Tencent Keen Security Lab Uncover Vulnerabilities in BMW Connected Car, Receives Award
【Summary】A total of 14 hacks were discovered by the researchers. The vulnerabilities targeted infotainment systems, wireless communication components and telematics controls.
Many connected vehicles on the road today suffer from vulnerabilities that have not been discovered by hackers and cybersecurity specialists. German automaker BMW is currently in the process of addressing such challenges through third-party testing and research.
In a collaborative project with Chinese researchers from Tencent Keen Security Lab, the car manufacturer was able to expose several harmful exploits plaguing its line of luxury vehicles. A total of 14 hacks were discovered by the researchers. The vulnerabilities targeted infotainment systems, wireless communication components and telematics controls.
Vulnerabilities and Exploits
During the project, the researchers used different attack vectors to achieve their goals. Interestingly, only four methods required criminals to have physical access to the USB ports of the vehicle. Another four vulnerabilities exploited the car's computer, which also required physical access by hackers.
Surprisingly, six methods focused on remote access to the unit's internal systems. Such hacking techniques can lead to the exploitation of secure and isolated system components.
"Our research findings have proved that it is feasible to gain local and remote access to infotainment, T-Box components, and UDS communication above certain speed [for] selected BMW vehicle modules and been able to gain control of the CAN buses with the execution of arbitrary, unauthorized diagnostic requests of BMW in-car systems remotely," said researchers from Tencent's Keen Security Lab.
Taking the attacks one step further, criminals could combine various vulnerabilities to create an efficient hacking strategy. Hence, it is crucial for all the findings to be patched in a timely manner.
According to BMW, third-party testing of in-car platforms is a common and crucial practice within the company. The security exercises conducted by the researchers were completed with the automaker's cybersecurity team. Timeline for testing was from January 2017 to February 2018.
Future Updates Needed
BMW is in the process of addressing the vulnerabilities uncovered by the research group. Discussions about the exploits are currently limited, as full details of the hacks won't be published until security updates have been rolled out. So far, only a summary has been released by the research group. The full report will be published in 2019.
"Subsequently, these upgrades were rolled out in the BMW Group backend and uploaded to the telematics control units via over the air connection. The BMW Group develops additional software updates, which as usual will be made available for customers at BMW dealerships," said the German automaker.
It is important to note that not all BMW models are affected by the vulnerabilities. BMW vehicles affected by exploits surrounding the infotainment system includes the following: BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series and BMW 7 Series. Furthermore, BMW models manufactured from 2012 to present day are affected by vulnerabilities in the Telematics Control Unit (TCB).
Moving forward, the automaker is considering a partnership with Tencent Keen Security Lab for research and development projects related to car security and testing of autonomous vehicles. In the future, BMW plans to conduct cybersecurity tests on Google Android embedded vehicle systems and OTA update protocols.
Michael Cheng is a legal editor and technical writer with publications for Blackberry ISHN Magazine Houzz and Payment Week. He specializes in technology business and digesting hard data. Outside of work Michael likes to train for marathons spend time with his daughter and explore new places.
Ford's New AV Subsidiary Offers Opportunities for Investors
Wipro Forges Partnership with Genesys to Boost Autonomous Vehicle Projects
Apple Files Patent for Augmented-reality Windshield
Virginia to Install EV Charging Stations Using Funds from VW Settlement
Drive.ai Unleashes Colorful, Flashy Self-driving Vans for Trials in Texas
Waymo Tests Price Points for Driverless Rides
Boeing to Open Autonomous Aircraft and Vehicles Research Facility at MIT
Autonomous Flight Startup Xwing Raises $4M in Seed Funding Round
- Tesla Model 3 Breaks into Top 10 U.S. Passenger Car Sales in July
- Didi Investing $1 Billion Into its Auto Service Platform
- Volkswagen to Build two EVs in the US
- New York City Votes to Limit the Number of Uber & Lyft Vehicles
- Largest U.S. Grocery Chain Begins Autonomous Delivery Service in Arizona
- Aurora Labs Raises $8.4 Million for its 'Self-Healing' Automotive Software
- Baidu Crosses Major Milestone in Driverless Bus Production
- New York City Looking to Cap the Number of Uber & Lyft Vehicles
- The Motley Fool Names 5 Industries Autonomous Cars Will Drastically Impact
- Uber Puts its Self-Driving Volvos Back Out On Pittsburgh Streets, ‘With Drivers’