The team from Tencent’s Keen Security Lab tested several car models over a year, focusing on the Head Unit, Telematics Control Unit and Central Gateway Module.
“Through mainly focusing on the various external attack surfaces of these units, we discovered that a remote targeted attack on multiple internet-connected BMW vehicles in a wide range of areas is feasible, via a set of remote attack surfaces (including GSM Communication, BMW Remote Service, BMW ConnectedDrive Service, UDS Remote Diagnosis, NGTP protocol, and Bluetooth protocol),” the report noted.
“Therefore, it’s susceptible for an attacker to gain remote control to the CAN buses of a vulnerable BMW car by utilizing a complex chain of several vulnerabilities existing in different vehicle components. In addition, even without the capability of internet-connected, we are also able to compromise the Head Unit in physical access ways (e.g. USB, Ethernet and OBD-II). Based on our testing, we confirm that all the vulnerabilities would affect various modern BMW models.”
Attacks that lead to remote control of the CAN bus could enable third parties to interfere with steering, brakes, accelerator and other key physical functions of the vehicle.
Affected models include the BMW i Series, X1 sDrive, 5 Series, and 7 Series. The researchers reported their findings to BMW in February, and the manufacturer has been rolling out mitigations remotely and via optional software updates from dealerships since then.
Natan Bandler, CEO of Cy-oT, argued the research shows that connected car vulnerabilities often arise in overlooked areas such as the infotainment system.
“It’s always the innocent items, the ones that are invisible and the ones that we tend to neglect that are the easiest way in for a hacker,” he argued.
“We need to think from the point of view of the attacker. They’re looking for the path of least resistance; areas that are uncovered, neglected and that no one cares about, and entertainment systems are exactly this.”