Report: Chinese researchers unveil security flaws in BMW vehicles
The security gaps were found in the infotainment head unit, the telematics control unit (TCU) and the central gateway module, which connects the main buses to the individual electronic control units (ECUs). Among other things, the experts of Tencent Keen Security Lab succeeded in sending commands to the internal CAN bus via a compromised cellular (telematics) connection.
According to the security experts, unauthorized access to the vehicle systems was possible both through physical interfaces such as the USB socket or the OBD-II connector and remotely via Bluetooth or the cellular network. To give BMW time to remedy the flaws, the technical details will not be published until next year.
While some of these problems can be fixed by software updates delivered over the air, others require a visit to the workshop. According to the study, the flaws affect numerous BMW models, including the i, X, 3, 5 and 7 Series, and the TCU flaw affects every model fitted with that unit since 2012.
Modern vehicles have an increasing number of interfaces to the outside world through which malicious code can in principle be introduced, from text messages and e-mails to connected third-party accessories and even V2X applications. According to the Keen Security Lab study, it is possible, albeit with considerable effort, to find and exploit security flaws there. For instance, the researchers found that the internal USB interface looks for update packages on a USB stick as soon as one is plugged in. The problem: not all of those update packages have to be signed by BMW. An attacker can use this to obtain root privileges on the Intel-based head unit (which, incidentally, is supplied by Harman).
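The reported weakness is that signing is optional: a package without a BMW signature is still installed. The following is an added example written for this page, not BMW's or Harman's update code; the package format is invented, and HMAC-SHA256 with a constructed key stands in for the vendor signature so that it runs on the Python standard library alone. It shows a loader that reproduces the "signature checked only if present" pattern (and, as a second common mistake, never ties the payload to the signed manifest) beside a loader that fails closed.

```python
"""Update-package loader: 'signature optional' flaw beside a hardened version.

Added example for this article; it is not BMW's or Harman's update code and the
package format is invented. HMAC-SHA256 stands in for the signature so the
example runs on the standard library; a real unit must verify an asymmetric
signature (RSA/ECDSA) with a public key, because an HMAC key on the unit is a
secret an attacker with root could simply read out.
"""
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key"  # stand-in for the vendor's signing key


class RejectedUpdate(Exception):
    pass


def _manifest_bytes(manifest):
    # Canonical encoding: the signature must cover exactly these bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def _signature(manifest, key):
    return hmac.new(key, _manifest_bytes(manifest), hashlib.sha256).hexdigest()


def build_package(name, version, payload, key=SIGNING_KEY, signed=True):
    """Produce a package as a USB stick would carry it (constructed format)."""
    manifest = {"name": name, "version": version,
                "payload_sha256": hashlib.sha256(payload).hexdigest()}
    package = {"manifest": manifest, "payload": payload}
    if signed:
        package["signature"] = _signature(manifest, key)
    return package


def vulnerable_loader(package, key=SIGNING_KEY):
    """Mirror of the reported pattern: a signature is checked only if one is
    present, so an unsigned package is installed as-is. The payload hash is
    never compared either, so a signed manifest can be paired with any image."""
    manifest = package["manifest"]
    if "signature" in package:
        if not hmac.compare_digest(_signature(manifest, key), package["signature"]):
            raise RejectedUpdate("bad signature")
    return manifest["name"], package["payload"]


def hardened_loader(package, key=SIGNING_KEY):
    """Fail closed: no signature means no install, and the payload must match
    the hash carried inside the signed manifest."""
    manifest = package.get("manifest")
    signature = package.get("signature")
    payload = package.get("payload", b"")
    if not isinstance(manifest, dict) or not isinstance(signature, str):
        raise RejectedUpdate("unsigned package")
    if not hmac.compare_digest(_signature(manifest, key), signature):
        raise RejectedUpdate("signature mismatch")
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, str(manifest.get("payload_sha256", ""))):
        raise RejectedUpdate("payload does not match signed manifest")
    return manifest["name"], payload


def outcome(loader, package):
    """Run a loader and report 'installed' or the rejection reason."""
    try:
        loader(package)
        return "installed"
    except RejectedUpdate as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    genuine = build_package("hu-firmware", "2.1", b"genuine image")
    unsigned = build_package("rootshell", "9.9", b"attacker image", signed=False)
    swapped = dict(genuine, payload=b"attacker image")  # valid signature, foreign payload
    for label, pkg in [("genuine", genuine), ("unsigned", unsigned), ("swapped", swapped)]:
        print(f"{label:9} vulnerable={outcome(vulnerable_loader, pkg):48} "
              f"hardened={outcome(hardened_loader, pkg)}")
```

The two loaders differ only in what they refuse. The hardened one treats a missing signature as a rejection rather than a skipped check, and it binds the payload to the manifest so that a genuine signed manifest cannot be reused to ship a different image; a production loader would additionally enforce a version floor to block rollback to an older, vulnerable release.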
Access to the head unit is also possible via E-Net, an internal Ethernet that is reachable through the car's OBD-II diagnostic connector; the head unit and the central gateway also talk to each other over this connection. Through reverse engineering, the researchers were able to circumvent the code-signing mechanism and obtain root access to the head unit.

From this foothold, they identified flaws in the Bluetooth stack that links smartphones to the infotainment system. Crafted messages could trigger a memory-corruption error in the stack; at the very least this crashed it during pairing, without any PIN, and forced the head unit to reboot.

After further laborious reverse engineering, the researchers were also able to exploit a memory-corruption error to bypass the HTTPS encryption. That in turn, at least in principle, allowed them to send arbitrary diagnostic messages to the ECUs connected to the CAN buses, which could cause serious safety problems, such as resetting an ECU while the car is being driven.
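The last step of the chain above, injected diagnostic messages reaching the CAN bus, is something a gateway or an in-vehicle intrusion-detection function can at least watch for. The following is an added example written for this page, not Keen Security Lab's tooling and not BMW code: it parses candump-style log lines, decodes ISO-TP single frames and flags UDS requests such as ECUReset (service 0x11 in ISO 14229-1) that arrive while the vehicle is moving. The log lines, the speed broadcast on CAN ID 0x1A0 and its scaling are constructed for the example; the diagnostic request IDs 0x7DF and 0x7E0 to 0x7E7 are the conventional OBD-II ones and may differ on a given car.

```python
"""Flag UDS diagnostic requests that reach the CAN bus while the car is moving.

Added example for this article, not Keen Security Lab's tooling and not BMW code.
Assumptions (constructed for the example): candump-style lines "(ts) iface ID#DATA",
ISO-TP single frames only, speed broadcast on CAN ID 0x1A0 with km/h in byte 0,
and the conventional OBD-II diagnostic request IDs 0x7DF / 0x7E0-0x7E7.
"""
import re

# Request service identifiers from ISO 14229-1 (UDS).
UDS_SERVICES = {
    0x10: "DiagnosticSessionControl",
    0x11: "ECUReset",
    0x22: "ReadDataByIdentifier",
    0x27: "SecurityAccess",
    0x2E: "WriteDataByIdentifier",
    0x31: "RoutineControl",
    0x34: "RequestDownload",
    0x3E: "TesterPresent",
}

# Services that should never be honoured from an untrusted sender at speed:
# resetting or reflashing a driving-relevant ECU is the safety case at issue.
DANGEROUS_WHILE_MOVING = {0x10, 0x11, 0x27, 0x2E, 0x31, 0x34}

DIAG_REQUEST_IDS = {0x7DF} | set(range(0x7E0, 0x7E8))
SPEED_ID = 0x1A0  # constructed; real speed IDs and scalings are OEM-specific

LINE_RE = re.compile(
    r"\((?P<ts>[\d.]+)\)\s+\S+\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)


def parse_candump_line(line):
    """Return (timestamp, can_id, data_bytes) or None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if not m or len(m["data"]) % 2:
        return None
    return float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])


def decode_isotp_single_frame(payload):
    """Return the UDS bytes carried by an ISO-TP single frame, else None.

    Byte 0: high nibble = PCI type (0 = single frame), low nibble = data length.
    """
    if not payload:
        return None
    pci_type, length = payload[0] >> 4, payload[0] & 0x0F
    if pci_type != 0 or length == 0 or length > len(payload) - 1:
        return None
    return payload[1:1 + length]


def scan(lines):
    """Track the last known speed and collect dangerous diagnostic requests."""
    speed_kmh = 0
    alerts = []
    for line in lines:
        parsed = parse_candump_line(line)
        if parsed is None:
            continue
        ts, can_id, data = parsed
        if can_id == SPEED_ID and data:
            speed_kmh = data[0]
            continue
        if can_id not in DIAG_REQUEST_IDS:
            continue
        uds = decode_isotp_single_frame(data)
        if uds is None:
            continue
        sid = uds[0]
        if sid in DANGEROUS_WHILE_MOVING and speed_kmh > 0:
            alerts.append({
                "ts": ts,
                "can_id": can_id,
                "sid": sid,
                "service": UDS_SERVICES.get(sid, "unknown"),
                "subfunction": uds[1] if len(uds) > 1 else None,
                "speed_kmh": speed_kmh,
            })
    return alerts


# Constructed log: standstill, then 60 km/h, then a reset and a security-access
# request of the kind an attacker with CAN write access could inject.
SAMPLE_LOG = [
    "(1.000) can0 1A0#0000000000000000",  # speed 0 km/h
    "(1.100) can0 7DF#023E000000000000",  # TesterPresent: harmless
    "(1.200) can0 7E0#0210030000000000",  # extended session while stationary: not flagged
    "(2.000) can0 1A0#3C00000000000000",  # speed 60 km/h
    "(2.100) can0 7E0#0211010000000000",  # ECUReset hardReset at speed: flagged
    "(2.200) can0 7E0#0227010000000000",  # SecurityAccess requestSeed at speed: flagged
    "(2.300) can0 7DF#0322F19000000000",  # ReadDataByIdentifier (VIN): read-only, not flagged
    "(2.400) can0 7E0#1010340000000000",  # ISO-TP first frame: multi-frame not decoded here
    "not a candump line",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"t={alert['ts']:.3f} id=0x{alert['can_id']:03X} "
              f"{alert['service']} sub={alert['subfunction']} at {alert['speed_kmh']} km/h")
```

The check keys on the vehicle state rather than on the sender, because on a plain CAN bus the sender cannot be authenticated anyway: a reset or reflash request is legitimate in a workshop at standstill and suspect at 60 km/h. A gateway that enforces this rule blocks the frame; a passive monitor merely logs it, and multi-frame ISO-TP requests (RequestDownload with a long address block, for instance) would need a reassembler before the same service check applies.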
According to the article, BMW has acknowledged the security flaws; some of them have already been fixed through OTA updates. For the others, fixes are under development and will be offered to car owners as soon as they are available.
Related material: Golem article (in German)
More eeNews Europe articles on automotive cyber security:
Infineon leads research project for car IT security
The “Swiss Cheese” Approach to Automotive Security
JLR takes Blackberry security inside
Innovation May Be Outpacing Security in Cars