Automakers have been capitalizing on technological advancements to offer many innovative in-car features. In this fiercely competitive market, it has become essential for them to innovate and offer different solutions to attract customers and build a loyal customer base. Autonomous car projects have been launched by every major manufacturer. Moreover, connected cars will be launched in the future as the infrastructure is upgraded. The automobile industry is using a variety of technologies in cars, and these technologies need to be secured, because access by hackers can endanger the most important factor in automobiles: safety. If a technology is unsafe and can be exploited remotely, it jeopardizes the lives of drivers and passengers. Checking every system thoroughly before it is deployed in cars is essential. Even after careful checking, some vulnerabilities remain in those cars. However, if security researchers discover them and inform the manufacturer, that benefits the safety of drivers and passengers as well as the manufacturer. This is what has happened recently.
Researchers at the Chinese firm Tencent Keen Security Lab discovered a total of 14 vulnerabilities in the on-board computers of various BMW models. Now that the vulnerabilities have been identified, the leading automaker needs to issue patches over the air and through dealer networks. These vulnerabilities affect BMW’s i Series, X1 sDrive, 5 Series, and 7 Series models manufactured since 2012. The telematics control units, infotainment units, and wireless communication systems of these models are vulnerable. Four of the vulnerabilities required physical access to the vehicle’s computer, four required physical USB access to the car, and the remaining six could be exploited remotely. The discovery sent a wave of worry through the automobile firm, as it needs to roll out patches as soon as possible.
“Our research findings have proved that it is feasible to gain local and remote access to infotainment, T-Box components, and UDS communication above certain speed [for] selected BMW vehicle modules and been able to gain control of the CAN buses with the execution of arbitrary, unauthorized diagnostic requests of BMW in-car systems remotely,” wrote the researchers at Tencent’s Keen Security Lab in a preliminary report. The Chinese firm will release the entire report in 2019.
If a hacker gains physical access, the Ethernet, USB, and OBD-II ports can be exploited because these ports do not have any security restrictions. They could be used to gain access to the internet connectivity of the head unit and to identify exposed internal services. Hackers can also capitalize on vulnerabilities through remote code execution. They can exploit memory corruption vulnerabilities, which enabled the bypass of signature protection in the firmware and of the secure isolation of various system components. Through access to the CAN buses, a hacker can remotely access diagnostic functions by taking advantage of a chain of multiple vulnerabilities across various impacted vehicle components.
BMW has awarded the Chinese security team its first-ever BMW Group Digitalization and IT Research Award. The award honors Tencent Keen Security Lab’s work in advancing automotive security. “With this award, we want to honor the experts who support us in the transformation towards digitalized mobility,” said Christoph Grote, BMW Group’s senior vice president of electronics. “We thank Tencent Keen Security Lab for their tremendous effort, their sophisticated research and the highly professional collaboration.”
BMW’s cybersecurity team noted that third parties play a crucial role in improving automotive security by conducting extensive analysis of products and services. Such research helps in finding vulnerabilities and fixing them, which in turn assures the safety of users. This discovery by Tencent Keen Security Lab is considered a significant one in the ever-evolving automobile industry.