Save as PDF

Security assessment

BMW cars with more than a dozen flaws

Published 2018-06-18

Tencent’s Keen Security Lab (China) found 14 vulnerabilities with local and remote access vectors in BMW cars. The Chinese engineers were able to send CAN frames, which impacted CAN-connected ECUs.

(Photo: Keen Security Lab)

The Chinese researchers Lab analyzed both hardware and software on the in-vehicle infotainment head, the telematics control, and the central gateway units of several BMW models. Finally, they could send CAN frames with local and remote access vectors, which caused a mal-function of ECUs.

The IVI system was one of the “doors” to enter the CAN-based in-vehicle networks (Photo: Keen Security Lab)

“In our research, we have already found some ways to influence the vehicle via different kinds of attack chains by sending arbitrary diagnostic messages to electronic control units. Since we were able to gain access to the head unit and telematics control unit, these attack chains are aimed to implement an arbitrary diagnostic message transmission through the central gateway module in order to impact or control ECUs on different CAN networks (e.g. PT-CAN, K-CAN, etc.),” explained the researchers.

The Keen Security Lab engineers followed the “Responsible Disclosure” practice. They informed BMW about the findings before the research summary was reported. Early 2019, the laboratory will release the full technical paper on the detected vulnerabilities. BMW has selected the Chinese researchers as the first winner of the BMW Group Digitalization and IT Research Award.

The IVI system was one of the “doors” to enter the CAN-based in-vehicle networks (Photo: Keen Security Lab)

Between January 2017 and February 2018, the security experts conducted comprehensive tests with various BMW models. In doing so, they focused on head unit and T-Box components of different generations. “BMW belongs to the top 5 % in automotive IT-security, which made it a highly challenging task for our sophisticated team,” said Samuel Lv, Director of Tencent Keen Security Lab.

After 13 months the team of researchers informed the BMW Group about their comprehensive findings on 14 different vulnerabilities directly. Nine of the attack scenarios required a physical connection in the car or a location in the direct vicinity of the vehicle. Five attack scenarios were based on a remote connection using the mobile telephone network. After gaining access to the head unit and T-box components, the researchers executed specifically developed exploits and were able to gain control of the CAN networks to trigger arbitrary, unauthorized diagnostic vehicle functions remotely. The tests were always run in a controlled environment on the premises of the laboratory. The BMW Group is convinced that the study presented constitutes by far the most comprehensive and complex testing ever conducted on BMW Group vehicles by a third party.

The first winners of the BMW Group Digitalization and IT Research Award (Photo: BMW)

Promptly after the internal verification of the findings, the BMW Group’s Automotive Security Team contacted the Chinese experts to confirm the findings and started developing measures. Subsequently, these upgrades were rolled out in the BMW Group backend and uploaded to the telematics control units via over the air connection. The BMW Group develops additional software updates, which as usual will be made available for customers at BMW dealerships. With the collaboration of the two parties, the security updates developed by BMW Group improve the security level of BMW’s products and services for the customers’ benefit.

hz