile seemed to work just fine. When I switched to my profile, it would move my seat to the correct position. Switching to her profile, it would say it was moving the seat, but never actually did. My profile would switch back to the last driving mode I used, the last ambient light setting, etc. but switching to her profile was a roll of the dice to see what you got.

The final straw was the car locked her out of her profile because she hadn’t logged into the app recently. WTF? Why should she need to log into the app at all? It prompted her for an “S-PIN” and when she couldn’t remember it, it completely locked her out and she could only use the guest profile. At this point, I decided to factory reset the infotainment center and start over from the beginning.

I reset the infotainment center and went down the path of re-adding her as the primary driver, but now the infotainment center informed me that it was loading her settings and any changes I made would not be saved. I went ahead and moved forward with setting up my profile. I came back later to her profile and it continued to state it was syncing her account, changes would be lost, etc. Sure enough, if I made a change to her profile (e.g. ambient lighting colors), switched to another profile, and then back, the changes were lost. This continued for two hours. I assumed something had to be wrong, so I reset the infotainment center again.

ID4 saying it is "loading your settings" but it was all a lie

This time though, I decided to just reset everything to zero. So not only did I factory reset the Infotainment Center, but I also deleted her account from the myVW app, as well as my account. I decided this time around to make a fake “primary” driver account, and then add her real account as a secondary driver, and it worked! Now when we switch profiles between her real profile and my profile, the car switches correctly!

Here is the complete list of steps I took:

Steps

  1. Reset the Infotainment Console to remove all previous profiles
  2. Remove all accounts from the myVW app
  3. Create a new account in the myVW app
  4. Add the primary driver account in the ID.4, following the steps in the Infotainment Console. We are going to completely ignore this profile later
  5. Create a new account via https://carnet.vw.com/ to use for the actual primary driver, NOT in the myVW app. This will require a second email address and a second phone number.
    • If you’re using Gmail, you can use the `+` trick for creating a vanity email address. If your email address is name@gmail.com, add a `+` and whatever after the account name, e.g. name+vw@gmail.com. We have to use carnet.vw.com to create the account because the myVW app flags the email address as invalid.
    • The myVW app requires a phone number it can text message but carnet does not. I used a Google Voice number for this step.
  6. In the myVW app, while still logged in as the user we created in step 3, add an authorized user to the vehicle and use the same email address from step 5
  7. In the vehicle, add a new user profile, but DO NOT USE THE QR CODE! Instead, click on the “Login with email” section in the upper right corner (see photo below)
  8. Log into the profile with the email address and password you set up in step 5. This is now your REAL primary driver profile
  9. Make sure you are in the profile, and make adjustments to the vehicle as you need (e.g. seat position, ambient lighting, driving mode, etc.)
  10. Get out of the vehicle
  11. Lock the vehicle
  12. Unlock the vehicle
  13. Get in the vehicle
  14. Press the brake pedal to start the car
  15. Repeat steps 5-14 to add and save a secondary driver profile, though now you can use a real email address and phone number for all other users

User Profile login screen in the VW ID.4 Infotainment Center

Now when we switch user profiles EVERYTHING works like we expect it to: the seat and mirrors move into the correct position, the ambient lighting changes to the colors and brightness as set, the vehicle switches to the last driving mode the user set, etc. We’ll see if it continues to work but so far, it’s still working.

_Interface Archives

Collection of articles written by me for the _Interface blog that has been decommissioned, and were not archived by the Internet Archive WAYBACK Machine. Unfortunately, many of the associated images have been lost.

Using Git to manage your site on VH

PHPCodeSniffer + PHPCompatibility For Checking Codebase Before Migration

Testing Your Codebase for the PHP7 Migration

Setting up Multiple Independent Subdomains in a WordPress Network

Cross-site Scripting: How to Prevent It

20170623 Vulnerable Plugins Report and Other News

Photo above by Joshua Earle

This week’s vulnerable plugins report.

Vulnerable Plugins

See my post over at WPCampus.org for information on this week’s report and other security news.

WordPress News

The Gutenberg Editor was released recently as a plugin for beta testing.  Please note THIS IS A BETA PLUGIN AND SHOULD NOT BE USED IN PRODUCTION.  If you’re not familiar with the Gutenberg Editor, it’s a reimagining of the post and page editor in WordPress slated for release with version 5.

“The editor will endeavour to create a new page and post building experience that makes writing rich posts effortless, and has “blocks” to make it easy what today might take shortcodes, custom HTML, or “mystery meat” embed discovery.” –Matt Mullenweg

It’s been the focus of the vast majority of the work towards WordPress core this year. Given their goals and how it appears to be working so far (they are making a TON of progress), this could drastically change how we build out sites, and how users interact with their content.


20170616 Vulnerable Plugins Report and Other News

Just FYI, I’m also posting the weekly list over at WPCampus so that the information reaches more people, specifically in Higher Education.

This week’s list.

Vulnerable Plugins

There are nine unfixed vulnerabilities across five plugins this week. The vast majority of this week’s unfixed vulnerabilities come from a single author. Unfortunately, he reused the same chunk of vulnerable code across all of his plugins. Specifically, when processing POST data, he did not include a nonce or other check to ensure that the user intended to initiate the save action, leaving his code open to a Cross-Site Request Forgery vulnerability. In addition, there is no validation, filtering or sanitization performed on the data before he saves the information to the database. He then later echoes that data back out to the browser without any escaping, leaving the code, and more importantly the user, open to Cross-Site Scripting vulnerabilities. An attacker could therefore combine these two vulnerabilities to steal an admin’s session IDs on a target WordPress site.
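To make the three defects concrete, here is an added illustration (not code from any of the plugins in the report) of the pattern described above beside a hardened version of the same settings handler. The option, field and nonce names are invented for the example.

```php
<?php
/*
 * Added illustration, not code from any plugin in this report.
 * Option name, field name and nonce action are made up for the example.
 */

// Vulnerable pattern: no nonce, no capability check, no sanitization, no escaping.
function demo_vulnerable_save_and_render() {
    if ( isset( $_POST['demo_greeting'] ) ) {
        // Any page that can make a logged-in admin's browser POST here can
        // change this value: nothing proves the admin intended the save (CSRF).
        update_option( 'demo_greeting', $_POST['demo_greeting'] );
    }
    // Whatever was stored is echoed back raw to every admin who views the page (stored XSS).
    echo '<p>' . get_option( 'demo_greeting' ) . '</p>';
}

// Hardened pattern: the same feature with the missing checks in place.
function demo_hardened_save_and_render() {
    if ( isset( $_POST['demo_greeting'] ) ) {
        // 1. CSRF: the request must carry a nonce tied to this action and this user;
        //    check_admin_referer() dies with a 403 when it is missing or invalid.
        check_admin_referer( 'demo_save_greeting', 'demo_nonce' );

        // 2. Authorization: only users allowed to manage options may change it.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions.' );
        }

        // 3. Sanitize the input before anything is written to the database.
        $greeting = sanitize_text_field( wp_unslash( $_POST['demo_greeting'] ) );
        update_option( 'demo_greeting', $greeting );
    }

    // 4. Escape at output time, using the escaper for the context it lands in.
    $greeting = get_option( 'demo_greeting', '' );
    echo '<p>' . esc_html( $greeting ) . '</p>';
    echo '<form method="post">';
    wp_nonce_field( 'demo_save_greeting', 'demo_nonce' ); // emits the hidden nonce field
    echo '<input type="text" name="demo_greeting" value="' . esc_attr( $greeting ) . '">';
    echo '<input type="submit" value="Save">';
    echo '</form>';
}
```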

Other News

Speaking of WPCampus, they just announced this week that WPCampus 2017 will be livestreamed for FREE!!  The lineup looks fantastic this year, with a ton of incredible information.  Even if you don’t work with WordPress, there are numerous sessions that are platform-agnostic.  Go ahead and block off your calendar for Friday, July 14th and make time to tune back in on Saturday, July 15th.  You definitely don’t want to miss this.

HighEdWeb also announced their schedule for the upcoming annual conference in Hartford, CT.  I’ll be doing a pre-conference workshop this year, but will otherwise not be speaking.  Instead I’m serving as co-chair for the Development, Programming and Architecture (DPA) track. And let me just warn you, the DPA track has some amazing talks lined up this year.  You should probably just go ahead and plan on staying in the track for both days.  😀

Even if you aren’t interested in DPA, HighEdWeb is always an amazing conference. I understand budgets are tight, but it is well worth your money, even if you have to pay for the trip yourself. I highly encourage you to go ahead and register today.

20170609 Vulnerable Plugins/Themes Report, WordPress 4.8

Last week’s report.

Sorry for not getting this out on Friday. Last week was… crazy.  And Friday ended up being way busier than I anticipated.

Plugins/Themes

There are four plugins this week (Count per Day, WP Testimonials, Skype Legacy Buttons, WP Posts Carousel) with known issues but no fixes currently available. WP Testimonials hasn’t been updated for four or five years, so it’s probably safe to say it isn’t going to be updated. If you’re using it, you should consider finding a replacement. The other item I want to draw attention to is the Eduma Education Theme. Since it isn’t in the WordPress plugin repository, I’m unsure if you receive an admin notification about the update. If you’re using Eduma, please make sure you update.

WordPress News

The big news last week was the release of WordPress 4.8 “Evans”. There were no security fixes in this release (at least not according to the changelog), but it does include 225 bug fixes and numerous user interface improvements. The biggest one is the introduction of Image, Video, Audio and Rich Text widgets. These new widgets will allow your end users to add media and formatted text to widget areas, where before they would have had to know HTML. They also added a REST API endpoint for the new media widgets, which opens up the possibilities for even more media-focused widgets. If you haven’t already, definitely upgrade.


20170602 Vulnerable Plugins Report and Other News

This week’s report.

Vulnerable Plugins

A couple of quick notes on some of the items in this week’s report. With the plugin eventr, versions 1.02.0 through 1.02.2 are definitely vulnerable to the SQL Injection flaws @_larry0 discovered. What’s particularly interesting is the author used prepared queries elsewhere in the codebase, even in the same file. So the author knew about prepared statements, and how to use them, but for some reason didn’t in these areas. In addition, versions 1.01.2 and earlier, while not vulnerable to the vulnerabilities @_larry0 disclosed, suffer from other SQL Injection vulnerabilities. If you’re using this plugin, I would strongly encourage you to remove it and find a different one to replace it.
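As an added illustration (not code from the eventr plugin), this is what the difference between the two query styles mentioned above looks like in a WordPress plugin: the unprepared form beside the `$wpdb->prepare()` form for both an integer lookup and a string search. Table and column names are invented for the example.

```php
<?php
/*
 * Added illustration, not code from eventr. The demo_events table and its
 * columns are invented; $wpdb is WordPress's global database object.
 */

// Vulnerable: the request value is concatenated straight into the SQL string,
// so anything that is not a plain number becomes part of the query.
function demo_get_event_unsafe( $event_id ) {
    global $wpdb;
    $sql = "SELECT * FROM {$wpdb->prefix}demo_events WHERE id = " . $event_id;
    return $wpdb->get_row( $sql );
}

// Fixed: $wpdb->prepare() binds the value. %d casts to an integer, so the
// query text itself never changes based on the input.
function demo_get_event_safe( $event_id ) {
    global $wpdb;
    return $wpdb->get_row(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}demo_events WHERE id = %d",
            $event_id
        )
    );
}

// The same rule applies to strings: %s is quoted and escaped by prepare(),
// and LIKE wildcards in user input are neutralised with esc_like() first.
function demo_search_events_safe( $term ) {
    global $wpdb;
    $pattern = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, title FROM {$wpdb->prefix}demo_events WHERE title LIKE %s",
            $pattern
        )
    );
}
```

A quick way to audit a plugin for the mix the report describes is to grep its files for `$wpdb->` calls and confirm every one that interpolates a variable goes through `prepare()`.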

In regards to the Cross-Site Scripting and File Disclosure vulnerabilities in Tribulant Newsletters (free and pro) disclosed by DefenseCode, while DefenseCode claims they’ve been fixed by the vendor, a quick look through the free version (4.6.5.4) shows that they most definitely have NOT been fixed. This plugin is riddled with XSS vulnerabilities and the file disclosure is still there as well. I don’t know if the author originally fixed them when contacted and then somehow accidentally reverted to the old codebase between when s/he released 4.6.5 and the later versions, or if they never actually fixed the issues, but told DefenseCode they had. Either way, the vulnerabilities still exist, so I’d suggest removing this one and looking for a suitable replacement.

UPDATE: While I was writing this post, the author released version 4.6.6 which addresses the Cross-Site Scripting issues.  However, the file disclosure vulnerability still exists, and I’m still seeing at least one other possible stored XSS vulnerability. My recommendation to remove stands.

Other News

WordPress version 4.8 is still on track to be released this coming Thursday, June 8th. To that end, the core team announced the availability of the second Release Candidate for 4.8.  You can grab it here if you’d like to test it out.  As I mentioned previously, 4.8 will include multiple new widget options, as well as a revamped TinyMCE editor.  Be ready to start updating next week.

20170526 Vulnerable Plugins Report


This week’s report.

Several critical vulnerabilities this week.  Of note is that all of the critical vulnerabilities are in plugins that have not been updated in more than two years.  While not having an update for two years isn’t a conclusive indicator that a plugin has been abandoned (the version of wpDirAuth from two years ago – 1.7.9 – works just fine in WordPress v4.7.5), it should give you pause.

Before selecting a plugin that hasn’t been updated recently, you should check the forums to see if the developer is still responding to users. This should also remind all of us that we need to go back every once in a while and reevaluate the plugins we have installed to make sure they haven’t been abandoned.

20170519 Vulnerable Plugin Report, HackerOne and You’ve Updated WordPress, yes?


This week’s report.

Vulnerable Plugins

Only one critical vulnerability this week.  I would suggest removing it until the author finishes his fixes (he’s almost finished). Otherwise, all of the rest of this week’s vulnerabilities have updates immediately available.

WordPress News

The big news this week was the release of 4.7.5 which addressed six security-related issues, and three maintenance items.  Considering this is a security-focused update, if you don’t have the auto-updates enabled, and you haven’t already upgraded, you need to do so as soon as possible.

Unfortunately, 4.7.5 didn’t address CVE-2017-8295 aka the unauthenticated password reset vulnerability. While I’ve stated previously that this particular vulnerability has a narrow attack surface, it’s still a vulnerability that is actively being targeted and remains in all versions of WordPress. I find it particularly odd that the core team still hasn’t addressed it considering it should be easy enough to correct: use get_site_url() instead of $_SERVER['SERVER_NAME'] in pluggable.php.
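Until core changes, the same correction can be applied per site without touching pluggable.php. The following is an added example (not WordPress core code and not a patch from the author) of a must-use plugin that hooks the existing `wp_mail_from` filter so the From address of every outgoing mail, password-reset mail included, is derived from the configured site URL via get_site_url() rather than from $_SERVER['SERVER_NAME']. The function name is invented for the example.

```php
<?php
/*
 * Plugin Name: Mail From Configured Host (added example, not core code)
 * Drop into wp-content/mu-plugins/ so it loads on every request.
 */

/**
 * Build the default From address from the site URL set in Settings > General,
 * mirroring core's "wordpress@<host>" format, instead of trusting the host
 * name the web server reported for the current request.
 *
 * @param string $from_email The address core is about to use.
 * @return string The address to use instead.
 */
function demo_mail_from_configured_host( $from_email ) {
    // Host component of the configured site URL; not influenced by the request.
    $host = wp_parse_url( get_site_url(), PHP_URL_HOST );

    if ( empty( $host ) ) {
        // Misconfigured site URL: fall back to core's value rather than send a bad address.
        return $from_email;
    }

    $host = strtolower( $host );
    // Core strips a leading "www." before building the address; do the same.
    if ( 0 === strpos( $host, 'www.' ) ) {
        $host = substr( $host, 4 );
    }

    return 'wordpress@' . $host;
}

// The filter only runs when the caller did not set an explicit From header,
// which is the case for the password-reset mail sent from pluggable.php.
add_filter( 'wp_mail_from', 'demo_mail_from_configured_host' );
```

After installing, trigger a password reset for a test account and check the Received mail's From header shows the configured domain.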

The WordPress security team also announced they now have an official bug bounty program on HackerOne. They’ve already awarded $3,700 in bounties. Not only does it cover the WordPress project but includes BuddyPress, bbPress, GlotPress, WP-CLI, and all of their associated sites, plus WordCamp.org. Might be a nice little way to contribute to WordPress and make some money on the side. 😀

Other News

If you work in Higher Education and are located in the south-western region of Missouri, don’t miss out on the HighEdWeb Regional conference this Monday, May 22 at 8am. This will be a hands-on workshop where we cover the top web application security risks, and then use them to attack a vulnerable web application. I promise you it’ll be fun! While it is free, space is limited, so if you think you might want to go, sign up ASAP to reserve your spot!

20170512 Vulnerable Plugins Report, WordPress 4.8

Vulnerable Plugins

This week’s vulnerability report.

This week’s report is fairly light, with no major critical issues. Given the report’s light reading, I would encourage you to read Wordfence’s post from this week on “22 Abandoned WordPress Plugins with Vulnerabilities” as it highlights a major area of concern when it comes to WordPress: communicating to users that a vulnerability exists in a plugin they are using. Please look over the list and make sure you aren’t using any of the ones listed, and if you are, start looking for alternatives.

WordPress

Last Saturday the WordPress version 4.8 release date was announced: June 8th. Beta 1 should be available later today with the Release Candidate targeted for May 25th. 4.8 is the first major version released in 2017, and is a stepping-stone toward releasing the new Gutenberg editor in WordPress. In addition it should include a new WYSIWYG widget, and several media widgets.

wpDirAuth

If you use wpDirAuth, please note that I released a fairly substantial upgrade yesterday. The biggest changes were the addition of several hooks that can be used to modify/extend wpDirAuth to your institution’s specific requirements without having to modify the plugin directly. I also added a cookie expiration setting into the settings area so you can more easily change the one hour default to something else without having to add code to your theme’s functions file.