Since we do pretty much everything on the web nowadays – order food, tell people what terrible parents they are, masturbate – it only makes sense that we’ll use the familiar web browser to hack people’s cars. Thanks to a pretty significant vulnerability found by a security researcher on BMW’s ConnectedDrive web portal, it appears that web-based car hacking is possible.
Two flaws were found by security researcher Benjamin Kunz Mejri of Vulnerability Laboratory, one more serious than the other. The more serious vulnerability would allow someone to get access to another car’s VIN, which would give them the ability to lock or unlock the vehicle associated with the VIN number, as well as access the car owner’s email accounts and other infotainment system data.
Here’s how Vulnerability Laboratory describes the vulnerability in their advisory:
A session validation approval web vulnerability has been discovered in the official BMW ConnectedDrive online service web-application.
The vulnerability allows remote attackers to manipulate specific configured parameters to compromise the affected web-application service.
VIN := vehicle Identification Number
A vehicle identification number, commonly abbreviated to VIN, or chassis number, is a unique code including a serial number, used by the automotive industry to identify individual motor vehicles, towed vehicles, motorcycles, scooters and mopeds as defined in ISO 3833.
The vulnerability is located in the VIN adding procedure. Remote attackers are able to bypass the secure validation approval of the VIN when processing to create it. Basically the validation does not allow to add an non existing number to the interface configuration to prevent different type of errors or issues. In case of the adding procedure the request approve via action - add the context.
Remote attackers are able to change with a live session tamper the action information to create or update. Thus allows an attacker to bypass the invalid VIN exception to add a new configuration finally. Thus interaction results in the takeover of other vehicle identification numbers to view or manipulate the configuration.
The security risk of the session validation vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.0.
Exploitation of the session validation web vulnerability requires a low privileged web-application user account and no user interaction.
Successful exploitation of the vulnerability results in a compromise of registered or valid vehicle identification numbers via connected drive.
That’s a pretty good-sized hole, and one that could cause some real issues if not patched.
The other vulnerability, described in this advisory, is less severe, but still significant. It’s described technically as something that
allows remote attacker to inject own malicious script codes to the client-side of the affected module context
... which, in more layman’s terms, means that via the ConnectedDrive’s password reset webpage, there is the potential for a hacker or some similar sort of technically-minded dickhead to inject potentially malicious code into BMW’s portal.
BMW has yet to comment publicly on the vulnerabilities, and we’ve reached out to them for a comment as well. It’s likely they’re already working on or have a fix, but if and when we find out more details, we’ll update.
If you own a BMW new enough to work with their ConnectedDrive system, you may as well go to the hardware store and get one of those screw-on fence latches and some padlocks.
Better safe than sorry, right?
(Thanks, Jesse!)