The Chinese cybersecurity research team known as Keen Security Lab has disclosed 14 security vulnerabilities affecting a range of BMW vehicles. Eight of the flaws affect the infotainment system, four affect the Telematics Control Unit (TCU), and two affect the Central Gateway Module (CGM). The TCU handles remote communication in the vehicle, such as the ability to unlock the doors remotely. The CGM handles communication between the different subsystems and dispatches the communications appropriately across different Controller Area Network (CAN) buses.
Most vehicle vulnerabilities found in the past have relied on having physical access to the vehicle. These types of vulnerabilities could be triggered by plugging in a malicious USB device or accessing diagnostic ports inside the vehicle. While vulnerabilities requiring physical access can still be dangerous, the risk of compromise is much lower than a remote vulnerability.
In order to identify remote vulnerabilities, the research team setup their own mock GSM cellular network in order to middleman the traffic coming from the vehicle. By capturing and analyzing the traffic from the vehicle they were able to find a flaw in the ConnectedDrive service. This flaw was exploited by the team to gain a root shell on the vehicle’s head unit. The team also attacked the Bluetooth functionality of the head unit to explore different avenues of remote exploitation. While they were not able to gain remote access via Bluetooth, they were able to cause the head unit to reboot at will by sending malformed packets to it. This vulnerability however requires the system to be in pairing mode for successful exploitation.
The flaws discovered in the various subsystems can be chained together to impact the vehicles in a more meaningful way than just requiring a reboot of the head unit. For example one could send arbitrary messages to the vehicles Engine Control Unit (ECU), which is the brain of the vehicles drive system. These vulnerabilities in the hands of sufficiently motivated and technical attackers could possibly result in takeover of the exploited vehicle. The team found that the exploits discovered were able to be triggered even when the vehicle is in motion.
BMW was notified of the vulnerabilities found in advance of the team’s publication of their findings. BMW acknowledged the team’s findings and has begun rolling out fixes to the systems which can be updated via over the air updates. Some systems cannot be patched in this method however and require the vehicles to be brought to a dealer to be updated.