See update below
It’s becoming more and more common to hear about hackers getting into automotive systems. Whether through the car’s infotainment system or its connected mobile app, hackers are forcing their way into automotive systems and wreaking havoc. Companies like BMW and Audi have famously tried to stay two steps ahead of hackers by developing their software to keep them out, even going as far as hiring hack-research firms to find flaws in their systems so they can then be fixed.
However, this hasn’t stopped researchers from allegedly finding two zero-day vulnerabilities in BMW’s Connected Drive portal. The research group Vulnerability Labs was the one that found these bugs in BMW’s security.
The first flaw found is a VIN session vulnerability. The Connected Drive app uses a vehicle’s VIN (Vehicle Identification Number) to identify individual models. However, a flaw was found in its session management that lets hackers bypass validation, gaining access to VIN numbers and configuration settings. This allows the hackers to manipulate information about the VIN, the vehicle and even the owner.
The second flaw found was a cross-site scripting vulnerability on the client side of BMW’s web domain. According to the researchers who found the flaw, this is a “classic” cross-site scripting vulnerability because, according to ZDNet, “the security flaw does not need privileged user accounts to be exploited; instead, ‘low user interaction’ is needed through only a payload injection into the vulnerable module.”
Apparently, BMW was made aware of these issues in February of this year and responded in April. So far, there is no evidence of BMW fixing these issues, but that doesn’t mean they haven’t been fixed. They are quite serious, though, as hackers can inject malicious code into BMW’s domains and hijack user accounts, sessions and information.
We’ve reached out to BMW for a comment, but we haven’t received anything back just yet. We’ll update you as we get more information.
BMW has issued the following statement:
Cross-Site-Scripting: Security penetration tests are performed for components and systems at every stage of the development process. Testing for potential security flaws is part of the quality assurance process for IT components. Any vulnerabilities that are identified are corrected at the development stage.
VIN Session Handling: The function VehicleAdd has a multi-level security system in place. The available general information can’t be changed without the vehicle around and doesn’t have any impact on the drivers’ security.