New Vehicle Security Research by KeenLab: Experimental Security Assessment of BMW Cars


by Tencent Keen Security Lab

Introduction

The research on BMW cars is an ethical hacking research project. In the research, Keen Security Lab performed an in-depth and comprehensive analysis of both the hardware and the software of the in-vehicle infotainment Head Unit, the Telematics Control Unit and the Central Gateway Module of multiple BMW vehicles. By focusing mainly on external attack surfaces (including the GSM network, BMW Remote Service, the BMW ConnectedDrive System, Remote Diagnosis, the NGTP protocol, the Bluetooth protocol, and the USB and OBD-II interfaces), Keen Security Lab gained local and remote access to infotainment components, T-Box components and UDS communication above a certain speed on selected modules of multiple BMW vehicles, and was able to gain control of the CAN buses by remotely executing arbitrary, unauthorized diagnostic requests against BMW in-car systems.

Vulnerability Findings

After conducting an intensive security analysis of the electronic control units of multiple BMW cars, Keen Security Lab found 14 vulnerabilities with local and remote access vectors in BMW connected cars. Seven of these vulnerabilities were assigned CVE (Common Vulnerabilities and Exposures) numbers.
All the following vulnerabilities and CVEs have been confirmed by BMW after we submitted the full report and collaborated with them on technical details:
Table: Vulnerabilities and CVEs in Our Research Confirmed by BMW

Attack Chains

In our research, we found several ways to influence the vehicle via different kinds of attack chains by sending arbitrary diagnostic messages to electronic control units. Since we were able to gain access to the Head Unit and the Telematics Control Unit, these attack chains aim to achieve arbitrary diagnostic message transmission through the Central Gateway Module in order to impact or control electronic control units on different CAN buses (e.g. PT-CAN, K-CAN).
Figure: Local Attack Chain

Figure: Remote Attack Chain
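
The attack chains above rely on diagnostic requests originating from the infotainment or telematics side being routed by the gateway toward powertrain buses. The following is an added example, not code from Keen Lab or BMW: a Python model of the policy check a central gateway could apply before forwarding a diagnostic request toward PT-CAN. The bus names, the CAN ID range treated as diagnostic, the speed threshold and the sample frames are constructed assumptions; the service identifiers are the standard UDS (ISO 14229) ones.

```python
# Added example: a central-gateway policy for diagnostic (UDS) requests.
# Illustrative only; bus names, CAN ID range, speed threshold and sample
# frames are constructed assumptions, not taken from any BMW component.
from dataclasses import dataclass
from typing import Optional, Tuple

# UDS service identifiers from ISO 14229, used to classify a request.
SID_DIAGNOSTIC_SESSION_CONTROL = 0x10
SID_ECU_RESET = 0x11
SID_READ_DATA_BY_IDENTIFIER = 0x22
SID_SECURITY_ACCESS = 0x27
SID_WRITE_DATA_BY_IDENTIFIER = 0x2E
SID_INPUT_OUTPUT_CONTROL = 0x2F
SID_ROUTINE_CONTROL = 0x31
SID_TESTER_PRESENT = 0x3E

# Services that can change ECU state or actuate hardware. The policy below
# only lets these through while the vehicle is stationary.
STATE_CHANGING_SIDS = {
    SID_DIAGNOSTIC_SESSION_CONTROL, SID_ECU_RESET, SID_SECURITY_ACCESS,
    SID_WRITE_DATA_BY_IDENTIFIER, SID_INPUT_OUTPUT_CONTROL, SID_ROUTINE_CONTROL,
}

# Constructed assumptions for this example.
DIAG_REQUEST_IDS = range(0x600, 0x700)   # CAN IDs treated as diagnostic requests
TRUSTED_DIAG_SOURCES = {"OBD"}           # buses allowed to originate diagnostics
MAX_SPEED_FOR_STATE_CHANGE_KMH = 0.0     # state-changing services only when stationary


@dataclass(frozen=True)
class CanFrame:
    source_bus: str   # bus the frame arrived on, e.g. "K-CAN" (infotainment side) or "OBD"
    can_id: int
    data: bytes


@dataclass(frozen=True)
class Decision:
    action: str       # "forward" or "drop"
    reason: str


def parse_uds_single_frame(data: bytes) -> Optional[Tuple[int, bytes]]:
    """Extract (service id, payload) from an ISO-TP single frame; None otherwise."""
    if not data:
        return None
    pci = data[0]
    if pci >> 4 != 0:          # 0 = single frame; multi-frame transfers are not handled here
        return None
    length = pci & 0x0F
    if length == 0 or length > len(data) - 1:
        return None            # malformed length field
    return data[1], data[2:1 + length]


def gateway_decision(frame: CanFrame, vehicle_speed_kmh: float) -> Decision:
    """Decide whether the gateway should forward a frame toward PT-CAN."""
    if frame.can_id not in DIAG_REQUEST_IDS:
        return Decision("forward", "not a diagnostic request")
    if frame.source_bus not in TRUSTED_DIAG_SOURCES:
        return Decision("drop", f"diagnostic request from untrusted bus {frame.source_bus}")
    parsed = parse_uds_single_frame(frame.data)
    if parsed is None:
        return Decision("drop", "malformed or unsupported diagnostic frame")
    sid, _payload = parsed
    if sid in STATE_CHANGING_SIDS and vehicle_speed_kmh > MAX_SPEED_FOR_STATE_CHANGE_KMH:
        return Decision("drop", f"service 0x{sid:02X} not permitted while moving")
    return Decision("forward", f"service 0x{sid:02X} permitted")


def filter_frames(frames, vehicle_speed_kmh: float):
    """Apply the policy to a sequence of frames; returns (frame, decision) pairs."""
    return [(f, gateway_decision(f, vehicle_speed_kmh)) for f in frames]


# Constructed sample traffic: not captured from any vehicle.
SAMPLE_FRAMES = [
    CanFrame("K-CAN", 0x1A0, bytes.fromhex("0000000000000000")),   # ordinary signal frame
    CanFrame("K-CAN", 0x680, bytes.fromhex("0210030000000000")),   # session control from infotainment side
    CanFrame("OBD",   0x680, bytes.fromhex("022E01FF00000000")),   # WriteDataByIdentifier over OBD
    CanFrame("OBD",   0x680, bytes.fromhex("0322F19000000000")),   # ReadDataByIdentifier over OBD
    CanFrame("OBD",   0x680, bytes.fromhex("1010310100000000")),   # first frame of a multi-frame transfer
]

if __name__ == "__main__":
    for frame, decision in filter_frames(SAMPLE_FRAMES, vehicle_speed_kmh=50.0):
        print(f"{frame.source_bus:6} 0x{frame.can_id:03X} {frame.data.hex()} "
              f"-> {decision.action}: {decision.reason}")
```

Run with a speed of 50 km/h, the model forwards the ordinary signal frame and the read request, and drops the session-control request from the infotainment-side bus, the write request while moving, and the multi-frame fragment; at 0 km/h the write request over OBD is forwarded. The two properties that matter for the attack chains in this report are the source-bus check (diagnostics from infotainment or telematics-facing buses are never routed to PT-CAN) and the speed gate on state-changing services.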

Vulnerable BMW Models

In our research, the vulnerabilities we found mainly exist in the Head Unit, the Telematics Control Unit (TCB), and the Central Gateway Module. Based on our research experiments, we can confirm that the vulnerabilities present in the Head Unit affect several BMW models, including the BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series and BMW 7 Series. The vulnerabilities present in the Telematics Control Unit (TCB) affect the BMW models equipped with this module and produced from 2012 onwards.
The table below lists the vulnerable BMW models we tested during our research, each with the firmware versions of the specific components.
Table: Vulnerable BMW models in our test

Different BMW car models may be equipped with different components, and even the same component may carry different firmware versions over the product lifecycle, so the scope of vulnerable car models is hard for us to confirm precisely. Theoretically, from our perspective, any BMW model equipped with these vulnerable components could be compromised if the corrective measures had not already been effectively implemented by BMW.

BMW confirmed that the vulnerabilities found are present in the infotainment and T-Box components mentioned above. Updates have already been developed and implemented by BMW (see below).

Disclosure Timeline

The research on BMW cars is an ethical hacking research project. Keen Lab follows the “Responsible Disclosure” practice, which is well recognized by global manufacturers in the software and internet industries, to work with BMW on fixing the vulnerabilities and attack chains listed in this report.

Below is the detailed disclosure timeline.

January 2017: Keen Lab kicked off the BMW security research project internally.
February 2018: Keen Lab proved all the vulnerability findings and attack chains in an experimental environment.
February 25, 2018: Keen Lab reported all the research findings to BMW.
March 9, 2018: BMW fully confirmed all the vulnerabilities reported by Keen Lab.
March 22, 2018: BMW provided the planned technical mitigation measures for the vulnerabilities reported by Keen Lab.
April 5, 2018: CVE numbers related to the vulnerabilities have been reserved. (CVE-2018-9322, CVE-2018-9320, CVE-2018-9312, CVE-2018-9313, CVE-2018-9314, CVE-2018-9311, CVE-2018-9318)
May 22, 2018: This summary report is released to the public.
Early 2019: Keen Lab will release the full technical paper.

BMW informed Keen Security Lab that, for all the attacks via cellular networks, BMW started implementing measures in March 2018. These measures have been rolling out since mid-April 2018 and are distributed remotely to the affected vehicles via configuration updates. Additional security enhancements are being developed by BMW in the form of optional software updates. These will be available through the BMW dealer network.

Press Release from BMW Group

The BMW Group is convinced that the presented study constitutes by far the most comprehensive and complex testing ever conducted on BMW Group vehicles by a third party. For this outstanding research work, Tencent Keen Security Lab has been selected as the first winner of the BMW Group Digitalization and IT Research Award.

https://www.press.bmwgroup.com/global/article/detail/T0281245EN

Research Summary Report

Please refer to the following link to learn more about our research:
Experimental Security Assessment of BMW Cars by KeenLab.pdf

Joint Video

About Tencent Keen Security Lab

Figure: Participants of BMW project at Keen Lab
Tencent Keen Security Lab[1] (abbreviated “Keen Lab”) is a professional security research team within Tencent, focusing on information security research into both attack and protection techniques. In the past years, Keen Lab has built security research partnerships with global manufacturers in the software, hardware and internet industries, and achieved many world-leading security research results.

Since 2015, Keen Lab has run research projects in the IoT[2] and Connected Vehicle categories and built partnerships with manufacturers in the IoT and car industries. In 2016 and 2017, Keen Lab published the globally well-known research on “Tesla Model S and Model X Remote Hacking”, following the “Responsible Disclosure” practice to report the vulnerabilities and attack chains to Tesla[3,4].

[1] https://keenlab.tencent.com/

[2] https://keenlab.tencent.com/zh/2017/04/01/remote-attack-on-mi-ninebot/

[3] https://keenlab.tencent.com/en/2016/09/19/Keen-Security-Lab-of-Tencent-Car-Hacking-Research-Remote-Attack-to-Tesla-Cars/

[4] https://keenlab.tencent.com/en/2017/07/27/New-Car-Hacking-Research-2017-Remote-Attack-Tesla-Motors-Again/