Flaws in BMW ConnectedDrive Infotainment System allow remote hack

Share this…

A research discovered two zero-day vulnerabilities residing in the official BMW web domain and ConnectedDrive portal that allow remote hack.

Once again IoT devices are affected by a serious flaw that could be exploited by hackers to compromise them, this time we speak of Car Hacking.
Almost any modern connected vehicle uses a drive-by-wire system that relies on electrical or electro-mechanical systems for performing traditional vehicle functions.

This technology replaces the traditional mechanical control systems to manage steering, brakes, and accelerator. Of course, the use of electronic components in modern connected vehicles open the door to hacking attacks.
Recently, the security researcher Benjamin Kunz Mejri has discovered zero-day flaws that affect the official BMW web domain and ConnectedDrive portal. The vulnerabilities are still unpatched exposing used to cyber attacks.

The first flaw in the BMW ConnectedDrive online service web-application is a VIN (Vehicle Identification Number) session vulnerability.

The VIN is the identification code assigned to each vehicle while accessing the service.

The BMW ConnectedDrive is an infotainment system that is installed on some model of the German automaker, it implements various functionalities to provide the users with information and entertainment. It could be used to control car features (i.e. heating, lights) and to manage user’s services like emails.

BMW ConnectedDrive Store

The vulnerability resides in the session management of VIN usage and hackers could exploit it to bypass the secure validation procedures of the VIN remotely using a live session, in this way they can manipulate VIN numbers and configuration settings.

“The vulnerability is located in the session management of the VIN adding procedure. Remote attackers are able to bypass the secure validation approval of the VIN when processing to create it. Basically the validation does not allow to add a non exisiting number to the interface configuration to prevent different typ of errors or issues. In case of the adding procedure the request approve via action – add the context.” states the security advisory from the vulnerability-lab. “Remote attackers are able to change with a live session tamper the action information to create or update. Thus allows an attacker to bypass the invalid VIN exception to add a new configuration finally. Thus interaction results in the takeover of other vehicle identification numbers to view or manipulate the configuration.”

The post includes a PoC to follow step by step:

  1. Open the web-application of bmw connecteddrive (https://www.bmw-connecteddrive.co.uk/cdp/) and login
  2. Surf to the My Settings module of the service
  3. Start the session tamper and include a new random VIN
  4. Save the requesst and manipulate in the session tamper the add value to create
  5. Continue to process the GET request after it
  6. Now, the module opens and the restriction with the vehicle Identification Number approval is bypassed
  7. Now you can add your own VIN to the interface to create another car with the same VIN
  8. Successful reproduce of the web-application vulnerability that affects the bmw car connecteddrive!

The second vulnerability discovered by the researchers is a client-side cross-site scripting vulnerability that resides in the official BMW online service web-application. The flaw could allow a remote attacker to inject malicious script codes to the client-side of the affected module context.

“A client-side cross site scripting web vulnerability has been discovered in the official BMW online service web-application. The vulnerability allows remote attacker to inject own malicious script codes to the client-side of the affected module context.”states the official advisory. 
“The vulnerability is located in the `t` value (token) of the `passwordResetOk.html` web-application file. Remote attackers are able  to inject own client-side script codes to the `passwordResetOk.html` file. the request method to inject is GET and the vulnerability is located on the client-side of the affected bmw web-service. The attacker injects the payload after the secure token to execute the context in the passwordResetOk.html file. The vulnerability is a classic client-side cross site scripting web vulnerability.”

The security flaws have been reported to BMW in February, unfortunately, there was news about the availability of a fix.