Tencent's Keen Security Lab has revealed a number of vulnerabilities in the onboard compute systems of select BMW vehicles.
Between January 2017 and February 2018, Tencent Keen Security Lab researchers conducted tests with various BMW models, with a focus on the head unit and T-Box components.
After 13 months of research, the team discovered 14 vulnerabilities which could place connected cars at risk of compromise.
The tests were conducted with BMW's backing and in laboratory conditions. Impacted vehicles are included in the automaker's i Series, X1 sDrive, 5 Series, and 7 Series.
In total, as documented in Keen Security Lab's technical report (.PDF), nine of the attack scenarios presented required physical access to the target vehicle, while five were based on using a mobile Internet connection.
The vulnerabilities permitted attackers to access the head unit -- otherwise known as the infotainment system -- and T-Box components, including the Telematics Control Unit and the Central Gateway Module, of the vehicles involved in the tests. This enabled the creation and deployment of exploit chains designed to seize control of the CAN buses.
The exposure of CAN buses to attack is a serious issue considering that these buses connect all of a car's functions. Once the CAN buses were under attacker control, the researchers were able to trigger arbitrary diagnostic functions remotely.
Keen Security Lab also came across memory corruption vulnerabilities, logic errors, bugs which could break secure isolation system areas, and vulnerabilities which could lead to remote code execution.
The team was also able to compromise the car physically through exploiting USB, Ethernet, and OBD-II connections.
"With network drivers, the USB-Ethernet network will be enabled when a USB dongle with some specific chipsets plugged in," the report states. "[The] NBT head unit will act as a network gateway with a fixed IP address (192.168.0.1). What's worse, there aren't any security restrictions to such USB Ethernet Interface, which makes it possible to obtain access to the internal network of the head unit, and then detect many exposed internal services through port scanning."
Furthermore, it was possible to use a USB stick to deliver a crafted, malicious update file capable of compromising the update service and gaining root control of hu-Intel, the system which controls multimedia services and BMW ConnectedDrive functionality.
Once Keen Security Lab's findings were verified, measures were developed to patch some of the most critical issues. These upgrades have been rolled out to backend systems and uploaded to telematics control units via over-the-air (OTA) updates.
Additional software updates will be made available at dealerships.
The published research omits the most crucial technical details of the exploits in order to prevent cyberattackers from abusing weaknesses in BMW security before the company resolves all of the vulnerabilities mentioned.
However, both parties plan to publish a more substantial account of the security flaws, exploit chains, and the ways they have been resolved in 2019.
BMW awarded the researchers the BMW Group Digitalization and IT Research Award for their work.
"In response to what has become a race between technological progress and new, presently unknown attack scenarios, the BMW Group has launched a comprehensive cybersecurity action plan, which includes tests conducted both internally by the BMW Group and with the help of independent institutions," the company said. "Third parties increasingly play a crucial role in improving automotive security as they conduct their own in-depth tests of products and services."
Due to the success of the initiative, Tencent Keen Security Lab and BMW are currently discussing options for new cybersecurity research collaboration.
Future research proposals will focus on Google Android embedded vehicle systems, as well as autonomous driving, testing, and the security of OTA update mechanisms.