Keen Security Lab researchers have discovered fourteen vulnerabilities affecting a variety of BMW car models.
The flaws could be exploited to gain local and remote access to the infotainment system (a.k.a. head unit), the Telematics Control Unit (TCU or TCB) and UDS communication, as well as to gain control of the vehicles’ CAN bus.
About the vulnerabilities
To exploit some of the flaws and install a backdoor in the infotainment system, the attacker must have physical access to the target car’s external-facing I/O interfaces (USB and OBD-II). But six of the vulnerabilities can be exploited remotely, via the wireless interfaces of the vehicle (Bluetooth and cellular network).
The Bluetooth attack requires attackers to be in close range of the vehicle to affect the availability of the Internet-connected infotainment system without authentication, but the attack can succeed only when Bluetooth is in pairing mode.
On the other hand, a contactless attack via the cellular network allows attackers to operate from afar.
“If the TCB has fallen into a rogue base station, attackers can extend the attack distance to a wide-range distance with the help of some amplifier devices. Technically speaking it’s possible to launch the attack from hundreds of meters even when the car is in the driving mode,” the researchers noted.
“Using MITM attack between TSP and the vehicle, attackers could remotely exploit the vulnerabilities existing in both NBT and TCB, leading to backdoors being planted in the NBT and TCB. Typically, a malicious backdoor can inject controlled diagnosis messages to the CAN buses in the vehicle.”
The researchers found the vulnerabilities in the infotainment system of several BMW models, including BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series, BMW 7 Series. The flaws in the Telematics Control Unit (TCB) affect the BMW models produced from year 2012 onwards.
They have shared their research with BMW Group, and the company’s Automotive Security Team confirmed their findings and started developing fixes.
“Subsequently, these upgrades were rolled out in the BMW Group backend and uploaded to the telematics control units via over the air connection. The BMW Group develops additional software updates, which as usual will be made available for customers at BMW dealerships,” the company explained, and noted that Tencent Keen Security Lab and the BMW Group are “discussing options for joint in-depth research and development activities” that will focus on the security of Android embedded systems and on autonomous driving security and testing.
The researchers have agreed not to publish the specifics of the vulnerabilities until all the security updates are pushed out and implemented, so other researchers focusing on automotive security have found it difficult to offer to-the-point comments on the findings.
Nevertheless, Charlie Miller, who’s known for remotely exploiting vulnerabilities in Chrysler’s 2014 Jeep Cherokee, noted that some of the exploits look cool.
The biggest result of the research was the ability to send NGTP messages over SMS which led to remote code execution if a car was connected to their rogue base station. This required no user interaction.
— Charlie Miller (@0xcharlie) May 22, 2018
The Tencent Keen Security Lab research paper summarizing their research can be found here. The full technical vulnerabilities report will be released in 2019.