The security flaws have been discovered during a year-long security audit conducted by researchers from Keen Security Lab, a cybersecurity research unit of Chinese firm Tencent, between January 2017 and February 2018.
In March 2018, the team responsibly disclosed 14 different vulnerabilities directly to the BMW Group, which affects its vehicles since at least 2012.
These are the same group of researchers who have previously found multiple vulnerabilities in various in-car modules used by Tesla, that could have been exploited to achieve remote controls on a target car.
Now that BMW started rolling out patches for the vulnerabilities to car owners, the researchers have gone public with a 26-page technical report [PDF] describing their findings, though they avoided publishing some important technical details to prevent abuse.
The researchers said a full copy of their research is expected to appear sometime in early 2019, by which the BMW group entirely mitigates against the vulnerabilities.
The team of Chinese infosec researchers focused on three critical vehicular components—Infotainment System (or Head Unit), Telematics Control Unit (TCU or T-Box), and Central Gateway Module in several BMW models.
- 8 flaws impact the internet-connected Infotainment System that plays music and media
- 4 flaws affect the Telematics Control Unit (TCU) that provides telephony services, accident assistance services, and ability to lock/unlock the car doors remotely.
- 2 flaws affect the Central Gateway Module that has been designed to receive diagnostic messages from the TCU and the infotainment unit and then transfer them to other Electronic Control Units (ECUs) on different CAN buses.
Exploiting these vulnerabilities could allow attackers to send arbitrary diagnostic messages to the target vehicle's engine control unit (ECU), which control electrical functions of the car, and to the CAN bus, which is the spinal cord of the vehicle.
This would eventually allow miscreants to take complete control over the operation of the affected vehicle to some extent.
Another four vulnerabilities require physical or "indirect" physical access to the car.
However, six vulnerabilities can be exploited remotely to compromise vehicle functions, including one conducted over a short range via Bluetooth or over long range via cellular networks, even when the vehicle is being driven.
The team confirmed that the vulnerabilities existed in Head Unit would affect several BMW models, including BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series, BMW 7 Series.
However, researchers said the vulnerabilities uncovered in Telematics Control Unit (TCB) would affect "BMW models which equipped with this module produced from the year 2012."
BMW has confirmed the findings and already started rolling out over-the-air updates to fix some bugs in the TCU, but other flaws will need patches through the dealers, which is why the researchers have scheduled their full technical report to March 2019.
BMW also rewarded Keen Security Lab researchers with the first winner of the BMW Group Digitalization and IT Research Award, describing their research "by far the most comprehensive and complex testing ever conducted on BMW Group vehicles by a third party."