Tencent Keen Security Lab Uncover Vulnerabilities in BMW Connected Car, Receives Award
【Summary】A total of 14 hacks were discovered by the researchers. The vulnerabilities targeted infotainment systems, wireless communication components and telematics controls.
Many connected vehicles on the road today suffer from vulnerabilities that have not been discovered by hackers and cybersecurity specialists. German automaker BMW is currently in the process of addressing such challenges through third-party testing and research.
In a collaborative project with Chinese researchers from Tencent Keen Security Lab, the car manufacturer was able to expose several harmful exploits plaguing its line of luxury vehicles. A total of 14 hacks were discovered by the researchers. The vulnerabilities targeted infotainment systems, wireless communication components and telematics controls.
Vulnerabilities and Exploits
During the project, the researchers used different attack vectors to achieve their goals. Interestingly, only four methods required criminals to have physical access to the USB ports of the vehicle. Another four vulnerabilities exploited the car's computer, which also required physical access by hackers.
Surprisingly, six methods focused on remote access to the unit's internal systems. Such hacking techniques can lead to the exploitation of secure and isolated system components.
"Our research findings have proved that it is feasible to gain local and remote access to infotainment, T-Box components, and UDS communication above certain speed [for] selected BMW vehicle modules and been able to gain control of the CAN buses with the execution of arbitrary, unauthorized diagnostic requests of BMW in-car systems remotely," said researchers from Tencent's Keen Security Lab.
Taking the attacks one step further, criminals could combine various vulnerabilities to create an efficient hacking strategy. Hence, it is crucial for all the findings to be patched in a timely manner.
According to BMW, third-party testing of in-car platforms is a common and crucial practice within the company. The security exercises conducted by the researchers were completed with the automaker's cybersecurity team. Timeline for testing was from January 2017 to February 2018.
Future Updates Needed
BMW is in the process of addressing the vulnerabilities uncovered by the research group. Discussions about the exploits are currently limited, as full details of the hacks won't be published until security updates have been rolled out. So far, only a summary has been released by the research group. The full report will be published in 2019.
"Subsequently, these upgrades were rolled out in the BMW Group backend and uploaded to the telematics control units via over the air connection. The BMW Group develops additional software updates, which as usual will be made available for customers at BMW dealerships," said the German automaker.
It is important to note that not all BMW models are affected by the vulnerabilities. BMW vehicles affected by exploits surrounding the infotainment system includes the following: BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series and BMW 7 Series. Furthermore, BMW models manufactured from 2012 to present day are affected by vulnerabilities in the Telematics Control Unit (TCB).
Moving forward, the automaker is considering a partnership with Tencent Keen Security Lab for research and development projects related to car security and testing of autonomous vehicles. In the future, BMW plans to conduct cybersecurity tests on Google Android embedded vehicle systems and OTA update protocols.
Michael Cheng is a legal editor and technical writer with publications for Blackberry ISHN Magazine Houzz and Payment Week. He specializes in technology business and digesting hard data. Outside of work Michael likes to train for marathons spend time with his daughter and explore new places.
AAA Nevada Launches Driverless Bus Wedding Competition
Flyer: Kitty Hawk Unveils Flying Car for Recreational Use
Phantom Auto Helps Self-driving Cars Get Out of Tricky Situations on the Road
GE Launches AiRXOS to Improve Drone Fleet Management
Alibaba's Ele.me Turns to Drones for Faster Food Deliveries
California Rolls Out Digital License Plates
Colorado to Test Smart Pavement for Road Safety
Daimler Shakes Up Smart Car Top Management in Brand Overhaul
- Ford Testing On-Demand Autonomous Delivery with Postmates in Florida
- Chinese EV Startup Singulato Reveals Details Behind iS6 SUV
- Kia Motors Will Debut 48V Diesel Hybrid Powertrain This Year
- New York Devotes $250 Million to EV Infrastructure
- Stanford Panel Experts Predict Driverless Cars 10 Years Away
- GM’s Super Cruise Autonomous Driving System Coming to Other Models
- Hyundai Mobis Plans to Become a Leader in Autonomous Driving Technology
- Audi Plans to Sell 800,000 EVs and Hybrid Cars by 2025
- Ford to Launch an Independent Driverless Fleet Network by 2021
- Chinese Electric Vehicle Startup NIO Exploring U.S. IPO