Researchers find easily-exploitable vulnerabilities in BMW's in-car systems

News by Jay Jay

Security researchers at Tencent's Keen Security Lab have revealed that Internet-connected systems in several BMW cars contain vulnerabilities that allow attackers to compromise the vehicles through a set of remote attack surfaces: GSM communication, BMW Remote Service, BMW ConnectedDrive Service, UDS remote diagnosis, the NGTP protocol, and Bluetooth.

They noted that while attackers could gain remote access to the CAN buses of vulnerable BMW cars by chaining several vulnerabilities across different vehicle components, such as the infotainment system and the Telematics Control Unit, the Head Unit in several BMW models could also be compromised locally via USB drives or Ethernet.

"Our research findings have proved that it is feasible to gain local and remote access to infotainment, T-Box components and UDS communication above certain speed of selected BMW vehicle modules and been able to gain control of the CAN buses with the execution of arbitrary, unauthorised diagnostic requests of BMW in-car systems remotely," they announced in a research paper detailing vulnerabilities in several BMW models, including the BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series and BMW 7 Series.

In all, the researchers found fourteen vulnerabilities in these models, culminating in the ability to send arbitrary diagnostic messages to the ECUs. Eight of the fourteen affected the in-vehicle infotainment system, also known as the NBT Head Unit, four affected the Telematics Control Unit that handles the vehicle's remote connectivity, and two affected the Central Gateway Module that sits between the external-facing components and the vehicle's internal CAN buses.
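To make concrete what "arbitrary diagnostic messages" look like on the wire, and what a gateway between the telematics/infotainment side and the vehicle buses can check before forwarding them, here is an added example (not code from the Keen Security Lab report or from BMW). It decodes UDS requests carried in ISO-TP single frames on CAN and applies a forwarding policy: state-changing services must come from a known tester ID, after a completed SecurityAccess exchange, and while the vehicle is stationary. The CAN frames, the arbitration IDs 0x7E0 and 0x6F1, the speed values and the policy itself are constructed assumptions; only the UDS service identifiers and the ISO-TP framing come from the standards.

```python
"""Decode UDS (ISO 14229) requests carried as ISO-TP single frames on CAN and
flag the ones a central gateway should refuse to forward.

Added illustration, not code from the Keen Security Lab report or from BMW.
The frames, arbitration IDs, speeds and the policy below are constructed;
only the UDS service identifiers and ISO-TP framing are standard.
"""
from dataclasses import dataclass
from typing import Optional

# Standard UDS service identifiers (ISO 14229-1).
UDS_SERVICES = {
    0x10: "DiagnosticSessionControl",
    0x11: "ECUReset",
    0x22: "ReadDataByIdentifier",
    0x27: "SecurityAccess",
    0x2E: "WriteDataByIdentifier",
    0x2F: "InputOutputControlByIdentifier",
    0x31: "RoutineControl",
    0x34: "RequestDownload",
    0x3E: "TesterPresent",
}

# Services that change ECU state or drive actuators. The policy assumed here
# (an assumption, not a BMW specification): they need a completed
# SecurityAccess exchange from the same source and a stationary vehicle.
STATE_CHANGING = {0x10, 0x11, 0x2E, 0x2F, 0x31, 0x34}


@dataclass(frozen=True)
class CanFrame:
    arb_id: int   # 11-bit CAN arbitration ID
    data: bytes   # up to 8 payload bytes


@dataclass(frozen=True)
class UdsRequest:
    arb_id: int
    sid: int          # UDS service identifier
    payload: bytes    # bytes after the SID: sub-function, DID, routine ID ...


def parse_isotp_single_frame(frame: CanFrame) -> Optional[UdsRequest]:
    """Return the UDS request in an ISO-TP single frame, or None if the frame
    is not a well-formed single frame (multi-frame transfers are out of scope)."""
    if not frame.data:
        return None
    pci = frame.data[0]
    if pci >> 4 != 0:                 # PCI type 0 = single frame
        return None
    length = pci & 0x0F               # number of UDS bytes that follow
    if length == 0 or length > 7 or len(frame.data) < 1 + length:
        return None
    body = frame.data[1:1 + length]
    return UdsRequest(frame.arb_id, body[0], body[1:])


class DiagnosticGatePolicy:
    """Stateful check for requests crossing a gateway towards the vehicle CAN buses."""

    def __init__(self, tester_ids: set[int]):
        self.tester_ids = tester_ids          # IDs a legitimate tester uses
        self._keyed: set[int] = set()         # sources that sent a SecurityAccess key

    def check(self, req: UdsRequest, speed_kph: float) -> list[str]:
        name = UDS_SERVICES.get(req.sid, f"Unknown(0x{req.sid:02X})")
        findings = []
        if req.arb_id not in self.tester_ids:
            findings.append(f"{name} from non-tester ID 0x{req.arb_id:03X}")
        # SecurityAccess sub-functions: odd = requestSeed, even = sendKey.
        if req.sid == 0x27 and req.payload and req.payload[0] % 2 == 0:
            self._keyed.add(req.arb_id)
        if req.sid in STATE_CHANGING and speed_kph > 0:
            findings.append(f"{name} while vehicle moving at {speed_kph:g} km/h")
        if req.sid in STATE_CHANGING and req.sid != 0x10 and req.arb_id not in self._keyed:
            findings.append(f"{name} without prior SecurityAccess from 0x{req.arb_id:03X}")
        return findings


def scan_frames(traffic, tester_ids: set[int]) -> list[list[str]]:
    """Run the policy over (frame, speed_kph) pairs; one findings list per frame."""
    policy = DiagnosticGatePolicy(tester_ids)
    results = []
    for frame, speed in traffic:
        req = parse_isotp_single_frame(frame)
        results.append(policy.check(req, speed) if req else ["not a UDS single frame"])
    return results


# Constructed sample traffic: 0x7E0 plays the workshop tester, 0x6F1 a request
# injected from the telematics side. Speeds are made up for the illustration.
SAMPLE_TRAFFIC = [
    (CanFrame(0x7E0, bytes([0x02, 0x10, 0x03])), 0.0),                          # extended session
    (CanFrame(0x7E0, bytes([0x02, 0x27, 0x01])), 0.0),                          # requestSeed
    (CanFrame(0x7E0, bytes([0x06, 0x27, 0x02, 0xDE, 0xAD, 0xBE, 0xEF])), 0.0),  # sendKey
    (CanFrame(0x7E0, bytes([0x04, 0x31, 0x01, 0xFF, 0x00])), 0.0),              # start routine
    (CanFrame(0x6F1, bytes([0x04, 0x2F, 0x12, 0x34, 0x03])), 60.0),             # actuator control, moving
    (CanFrame(0x7E0, bytes([0x03, 0x22, 0xF1, 0x90])), 60.0),                   # read VIN DID (read-only)
    (CanFrame(0x7E0, bytes([0x02, 0x11, 0x01])), 60.0),                         # ECU reset, moving
]

if __name__ == "__main__":
    for (frame, speed), findings in zip(SAMPLE_TRAFFIC, scan_frames(SAMPLE_TRAFFIC, {0x7E0})):
        print(f"0x{frame.arb_id:03X} {frame.data.hex()}: {findings or 'ok'}")
```

Run as a script, the injected InputOutputControlByIdentifier request from 0x6F1 collects three findings (wrong source, vehicle moving, no SecurityAccess), the ECUReset from the tester is flagged only because the car is moving, and the read-only ReadDataByIdentifier passes. A real gateway would also need to track the ECU's positive response to the key (0x67) rather than trusting that a key was merely sent, and to handle multi-frame ISO-TP transfers.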

They added that the flaws can be fixed by online reconfiguration and offline firmware updates; BMW has already rolled out several high-priority countermeasures for some affected models and will release fixes for the remaining vulnerabilities in due course.

Among the most critical of the vulnerabilities are those affecting the Telematic Communication Box (TCB), one of the platforms underpinning the BMW ConnectedDrive system. The TCB connects the car to GSM and UMTS networks and provides functions such as enhanced emergency call, remote door unlocking, climate control, BMW TeleService diagnosis (including TeleService help) and BMW TeleService Call.

According to the researchers, an attacker can mount a man-in-the-middle attack and remotely exploit the vulnerabilities in both the NBT and the TCB even while the car is in motion. Such an attack can be launched from several hundred metres away and results in backdoors being planted in the NBT and the TCB.

Because the in-vehicle infotainment system relies on Bluetooth connectivity, an attacker close enough to connect to it over Bluetooth can also affect the availability of the head unit without authentication while Bluetooth is in pairing mode. Separately, an attacker with physical access can exploit serious vulnerabilities in the USB and OBD-II interfaces to install a backdoor in the NBT and then manipulate vehicle functions through the Central Gateway Module.

Commenting on the discovery of several vulnerabilities in the on-board computing units of BMW vehicles, Natan Bandler, CEO and co-founder of Cy-oT, told SC Media UK that while people mostly worry about the security of a car's central computer unit, most of the vulnerabilities seem to come from theoretically innocent areas such as the entertainment system. "It's always the innocent items, the ones that are invisible and the ones that we tend to neglect that are the easiest way in for a hacker," he said.

"We need to think from the point of view of the attacker. They're looking for the path of least resistance; areas that are uncovered, neglected and that no one cares about, and entertainment systems are exactly this.

"People rely on trusting the 'things' themselves. It's true for enterprises and it's also true for cars. Yes, you can maintain your updates and patches on your car's entertainment system and systems in your office, but that's something that will only keep the script kiddies away from your car or your enterprise.

"If you really want to be protected, you need a security system that doesn't rely on the software or hardware of the equipment itself. It should monitor everything that you have around you and track if someone is trying to hack you. You can't simply trust the system itself. To be secure, you must have a dedicated security system in parallel," he added.

In an opinion piece for SC Media UK, Giles Kirkland, a car expert and blogger at Oponeo, said that fast, low-level security measures need to be incorporated into the design and build of all microchips, running alongside further measures built into the firmware and software of today's connected cars.

At the same time, manufacturers should develop real-time detection systems that continuously monitor the connected systems fitted to the vehicle and ensure that any unusual activity is reported and prevented. They should also develop trusted vehicle-to-vehicle communication systems, as well as firmware update protocols that allow a vehicle's software security to be updated over the air.

"Understanding the threat is key to making these connected cars secure; external connections are a must, they're needed for information, manufacturing data, diagnostics, data gathering, external connections for some functionality, driver profiles … the problem with connected vehicles is just that – they're connected to many different aspects of our lives," he added.
