Chinese security researchers have uncovered a handful of security vulnerabilities in several BMW car models, including a remote exploitation flaw, some of which date back to 2012. Tencent Keen Security Lab discovered 14 flaws affecting some of the carmaker’s high-profile models, including the BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series and BMW 7 Series.
Tencent discovered these flaws during a year-long experiment conducted between January 2017 and February 2018. The security firm published a detailed 26-page technical report on the 14 vulnerabilities after BMW was notified and began rolling out mitigations.
Researchers said the vulnerabilities impacted the infotainment system, the Telematics Control Unit (TCU) and the central gateway module. To carry out a successful remote hack of a BMW car, the attacker would need to hack a local GSM mobile network. While testing the attack, researchers were able to hack the BMW cars using a USB stick or a remote hack performed using a software-defined radio. Although both Keen Security Lab and BMW described the attack as , it is not impossible to achieve.
"Our research findings have proved that it is feasible to gain local and remote access to infotainment, T-Box components and UDS communication above certain speed of selected BMW vehicle modules and been able to gain control of the CAN buses with the execution of arbitrary, unauthorized diagnostic requests of BMW in-car systems remotely," Keen Lab researchers said.
Out of the 14 bugs discovered, seven have been assigned standard CVE numbers, while the others are awaiting CVE assignment.
“All the software vulnerabilities we found can be fixed by online reconfiguration and offline firmware update,” the researchers said. BMW said it has already deployed “configuration updates” using its over-the-air component update system and is currently working on delivering firmware patches for all affected cars. The firmware patches require offline updates that can be implemented when customers bring their cars to authorized service centers.
BMW has acknowledged the Tencent Keen Security Lab researchers for their work and named them the first winner of the BMW Group Digitalization and IT Research Award. The researchers said the initial report is just a technical overview of the flaws, noting that a second, detailed report with proof-of-concept code will be released in 2019.
There have been other security issues affecting the German carmaker in the past, including flaws affecting 2G modems used in the cars, an authentication flaw in the RemoteLink smartphone app and a zero-day affecting the BMW web portal.