Security researcher Benjamin Kunz Mejri has found two vulnerabilities in the BMW ConnectedDrive web portal and its web application.
About the vulnerabilities in BMW ConnectedDrive
The first is a client-side (non-persistent) cross-site scripting vulnerability: a remote attacker without a privileged account can inject script code into the client side of the affected module context. Minimal user interaction, such as following a crafted link, is needed for the attack to work.
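To make the vulnerability class concrete, here is an added illustration (not BMW's code and not from the advisory) of how a client-side module turns a URL parameter into markup, first unsafely and then with the value HTML-encoded. The parameter name "module", the page URL and the payload are assumptions constructed for the demo.

```javascript
// Added illustration of the reflected/client-side XSS class described above.
// Not BMW's code: the "module" parameter, the URL and the payload are constructed.

// Escapes the characters that let a value break out of an HTML text context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the query parameter is concatenated straight into markup, so any
// tags in the parameter become part of the page in the victim's browser.
function renderUnsafe(pageUrl) {
  const name = new URL(pageUrl).searchParams.get("module") ?? "";
  return `<div class="module-title">${name}</div>`;
}

// Hardened: the same value is HTML-encoded before insertion and renders as text.
function renderSafe(pageUrl) {
  const name = new URL(pageUrl).searchParams.get("module") ?? "";
  return `<div class="module-title">${escapeHtml(name)}</div>`;
}

// Check used below: does the rendered markup contain a tag other than the wrapper div?
function containsInjectedTag(html) {
  const inner = html
    .replace(/^<div class="module-title">/, "")
    .replace(/<\/div>$/, "");
  return /<[a-z!\/]/i.test(inner);
}

// Constructed sample link an attacker might send to a logged-in victim.
const payload = encodeURIComponent('<img src=x onerror="alert(document.cookie)">');
const sampleUrl = `https://portal.example/connecteddrive?module=${payload}`;
console.log("unsafe:", renderUnsafe(sampleUrl));
console.log("safe:  ", renderSafe(sampleUrl));
```

In a real browser module the equivalent fix is to assign the value with `textContent` (or a templating layer that encodes by default) instead of building HTML strings; the encoding function above is shown so the difference between the two outputs can be inspected offline.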
“Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing, non-persistent external redirects to malicious source and non-persistent manipulation of affected or connected application modules,” the Vulnerability Lab research team warned.
The other is a vulnerability in the VIN (Vehicle Identification Number) session validation and approval.
“Remote attackers are able to bypass the secure validation approval of the VIN when processing to create it,” the Vulnerability Lab research team explained. This lets them tamper with a live session, which could result in the compromise of registered or valid VINs and in new configuration settings being pushed to the cars with those VINs.
These settings are mostly related to the cars’ infotainment system, but could also affect the locking and unlocking of the vehicle.
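The control the advisory describes as bypassed is, in generic terms, the server-side binding between an authenticated user and the VINs that user may act on. The following added example (not BMW's code; the session shape, VINs and request fields are constructed for the demo) shows what that check looks like when the decision rests only on server-side state and ignores any approval flag the client supplies.

```javascript
// Added illustration of server-side VIN-to-identity binding.
// Not BMW's code: the session object, VINs and request fields are constructed.

// ISO 3779 VIN format: 17 characters, digits and letters except I, O and Q.
const VIN_PATTERN = /^[A-HJ-NPR-Z0-9]{17}$/;

function isWellFormedVin(vin) {
  return typeof vin === "string" && VIN_PATTERN.test(vin);
}

// Authorization decision for a "change settings on vehicle <vin>" request.
// The VIN must be in the server-side set of vehicles registered to the
// authenticated user; a client-sent "approved" flag is never consulted.
function authorizeVehicleChange(session, request) {
  if (!session || !session.userId) {
    return { ok: false, reason: "unauthenticated" };
  }
  if (!isWellFormedVin(request.vin)) {
    return { ok: false, reason: "malformed VIN" };
  }
  if (!session.registeredVins.includes(request.vin)) {
    return { ok: false, reason: "VIN not registered to this user" };
  }
  return { ok: true, reason: "VIN bound to authenticated user" };
}

// Constructed sample: a logged-in user with a single registered vehicle.
const sampleSession = {
  userId: "user-1234",
  registeredVins: ["WBA3A5C55DF000001"],
};

// Legitimate request for the user's own car.
console.log(authorizeVehicleChange(sampleSession, {
  vin: "WBA3A5C55DF000001", setting: "infotainment.language", value: "de",
}));

// Attempt against someone else's VIN, with a forged client-side approval flag.
console.log(authorizeVehicleChange(sampleSession, {
  vin: "WBA3A5C55DF000002", setting: "doors.unlock", value: true, approved: true,
}));
```

The point of the second call is that a forged `approved: true` changes nothing: the request is refused because the VIN is not among those the server itself has associated with the session's user.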
Have they been fixed?
BMW was notified of the flaws in February 2016 but has yet to fix them. This is one of the reasons why the Vulnerability Lab research team went public with the vulnerability details and exploit code.
“The BMW zero-day vulnerability that allows VIN session hijacking is yet another example of why an identity-centric approach to connected device management is essential in reducing risk and enhancing user experience,” says Simon Moffatt, EMEA Director, Advanced Customer Engineering at ForgeRock.
“Whilst manufacturers focus on end user experience and device connectivity, there needs to be a more joined-up approach to security, including a strong focus on device, service and user identity management,” he noted.
“The major problem at present is that there is no correlation between the identity of the driver and the identities of the smart systems within the car. It is really important that these connected car infotainment systems have individual identity profiles that can restrict the operations or data made available. In terms of security, this relationship must be established so that only the vehicle’s operator, whose identity is authenticated in advance, can alter the vehicle settings. This means that if a hacker tries to take control remotely, they will not be able to, because their identity won’t be recognised by the vehicle or its systems.”