A Chinese hacking lab finds 14 security vulnerabilities in BMW cars
Security vulnerabilities have been found in BMW cars and that means similar cars are probably vulnerable too. Should you worry?
NOT SO LONG AGO your car didn’t have a single computer or silicon chip in it. Today, every car has considerable computing power and everything is connected to everything else, which means huge potential for security issues. It’s a maxim of the information systems security industry that anything can be hacked, and particularly those things which are connected to the Internet or accessible via standard interfaces or wireless networks. Such as BMW and most other modern cars.
The Tencent Keen Security Lab, based in China, has found 14 security vulnerabilities in modern BMW cars, not all of which are fixed. If you want the short version: your modern BMW almost certainly has computing security issues, but the chances of anyone exploiting them are very small indeed.
Now for the detail. First, the Keen lab’s work is specific to BMW cars, but because BMW uses the QNX computing system in its cars, as do many other manufacturers, you can be sure that equivalent vulnerabilities exist in other cars too.
Second, the report from Keen is indicative of the parlous state of IT security in cars, like the previous reports about the way hackers remotely controlled a Jeep. Car computing security design appears to be considerably less mature than mainstream software engineering. I suspect that’s because car companies are relatively new to the IT security game and used to building cars, not computers. And increasingly, cars are simply motorised computers.
The full report from Keen is here, but it’s a pretty IT-technical report, so below we’ve taken some excerpts and translated them into plain language, with our emphasis in bold:
“Through in-depth analysis, we figured out two approaches to send arbitrary CAN messages on K-CAN Bus.”
The CAN is the Controller Area Network, the interlink on a vehicle between all sorts of systems; anything from the electronic park brake to the aircon to the transmission to the electric power steering. The hackers are saying they have figured out how to send control messages to these devices, which in other words implies the hackers can control almost any part of the car.
“After reverse engineering the firmware, we found that it’s valid to directly send arbitrary NGTP messages through SMS to trigger various telematics functionalities as equal as through HTTPS, and the encryption/signature algorithms are known to public, also the encryption keys are hardcoded. After some in-depth research, we completely restored the NGTP protocol and used USRP and OpenBTS to simulate a GSM network, then suppressed the TSP signals with a signal suppressor to make the BMW vehicle serviced by our rogue base station. Finally, we can directly send arbitrary NGTP messages to the BMW vehicles to trigger BMW Remote Services.”
The NGTP is the Next Generation Telematics Protocol, a way for vehicle makers to send data and commands to a vehicle, in this case via SMS messages. As you can see, the hackers found a way to send the commands of their choosing to the vehicle over the air, so remotely. The NGTP is encrypted, as it should be, and while it’s not intrinsically a problem for the algorithm to be known to the public, what is a problem is the hard-coding of the encryption key, which should remain absolutely secret. The fact that it is hard-coded means that should the key be discovered it would be very difficult to change. This breaks a fundamental security design principle, and is an example of where the carmakers’ security practices are a long way behind where they should be.
“What’s worse, there aren’t any security restrictions to such USB Ethernet Interface, which makes it possible to obtain access to the internal network of the head unit, and then detect many exposed internal services through port scanning.”
Here’s another security fundamental that’s been broken. It seems that the assumption is that physical security is sufficient; that is, if you can get physical access to something you must be allowed to use it. That’s utterly wrong. The hackers are saying that there “aren’t any security restrictions” on the USB Ethernet interface, so they can take a look around as they wish. That’s not quite the same as a vulnerability, but it does typify the sort of lax security design typical of carmakers.
“Some content is signed by BMW private keys, while some are not, which gives us a chance to prepare our malformed content in the USB stick and leverage some vulnerabilities existed in the update service to gain control of hu-intel system with root privilege.”
There is something called public key cryptography; this is where content, such as a command or a data update, is digitally signed by the originator using a private, secret key. The destination system uses a related public key to verify the integrity of the content before acting on it. And the lab has discovered that not all content is signed by a private key, which opens the door to exploits, as the destination system appears to simply trust the messages it receives. It’s odd that some content is signed and some isn’t; again, this would appear to be lax security practice.
The ‘root privilege’ means the hackers have unauthorised access to the superuser, or god login, which means they can do whatever they like.
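To make the signing point concrete, here is an added example of the check a head unit should apply before acting on any delivered content. It is illustrative Go code written for this article, not code from Keen Lab, BMW or the QNX platform, and the package names, the Ed25519 algorithm and the sample payloads are all assumptions. The vendor keeps the private key; only the public key lives in the vehicle, so embedding it is harmless (unlike the hard-coded secret keys the report describes). Every package, signed or not, goes through the same verifier, and unsigned content is refused rather than trusted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// UpdatePackage models one item of content delivered to the head unit,
// for example from a USB stick. An empty Signature means unsigned content.
type UpdatePackage struct {
	Name      string
	Payload   []byte
	Signature []byte
}

var (
	ErrUnsigned     = errors.New("update rejected: content is not signed")
	ErrBadSignature = errors.New("update rejected: signature does not verify")
)

// NewSigningKeys generates a vendor key pair. Only the public half would be
// installed in the vehicle; the private half never leaves the vendor.
func NewSigningKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignPackage is the vendor-side step: it attaches a signature over the payload.
func SignPackage(priv ed25519.PrivateKey, name string, payload []byte) UpdatePackage {
	return UpdatePackage{Name: name, Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifyPackage is the vehicle-side check. Unsigned content is refused
// outright (a policy that trusts unsigned content is the gap the report
// describes), and a signature that does not verify against the vendor's
// public key, whether tampered payload or wrong key, is refused too.
func VerifyPackage(pub ed25519.PublicKey, pkg UpdatePackage) error {
	if len(pkg.Signature) == 0 {
		return ErrUnsigned
	}
	if len(pkg.Signature) != ed25519.SignatureSize || !ed25519.Verify(pub, pkg.Payload, pkg.Signature) {
		return ErrBadSignature
	}
	return nil
}

// RunScenario walks through the cases a verifier must handle and reports the
// verdict for each: a genuine package, an unsigned one, a tampered one and one
// signed with somebody else's key. All payloads are constructed sample data.
func RunScenario() (map[string]error, error) {
	pub, priv, err := NewSigningKeys()
	if err != nil {
		return nil, err
	}
	otherPub, _, err := NewSigningKeys() // a key the vehicle does not trust
	if err != nil {
		return nil, err
	}
	genuine := SignPackage(priv, "map-update", []byte("constructed map data v2"))
	unsigned := UpdatePackage{Name: "unsigned-blob", Payload: []byte("constructed unsigned data")}
	tampered := genuine
	tampered.Payload = append([]byte{}, genuine.Payload...)
	tampered.Payload[0] ^= 0xff // flip one byte after signing

	return map[string]error{
		"genuine":   VerifyPackage(pub, genuine),
		"unsigned":  VerifyPackage(pub, unsigned),
		"tampered":  VerifyPackage(pub, tampered),
		"wrong-key": VerifyPackage(otherPub, genuine),
	}, nil
}

func main() {
	results, err := RunScenario()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"genuine", "unsigned", "tampered", "wrong-key"} {
		if results[name] == nil {
			fmt.Printf("%-10s accepted\n", name)
		} else {
			fmt.Printf("%-10s %v\n", name, results[name])
		}
	}
}
```

The design point is that the verdict is never "is this content signed?" decided per item; every item is verified against the same trusted public key, and anything that cannot be verified is treated as hostile.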
“By chaining the vulnerabilities together, we are able to remotely compromise the NBT. After that, we can also leverage some special remote diagnose interfaces implemented in the Central Gateway Module to send arbitrary diagnostic messages (UDS) to control ECUs on different CAN Buses.”
“With the help of serious vulnerabilities over USB interface and OBD-II interface, attackers can easily use them to install the backdoor in the NBT, and then manipulate the vehicle functions through Central Gateway Module.”
The NBT is the Next Big Thing, BMW’s name for the big update of their iDrive in 2012. The sentence says what you think it says; the car’s functions can be controlled by attackers.
“Technically speaking it’s possible to launch the attack from hundreds of meters even when the car is in the driving mode.”
“Therefore, it’s susceptible [possible] for an attacker to gain remote control to the CAN buses of a vulnerable BMW car by utilizing a complex chain of several vulnerabilities existed in different vehicle components.”
Speaks for itself.
“Using MITM attack between TSP and the vehicle, attackers could remotely exploit the vulnerabilities existed in both NBT and TCB, leading to backdoors being planted in the NBT and TCB. Typically, a malicious backdoor can inject controlled diagnosis messages to the CAN buses in the vehicle.”
A MITM attack is a man-in-the-middle attack, and a backdoor is a secret, unofficial and unwanted entry point into an IT system. But that’s not the main point; the main point is that an attacker can drop messages into the CAN bus, which is the primary vehicle computer control system.
“In this report, we revealed all the vulnerabilities we found in the Head Unit, Telematics Control Unit and Central Gateway Module. The vulnerabilities can be exploited by an attacker via the vehicle’s external-facing I/O interfaces, including USB, OBD-II, and Cellular network. In particular, with the Telematics Control Unit being compromised without any physical access, the attacker can remotely trigger or control vehicular functions over a wide-range distance by sending malicious CAN messages to the BMW vehicle’s internal CAN bus, whenever the car is in parking or driving mode.”
“We do believe these attack chains could be utilized by skilled attackers at a very low cost – with enough research.”
So what’s BMW’s reaction?
There’s a letter dated 21st of May at the end of the Keen report, which you can read in full at this link. Here’s an excerpt:
The rest of the letter basically says: we agree with your findings, emphasises how much skill it took (so owners are reassured, but more on that below), BMW takes security seriously, we’ve fixed some stuff, we’ll fix the rest, and by the way messing around like this is a criminal act.
Keen Lab had many extremely highly skilled technicians working on this case for over a year, with unfettered access to several BMW cars. That level of research and expertise is well beyond that of your average cyber-criminal, who is more focused on hacking things other than cars, so the chances of any vulnerability being turned into an exploit and used in the field are small…but not for long.
Most cyber-crime today is carried out by criminals using tools, techniques and services they buy from more technically skilled criminals. You need only surf the dark web to find such tools and services for sale, along with all manner of personal information, hacked corporate systems ready to be controlled, credit cards and much more. It is inevitable that such tools and techniques will be developed for car computing systems, and then we really will have a problem.
Right now there are many highly organised and large-scale cyber criminals who are well-funded and resourced, in effect criminal corporations operating online, beyond borders, and they have industrialised cyber-crime through automation and tools. There are also state-sponsored threat actors, hacking computer systems in their native country’s national interest, and corporate espionage teams. And of course, the stereotypical nerdy teenager in a bedroom. All these threat actors would have an interest in breaching vehicle security.
We are heading for a crunch point in car security; as cars become more connected and sophisticated, the potential for attack becomes greater, as does the payoff for breaching security. That means we are likely to see car security breaches become more and more common, and obviously controlling a car is very dangerous compared to controlling a mobile phone. Let’s hope that the car industry wakes up and starts to take IT security more seriously.
Is my BMW affected?
The cars confirmed by Keen Lab as vulnerable are the 2017 i3, 2016 X1, 2016 525Li and 2012 730Li. However, as BMW uses much the same software across all their models, it is very likely that all similar cars are vulnerable. In addition, some vulnerabilities were found in the QNX car computing system, and that is used in non-BMW vehicles too. So it is likely that many vehicles are vulnerable. There are also slight differences in the same model car from year to year, and from country to country. These differences may mean cars with small differences are vulnerable, or not. Keen Lab’s report says “Based on our testing, we confirm that all the vulnerabilities would affect various modern BMW models.”
How likely is a security breach? What could happen?
Not likely at all. The vulnerabilities take a lot of expertise and equipment to discover and exploit. You have a much greater chance of crashing your car, or your mobile phone being hacked. It is one of those “in theory” risks…at the moment. As time goes on, the chances of an exploit increase, so the race is on to fix the problems before that happens.
What should I do?
There’s not much you can do unless you’d like to swap your computer-controlled car for an older model, but that would be a lot less safe in the event of a crash – a far more probable event than hacking – so from a risk management perspective, stick with the modern car. About all you can do is ensure your car has the latest software updates, available from your dealer.
When did all this happen?
Keen Lab started the BMW security research project in January 2017, and proved their work in February 2018. It then reported the findings to BMW on 25th February 2018. On March 9th BMW confirmed Keen’s work. On March 22nd BMW provided their fix plans to Keen. The fix plan is being executed and started in April 2018. The exact details of what’s fixed when are not stated; the Keen report says that the “measures are in rollout since mid of April 2018” and that “additional security measures are being developed by BMW in the form of optional software updates”. You’d have to wonder why a security update is optional though.
What’s BMW Australia’s official advice?
Practical Motoring has reached out to BMW to get more information beyond their official announcement. We’ve been told the local PR team is working hard to get a detailed response out of Germany and we’ll update this article when and if we get more information.