Lab Finds More Than A Dozen Security Faults In BMW Cars

The bugs could be exploited to display false messages to a driver while the car is in motion, says Tencent’s Keen Security Lab

A Chinese security lab has found 14 distinct flaws in BMW’s car computer systems, following a more than year-long investigation.

The bugs and attack methods found by Tencent’s Keen Security Lab could be used, in theory, to take at least partial control of a vehicle while in use.

Nine of the scenarios Keen presented required an attacker to have physical access to a vehicle, but a further five would allow an attack over the vehicle’s mobile internet connection.

Keen carried out the tests with BMW’s backing, under laboratory conditions, from January 2017 to February 2018. The problems involve the company’s i Series, X1 sDrive, 5 Series and 7 Series cars.

Malicious update

According to its report, Keen researchers were able to access the head unit or entertainment system, and T-box components such as the telematics control unit and central gateway module.

They were able to seize control of the CAN bus, which connects all of a car’s functions, and trigger diagnostic functions remotely.

Keen found attack methods that involved access to a car with physical USB, Ethernet or OBD-II connections.

“There aren’t any security restrictions to such USB Ethernet interfaces, which makes it possible to obtain access to the internal network of the head unit, and then detect many exposed internal services through port scanning,” Keen said in the report.

One attack method involved creating a malicious update file that was uploaded from a USB stick and compromised a car’s update service, gaining root control of a system that controls multimedia services and BMW ConnectedDrive functions.

Another scenario involved the use of a rogue mobile data transmitter to compromise the entertainment and telematics components.

Remote attack

“It’s possible to launch the attack from hundreds of metres, even when the car is in the driving mode,” Keen wrote.

An attacker could create a backdoor to inject diagnostic messages into the car’s systems, which could then affect the driver’s control of the vehicle.

BMW has developed patches for the most critical issues, which have been rolled out to back-end systems and telematics units through over-the-air updates. Other fixes are to be made available at dealerships.

Keen’s report omits detailed technical information on the exploits while BMW arranges fixes. The company is planning to release more information next year.

BMW awarded Keen the BMW Group Digitalisation and IT Research Award for the discoveries.

The carmaker said it had launched a “comprehensive” cybersecurity action plan to head off “new, presently unknown attack scenarios”.

“Third parties increasingly play a crucial role in improving automotive security as they conduct their own in-depth tests of products and services,” BMW said.
