According to Chinese researchers, a number of BMW vehicles might have up to 14 vulnerabilities in their on-board computers, which has prompted BMW to begin issuing security patches over the air and through dealer networks. These flaws affect the infotainment unit, telematics controls, and the wireless communications systems on BMW’s i Series, X1 sDrive, 5 Series, and 7 Series models dating as far back as 2012. Four of the discovered vulnerabilities require hackers to have physical USB access to the car, while six of the vulnerabilities can be exploited remotely. The last four vulnerabilities require physical access to the car’s computer.
“Our research findings have proved that it is feasible to gain local and remote access to infotainment, T-Box components, and UDS communication above certain speed [for] selected BMW vehicle modules and been able to gain control of the CAN buses with the execution of arbitrary, unauthorized diagnostic requests of BMW in-car systems remotely,” the researchers at Tencent’s Keen Security Lab wrote in a preliminary report, noting that a full report would be available sometime in 2019 to allow BMW time to patch the flaws.
The report says that if a hacker gains physical access to the car, the interfaces present inside those BMWs could be exposed. Hackers can also use a USB stick to inject malicious code into BMW’s ConnectedDrive by gaining root control of the hu-intel system.
In a statement to ZDNet, the BMW Group noted that the research was conducted in conjunction with BMW’s cybersecurity team, highlighting that “third parties increasingly play a crucial role in improving automotive security as they conduct their own in-depth tests of products and services.”