Researchers have discovered over a dozen vulnerabilities in the onboard computer units of BMW cars, some of which can be exploited remotely to compromise a vehicle.
The flaws were found during a cybersecurity audit conducted between January 2017 and February 2018.
In March 2018, 14 different vulnerabilities were disclosed directly to the BMW Group. They affect BMW vehicle models dating back to at least 2012.
Soon after the disclosure, BMW started releasing patches for the vulnerabilities to car owners.
A full 26-page copy of the report will be publicly available sometime in early 2019, by which time the BMW Group will have entirely mitigated the vulnerabilities.
The flaws were found in three critical vehicle components in several BMW models: the Infotainment System (or Head Unit), the Telematics Control Unit (TCU or T-Box), and the Central Gateway Module.
We said it before, and we are saying it now: anything can be hacked. Remember that it is essential for every user and company to add extra cybersecurity measures. Every user should use only the best cybersecurity solution, such as an antivirus for Windows or an antivirus for Mac, depending on which OS their device is running. Every company should also go an extra step to obtain the best cybersecurity measures; this can be done by hiring a cybersecurity firm that will attack the company's network on purpose to reveal its most destructive and dangerous flaws.
These deliberate attacks are carried out through specialized cybersecurity tests such as penetration tests and ethical hacking tests.
This is the list of flaws uncovered:
• 8 flaws impact the internet-connected Infotainment System that plays music and media.
• 4 flaws affect the Telematics Control Unit (TCU) that provides telephony services, accident assistance services, and the ability to lock/unlock the car doors remotely.
• 2 flaws affect the Central Gateway Module that has been designed to receive diagnostic messages from the TCU and the infotainment unit and then transfer them to other Electronic Control Units (ECUs) on different CAN buses.
An attacker who exploits these vulnerabilities could send arbitrary diagnostic messages to the target vehicle's engine control unit (ECU), which controls electrical functions of the car, and to the CAN bus, which is the spinal cord of the vehicle.
This would ultimately give the attacker complete control over the operation of the affected vehicle.
Four flaws require physical USB access or access to the OBD (On-board diagnostics) port; another four require physical or "indirect" physical access to the car; and six can be exploited remotely to compromise vehicle functions, including one conducted over a short range via Bluetooth or over long range via cellular networks, even when the vehicle is being driven.
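The gateway's forwarding role described above is also where a defender can enforce policy. The following is an added example, not code from BMW or from the audit: a default-deny filter a gateway could apply before passing a diagnostic request to an ECU. It assumes the diagnostic messages are UDS (ISO 14229) requests; the interface names, the vehicle-state structure and the policy itself are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical gateway ingress interfaces (names are assumptions). */
enum src { SRC_OBD_PORT, SRC_TCU, SRC_HEAD_UNIT };
enum verdict { DROP = 0, FORWARD = 1 };

/* Constructed vehicle state the gateway consults before forwarding. */
struct vehicle_state {
    uint16_t speed_kmh;        /* current road speed */
    bool workshop_authorized;  /* set only after an authenticated tester session */
};

/* A UDS request carries its service ID in the first payload byte. */
static bool is_read_only(uint8_t sid) {
    return sid == 0x19 /* ReadDTCInformation */ ||
           sid == 0x22 /* ReadDataByIdentifier */ ||
           sid == 0x3E /* TesterPresent */;
}

static bool is_state_changing(uint8_t sid) {
    return sid == 0x10 /* DiagnosticSessionControl */ ||
           sid == 0x11 /* ECUReset */ ||
           sid == 0x27 /* SecurityAccess */ ||
           sid == 0x2E /* WriteDataByIdentifier */ ||
           sid == 0x31 /* RoutineControl */;
}

/* Default-deny decision for one diagnostic request arriving at the gateway. */
enum verdict gateway_filter(enum src from, const uint8_t *req, size_t len,
                            const struct vehicle_state *vs) {
    if (req == NULL || vs == NULL || len == 0)
        return DROP;
    uint8_t sid = req[0];
    if (is_read_only(sid))
        return FORWARD;   /* read-only services pass from any interface */
    if (!is_state_changing(sid))
        return DROP;      /* unlisted service: never forwarded */
    if (from != SRC_OBD_PORT)
        return DROP;      /* connected units may not change ECU state */
    if (vs->speed_kmh != 0 || !vs->workshop_authorized)
        return DROP;      /* no resets or writes while the car is moving */
    return FORWARD;
}
```

With this policy, a compromised head unit or TCU can still read diagnostic data but cannot reset or reprogram an ECU, and even the OBD port loses that ability once the vehicle is moving.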
The vulnerabilities present in the Head Unit would affect several BMW models, including the BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series, and BMW 7 Series.
However, the vulnerabilities uncovered in the Telematics Control Unit (TCU) would affect only the BMW models equipped with a module produced from the year 2012.
BMW has confirmed the findings and has already started rolling out over-the-air updates to fix some bugs in the TCU, but other flaws will need patches through the dealers.
Because we want you to stay safe and secure in the face of all these vulnerabilities, we recommend implementing a robust cybersecurity solution on your devices, such as an antivirus for Windows or an antivirus for Mac, depending on which OS your machines are running. We also suggest that every company hire a specialized cybersecurity firm to perform various tests, such as a penetration test and various ethical hacking tests, on the company's network to reveal whether any network flaws are present.
For companies that exist 100% online, we recommend using cyber-secured web hosting services.