Fourteen locally and remotely exploitable vulnerabilities in BMW cars are in the process of getting fixed, officials said.
Those fixes are the result of research by Keen Security Lab, a cybersecurity research unit of Chinese company Tencent, conducted on the head unit, the telematics control unit (TCU or T-Box), and the central gateway module in several BMW models.
“Through mainly focusing on the various external attack surfaces of these units, we discovered that a remote targeted attack on multiple Internet-Connected BMW vehicles in a wide range of areas is feasible, via a set of remote attack surfaces (including GSM Communication, BMW Remote Service, BMW ConnectedDrive Service, UDS Remote Diagnosis, NGTP protocol, and Bluetooth protocol),” the researchers said in their report. “Therefore, it’s susceptible for an attacker to gain remote control to the CAN buses of a vulnerable BMW car by utilizing a complex chain of several vulnerabilities existed in different vehicle components. In addition, even without the capability of Internet-Connected, we are also able to compromise the Head Unit in physical access ways (e.g. USB, Ethernet and OBD-II). Based on our testing, we confirm that all the vulnerabilities would affect various modern BMW models.”
Over the course of 13 months starting in January 2017, the researchers found 14 vulnerabilities, including seven that have been assigned CVE identifiers.
The researchers published a report describing their findings, but they left out technical details to prevent abuse. A full report is expected to be released early next year.
Eight of the flaws impact the infotainment system, four affect the TCU, and two the central gateway module.
Some of the security holes can be exploited to execute arbitrary code and take complete control of the affected component, the researchers said in their report.
The TCU provides telephony services, accident assistance services (e.g. E-Call, B-Call), and the ability to remotely lock/unlock the doors and operate the climate control.
The central gateway module is designed to receive diagnostic messages from the TCU and the head unit and transfer these messages to other Electronic Control Units (ECUs) on different CAN buses.
Exploiting the vulnerabilities found by Keen Lab can allow an attacker to send arbitrary diagnostic messages to ECUs, which control electrical systems in a car, and “influence the vehicle.”
Exploiting some of the vulnerabilities requires physical access to the targeted vehicle, but other attacks can be conducted over a short range via Bluetooth or over long distances via cellular networks, even while the car is being driven. The fact that arbitrary diagnostic messages can be sent to ECUs can pose a serious security issue, Keen Lab said.
“Based on our research experiments, we can confirm that the vulnerabilities existed in Head Unit would affect several BMW models, including BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series, BMW 7 Series,” the researchers said in their report. “And the vulnerabilities existed in Telematics Control Unit (TCB) would affect the BMW models which equipped with this module produced from year 2012.”
BMW, which described the research as “by far the most comprehensive and complex testing ever conducted on BMW Group vehicles by a third party,” has confirmed the findings and has already started rolling out patches.
The company made some updates to its backend systems and pushed out over-the-air patches for the TCU. Additional firmware updates designed to mitigate attacks will be made available to customers at dealerships.