BMW's in-car systems found to contain 14 flaws

Chinese security researchers have found 14 vulnerabilities in the on-board compute units of BMW vehicles, some of which can be remotely exploited to compromise vehicle functions.

The team behind the research. (Credit: Tencent Keen Security Lab)

Tencent Keen Security Lab disclosed the vulnerabilities in a paper overnight [pdf], but said it would not release a full copy of the research until next year, once BMW had fully mitigated against the flaws.

Keen Lab said that seven of the 14 flaw had been assigned CVE numbers, though these were presently undescribed in the CVE database.

The flaws are said to exist in three interconnected modules: the car’s “Infotainment System (a.k.a Head Unit), Telematics Control Unit and Central Gateway Module.”

“All the software vulnerabilities we found can be fixed by online reconfiguration and offline firmware update,” the researchers said.

“Currently, BMW is in progress working on the mitigation plans, and some high priority countermeasures are already in the rollout.”

Keen said the head unit vulnerabilities affected models including BMW’s i Series, X Series, 3 Series, 5 Series, and 7 Series vehicles.

In addition, flaws in the telematics unit impacted vehicles built since 2012.

The flaws were disclosed to BMW in late February following a year-long research effort by Keen Lab.

Countermeasures to combat the most serious flaws are already being deployed by the carmarker.

Exploiting some of these flaws would require “advanced expertise”, BMW noted in a letter included in Keen Lab’s report.

For example, an attacker would need to have control over an in-range mobile base station in order to remotely hack into a vehicle.

"Nine of the attack scenarios required a physical connection in the car or a location in the direct vicinity of the vehicle," BMW said in an extensive statement.

"Five attack scenarios were based on a remote connection using the mobile telephone network.

"Identifying, preparing and implementing attack scenarios via [a] mobile network requires comprehensive expertise."

Nevertheless, BMW indicated it has been deploying “measures ... since mid of April 2018 that are distributed via configuration updates remotely to the affected vehicles,” Keen Lab said.

“Additional security enhancements are developed by BMW in form of optional software updates. These will be available through the BMW dealer network.”

The same researchers have previously found zero-day exploits in various in-car modules used by Tesla.