BMW backdoors expose IoT flaws on the road

CHINESE infosec researchers working for Keen Security Lab, a cybersecurity research unit operating out of Chinese company Tencent, have discovered multiple vulnerabilities in cars from the BMW group, which have been rolling off production lines since as early as 2012.

Keen Security recently hit the headlines having found similar vulnerabilities in tech modules used by Tesla that potentially might have allowed hackers to take control of compromised vehicles.

The researchers’ 26-page report is available here although their findings have been partially redacted to prevent widespread abuse of the flaws.

BMW has already started rolling out mitigation measures with a series of updates and patches for the in-car systems.

Car manufacturers are keen to differentiate their products by placing them at the forefront of what is possible technologically – although long automotive development cycles mean that car tech, typically, is usually two to four years behind “pure technology” products.

As more tech end up in vehicles, the finished products are increasingly susceptible to attack, as so-called smart devices begin to proliferate right across automobile systems, from drivetrains & brakes to in-car entertainment units.

The vast majority of mainstream automobile manufacturers do not have the funds nor the ability to design their smart technologies from scratch, which exposes the first chink in their cybersecurity armor. Rather than developing integrated circuits and chipsets from scratch – which is prohibitively expensive – manufacturers instead use existing hardware such as system-on-chip readymades which may never have been designed to be “safe,” per se.

Additionally, automobile engineers’ focus tends to be on adding value for drivers and passengers at the lowest possible cost, rather than ensuring watertight cybersecurity.

As mainstream cars’ technology approaches the level required for full autonomy, even the most advanced car manufacturers are discovering that the road down which they travel, metaphorically, is potholed. Recent findings on the Uber fatality in Arizona have found fault in the software rather than in the on-car hardware sensors, suggesting that it is the software manufacturers who may end up liable for injuries or fatalities.

Warning: The video below contains disturbing images.

The flaws in the BMW systems include eight in the internet-connected infotainment system which plays media;
two flaws affecting the central gateway module that handles diagnostic messages; and four issues with the telematics unit. The latter provides cellphone connectivity, automates assistance calls after an accident, and operates door locks remotely.

While some of the flaws would require hackers to gain physical access to USB ports either in the car or under the hood, others can be exploited wirelessly. The issues highlight the susceptibility of the real-world implementation of internet of things (IoT) devices and the difficulties of protecting a wide range of networked “smart” devices in superabundant deployments.

In esoteric settings such as specialist manufacturies, IoT’s cyber resilience may not be much of a concern for the larger population, but given that everyone owns, or aspires to own, a car, IoT cybersecurity suddenly becomes a very pressing issue.

---

---

---