Over a dozen vulnerabilities uncovered in BMW vehicles
After 13 months of research, the Keen Security Lab team discovered 14 vulnerabilities which could place connected cars at risk of compromise. The tests were conducted with BMW’s backing and in laboratory conditions. The impacted vehicles belong to the automaker’s i Series, X1 sDrive, 5 Series, and 7 Series.
In total, as documented in Keen Security Lab’s technical report, nine of the attack scenarios presented required physical access to the target vehicle, while five were based on using a mobile Internet connection. The vulnerabilities permitted attackers to access the head unit (otherwise known as the infotainment system) and T-box components, including the Telematics Control Unit and Central Gateway Module of the vehicles involved in the tests, leading to the creation and deployment of exploit chains designed to seize control of CAN buses. The exposure of CAN buses to attack is a serious issue considering that these buses connect all of a car’s functions.
Once the CAN buses were under attacker control, the researchers were able to trigger arbitrary diagnostic functions remotely. Keen Security Lab also came across memory corruption vulnerabilities, logic errors, bugs which could break the secure isolation of system areas, and vulnerabilities which could lead to remote code execution. The team was also able to compromise the car physically by exploiting USB, Ethernet, and OBD-II connections.
Furthermore, it was possible to use a USB stick to load a crafted, malicious update file able to compromise the update service and gain root control of hu-Intel, a system which controls multimedia services and BMW ConnectedDrive functionality.