Chinese Hackers Discover Multiple Vulnerabilities in BMW Vehicles

Chinese Researchers Uncover Critical Security Flaws in BMW’s Onboard Systems

In a comprehensive investigation spanning over a year, researchers from Tencent’s Keen Security Lab have identified serious vulnerabilities within the onboard computing systems of various BMW models. These findings, disclosed in March 2018, reveal over a dozen security flaws that could allow attackers to remotely compromise vehicle functions, raising alarm within the cybersecurity community and the automotive industry.

The security audit, conducted between January 2017 and February 2018, highlights vulnerabilities affecting BMW vehicles produced since at least 2012. The Keen Security Lab team has a history of uncovering similar weaknesses in car systems, including previous findings regarding Tesla’s in-car modules, which could have enabled unauthorized remote access.

Now that BMW has begun releasing patches to address these vulnerabilities, the researchers have made public a detailed 26-page technical report, which outlines their discoveries while intentionally omitting certain specifics to prevent potential exploitation.

The vulnerabilities predominantly affect critical components of several BMW models, including the Infotainment System, the Telematics Control Unit (TCU), and the Central Gateway Module. The researchers' analysis found that eight vulnerabilities affect the internet-connected Infotainment System, which handles music and media playback, while four flaws pertain to the TCU, which is responsible for telephony and emergency assistance functions. Two further vulnerabilities concern the Central Gateway Module, which relays diagnostic information between the car’s various electronic control units (ECUs).

Exploitation of these vulnerabilities could permit attackers to send arbitrary diagnostic messages directly to the vehicle’s engine control unit or the Controller Area Network (CAN) bus, which underpins numerous functions within the vehicle. This level of access could potentially enable unauthorized individuals to exert significant control over key vehicle operations.

Notably, while some vulnerabilities necessitate physical access via USB ports or the On-Board Diagnostics (OBD) port, others can be exploited remotely. Certain flaws can be triggered via Bluetooth or cellular networks, making them particularly concerning, as they could be activated even while the vehicle is in motion. The research indicates that these risks extend across several popular BMW models, including those within the i, X, 3, 5, and 7 Series.

BMW has acknowledged the validity of these findings and has initiated over-the-air updates to rectify some of the identified issues within the TCU. However, other vulnerabilities will require dealer-based patches, prompting the researchers to schedule the release of a more extensive technical report in March 2019.

In recognition of their critical research, Keen Security Lab was awarded the inaugural BMW Group Digitalization and IT Research Award, underscoring the significance and thoroughness of their security assessment. The implications of these vulnerabilities extend beyond a mere technical challenge; they represent a pressing concern for automotive security in an age where connectivity and automation are increasingly prevalent.

As organizations work to safeguard their digital assets against rising threats, understanding the tactics and techniques used in such attacks becomes essential. The tactics involved in exploiting these vulnerabilities may fall under several categories in the MITRE ATT&CK framework, including initial access and privilege escalation, which underscores the need for vigilance in protecting connected technologies.
