Skip to main content

BMW racing to patch 14 security vulnerabilities found in its cars

2019 BMW X4 (European version)
Image used with permission by copyright holder

Chinese researchers discovered 14 vulnerabilities on the on-board computers of a number of BMW vehicles, leading the automaker to begin issuing security patches over-the-air and through dealer networks. These flaws affect the infotainment unit, telematics controls, and the wireless communications systems on BMW’s i Series, X1 sDrive, 5 Series, and 7 Series models dating as far back as 2012. Four of the discovered vulnerabilities require hackers to have physical USB access to the car, while six of the vulnerabilities can be exploited remotely. The last four vulnerabilities require physical access to the car’s computer.

“Our research findings have proved that it is feasible to gain local and remote access to infotainment, T-Box components, and UDS communication above certain speed [for] selected BMW vehicle modules and been able to gain control of the CAN buses with the execution of arbitrary, unauthorized diagnostic requests of BMW in-car systems remotely,” the researchers at at Tencent’s Keen Security Lab wrote in a preliminary report, noting that a full report would be available sometime in 2019 to allow BMW time to patch the flaws.

Recommended Videos

Additionally, if a hacker has access to the vehicle physically, the USB, Ethernet, and OBD-II ports could also be exploited. Because the USB Ethernet Interface doesn’t have security restrictions, it could be used to access the internet network of the head unit and detect the exposed internal services through port scanning, the report said. Hackers can also use a USB stick to inject malicious code into BMW’s ConnectedDrive by gaining root control of the hu-intel system.

Hackers can also trigger remote code execution if they don’t have access to a vehicle by exploiting memory corruption vulnerabilities that allowed users to bypass signature protection in the firmware and break secure isolation of various system components. (In 2015, a 14-year-old hacked a car with $15 worth of tech using a similar technique.) By gaining access to CAN buses, an attacker can remotely trigger remote diagnostic functions by leveraging a chain of multiple vulnerabilities across several affected vehicle components. Hackers can send arbitrary diagnostics to the engine computer. The danger, according to researchers, is that the engine control unit, or ECU, will still respond to diagnostic messages even at normal driving speeds, and “it will become much worse if attackers invoke some special UDS routines.”

“By chaining the vulnerabilities together, we are able to remotely compromise the NBT [car computer],” researchers said. “After that, we can also leverage some special remote diagnose interfaces implemented in the Central Gateway Module to send arbitrary diagnostic messages (UDS) to control ECUs on different CAN Buses.”

In a statement to ZDNet, the BMW Group noted that the research was conducted in conjunction with BMW’s cybersecurity team, highlighting that “third parties increasingly play a crucial role in improving automotive security as they conduct their own in-depth tests of products and services.”

Chuong Nguyen
Silicon Valley-based technology reporter and Giants baseball fan who splits his time between Northern California and Southern…
Update Google Chrome now to patch this critical security flaw
A MacBook with Google Chrome loaded.

You might want to update your Google Chrome web browser right away. Google recently issued a critical security update for Chrome, patching up 11 security issues, including two zero-day vulnerabilities that were exploited in the wild.

Released on September 13, Google first listed the patched vulnerabilities on the Chrome Releases blog. Full details are being withheld for security reasons, as Google wants a majority of users to update first.

Read more
Your Dell laptop might have a security vulnerability. Here’s how to fix it.
dell new inspiron laptops take xps design lineup 2021  1

After a security research firm discovered a security vulnerability that could give hackers access to your laptop, Dell is taking action with a fix. Impacting hundreds of millions of laptops across more than 380 models (including XPS, and Alienware) released since 2009, there are now more ways than one for you to address the urgent issue.

At the heart of this problem is a driver that Dell's laptops use to handle firmware updates. According to a Dell support page, this driver comes packaged with Dell Client firmware update utility packages and software tools, and a vulnerability within it can "lead to escalation of privileges, denial of service, or information disclosure."

Read more
Nvidia warns owners of its GPUs about a dangerous security vulnerability
Promotional photo of an Nvidia GeForce RTX 3090 graphics card.

Nvidia is warning GPU owners to update their graphics card drivers after the company discovered several high-level security vulnerabilities. ThreatPost reports that Nvidia found bugs in its virtual GPU software and the display driver that's required for the graphics card to function.

Nvidia has a table showing the drivers for its different product lines across Windows and Linux, but it doesn't really matter. It seems GeForce, Quadro, and Tesla drivers are vulnerable across Windows and Linux, so it's best to update your graphics driver regardless.

Read more