Chinese researchers discovered 14 vulnerabilities on the on-board computers of a number of BMW vehicles, leading the automaker to begin issuing security patches over-the-air and through dealer networks. These flaws affect the infotainment unit, telematics controls, and the wireless communications systems on BMW’s i Series, X1 sDrive, 5 Series, and 7 Series models dating as far back as 2012. Four of the discovered vulnerabilities require hackers to have physical USB access to the car, while six of the vulnerabilities can be exploited remotely. The last four vulnerabilities require physical access to the car’s computer.
“Our research findings have proved that it is feasible to gain local and remote access to infotainment, T-Box components, and UDS communication above certain speed [for] selected BMW vehicle modules and been able to gain control of the CAN buses with the execution of arbitrary, unauthorized diagnostic requests of BMW in-car systems remotely,” the researchers at at Tencent’s Keen Security Lab wrote in a preliminary report, noting that a full report would be available sometime in 2019 to allow BMW time to patch the flaws.
Additionally, if a hacker has access to the vehicle physically, the USB, Ethernet, and OBD-II ports could also be exploited. Because the USB Ethernet Interface doesn’t have security restrictions, it could be used to access the internet network of the head unit and detect the exposed internal services through port scanning, the report said. Hackers can also use a USB stick to inject malicious code into BMW’s ConnectedDrive by gaining root control of the hu-intel system.
Hackers can also trigger remote code execution if they don’t have access to a vehicle by exploiting memory corruption vulnerabilities that allowed users to bypass signature protection in the firmware and break secure isolation of various system components. (In 2015, a 14-year-old hacked a car with $15 worth of tech using a similar technique.) By gaining access to CAN buses, an attacker can remotely trigger remote diagnostic functions by leveraging a chain of multiple vulnerabilities across several affected vehicle components. Hackers can send arbitrary diagnostics to the engine computer. The danger, according to researchers, is that the engine control unit, or ECU, will still respond to diagnostic messages even at normal driving speeds, and “it will become much worse if attackers invoke some special UDS routines.”
“By chaining the vulnerabilities together, we are able to remotely compromise the NBT [car computer],” researchers said. “After that, we can also leverage some special remote diagnose interfaces implemented in the Central Gateway Module to send arbitrary diagnostic messages (UDS) to control ECUs on different CAN Buses.”
In a statement to ZDNet, the BMW Group noted that the research was conducted in conjunction with BMW’s cybersecurity team, highlighting that “third parties increasingly play a crucial role in improving automotive security as they conduct their own in-depth tests of products and services.”