Tencent Keen Security Lab Uncover Vulnerabilities in BMW Connected Car, Receives Award
【Summary】A total of 14 hacks were discovered by the researchers. The vulnerabilities targeted infotainment systems, wireless communication components and telematics controls.
Many connected vehicles on the road today suffer from vulnerabilities that have not been discovered by hackers and cybersecurity specialists. German automaker BMW is currently in the process of addressing such challenges through third-party testing and research.
In a collaborative project with Chinese researchers from Tencent Keen Security Lab, the car manufacturer was able to expose several harmful exploits plaguing its line of luxury vehicles. A total of 14 hacks were discovered by the researchers. The vulnerabilities targeted infotainment systems, wireless communication components and telematics controls.
Vulnerabilities and Exploits
During the project, the researchers used different attack vectors to achieve their goals. Interestingly, only four methods required criminals to have physical access to the USB ports of the vehicle. Another four vulnerabilities exploited the car's computer, which also required physical access by hackers.
Surprisingly, six methods focused on remote access to the unit's internal systems. Such hacking techniques can lead to the exploitation of secure and isolated system components.
"Our research findings have proved that it is feasible to gain local and remote access to infotainment, T-Box components, and UDS communication above certain speed [for] selected BMW vehicle modules and been able to gain control of the CAN buses with the execution of arbitrary, unauthorized diagnostic requests of BMW in-car systems remotely," said researchers from Tencent's Keen Security Lab.
Taking the attacks one step further, criminals could combine various vulnerabilities to create an efficient hacking strategy. Hence, it is crucial for all the findings to be patched in a timely manner.
According to BMW, third-party testing of in-car platforms is a common and crucial practice within the company. The security exercises conducted by the researchers were completed with the automaker's cybersecurity team. Timeline for testing was from January 2017 to February 2018.
Future Updates Needed
BMW is in the process of addressing the vulnerabilities uncovered by the research group. Discussions about the exploits are currently limited, as full details of the hacks won't be published until security updates have been rolled out. So far, only a summary has been released by the research group. The full report will be published in 2019.
"Subsequently, these upgrades were rolled out in the BMW Group backend and uploaded to the telematics control units via over the air connection. The BMW Group develops additional software updates, which as usual will be made available for customers at BMW dealerships," said the German automaker.
It is important to note that not all BMW models are affected by the vulnerabilities. BMW vehicles affected by exploits surrounding the infotainment system includes the following: BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series and BMW 7 Series. Furthermore, BMW models manufactured from 2012 to present day are affected by vulnerabilities in the Telematics Control Unit (TCB).
Moving forward, the automaker is considering a partnership with Tencent Keen Security Lab for research and development projects related to car security and testing of autonomous vehicles. In the future, BMW plans to conduct cybersecurity tests on Google Android embedded vehicle systems and OTA update protocols.
Michael Cheng is a legal editor and technical writer with publications for Blackberry ISHN Magazine Houzz and Payment Week. He specializes in technology business and digesting hard data. Outside of work Michael likes to train for marathons spend time with his daughter and explore new places.
ISO Releases Drone Standards, Addresses Trespassing and Safety
GAC Unveils the Electrified Aion S
British Columbia Pushes for Zero-emission Vehicles, Sets 2040 Deadline
Ford Open to Driverless Partnerships and Investors
Driverless Startup Apex.AI Completes Series A Round, Raises $15.5 Million
GM Hints at Flying Cars, Talks the Future of EVs
E-scooter Giant Lime to Launch EV Rental Service
Premium E-bike Maker Biomega Debuts Four-passenger EV Concept
- GM, Honda Strike up Partnership to Develop an Autonomous Car
- France Partners with Hitachi and Bosch to Launch Autonomous Trains
- EVgo to Add 100’s More Public DC Fast Chargers in California by the End of 2018
- Ford Proposes Driverless Vehicle Signals for Pedestrian Safety
- Mazda Looks to Electrify 95 Percent of Lineup by 2030
- Major Supplier Johnson Controls Sells its Auto Battery Business for $13.2 Billion
- Electric Car Brand Polestar Announces Plans for a Subscription Service & ‘Polestar Spaces’
- Automotive HUD Startup WayRay Raises $80M in Series C Funding
- Volkswagen CEO Claims Adopting EVs Can Possibly Crash the Automotive Industry
- Waymo’s Commerical Driverless Taxi Service Launches in Arizona