Car hacking, BMW - class task
Many BMW models have vulnerabilities regarding security, Zors (2018) states, researchers hack BMW cars and discovered 14 vulnerabilities. The security flaws have been discovered during a year-long experiment carried out by the Chinese security firm between January 2017 and February 2018. Most of them are connected with TCU* or TCB* and UDS*. However, six of them can be developing remotely, via the wireless interface of the vehicle, e.g. Bluetooth and cellular network.
The attack via Bluetooth required a minimum distance between car and telephone and always in pairing mode. An attack via cellular mode can take place from afar. Almost all BMW models are affected by these vulnerabilities, BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series, BMW 7 Series. The most affected cars are models from 2012 onwards.
Both Keen LAB and BMW manufacturers recognize the hacks are complex and out of reach for many attacks.
The LAb report has shown how the attack takes place, namely the contactless attack,
The contactless attack is based on the wireless interfaces of the vehicle. And in such kinds of attack
chains, attackers may impact the vehicle remotely. In this part, the attack chains via Bluetooth and
the cellular network will be illustrated.
experimental environment.
vulnerabilities reported by Keen Lab.
CVE-2018-9320, CVE-2018-9312, CVE-2018-9313, CVE-2018-9314, CVE-2018-9311, CVE2018-9318)
In 2018 BMW has implemented the solution offered by Keen LAB and all vulnerabilities have been fixed.
In conclusion, Keen Lab follows the "Responsible Disclosure" practice, which is a well-recognized practice by global manufactures in software and internet industries, to work with BMW on fixing the vulnerabilities and attack chains. The Chinese organization has discovered !4 vulnerabilities in BMW car security, regarding contactless attacks, Bluetooth Chanel and cellular networks. And all of these vulnerabilities have been fixed.
Zorz, Z., 2020. Researchers Hack BMW Cars, Discover 14 Vulnerabilities - Help Net Security. [online] Help Net Security. Available at: <https://www.helpnetsecurity.com/2018/05/23/hack-bmw-cars/> [Accessed 3 February 2020].
The attack via Bluetooth required a minimum distance between car and telephone and always in pairing mode. An attack via cellular mode can take place from afar. Almost all BMW models are affected by these vulnerabilities, BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series, BMW 7 Series. The most affected cars are models from 2012 onwards.
Both Keen LAB and BMW manufacturers recognize the hacks are complex and out of reach for many attacks.
The LAb report has shown how the attack takes place, namely the contactless attack,
The contactless attack is based on the wireless interfaces of the vehicle. And in such kinds of attack
chains, attackers may impact the vehicle remotely. In this part, the attack chains via Bluetooth and
the cellular network will be illustrated.
- January 2017: Keen Lab kicked off the BMW security research project internally.
- February 2018: Keen Lab proved all the vulnerability findings and attack chains in an
experimental environment.
- February 25th, 2018: Keen Lab reported all the research findings to BMW.
- March 9th, 2018: BMW fully confirmed all the vulnerabilities reported by Keen Lab.
- March 22nd, 2018: BMW provided the planned technical mitigation measures for the
vulnerabilities reported by Keen Lab.
- April 5th, 2018: CVE numbers related to the vulnerabilities have been reserved. (CVE-2018-9322,
CVE-2018-9320, CVE-2018-9312, CVE-2018-9313, CVE-2018-9314, CVE-2018-9311, CVE2018-9318)
- May 22nd, 2018: This summary report is released to the public.
- Year 2019: Keen Lab will release the full technical paper.
In 2018 BMW has implemented the solution offered by Keen LAB and all vulnerabilities have been fixed.
In conclusion, Keen Lab follows the "Responsible Disclosure" practice, which is a well-recognized practice by global manufactures in software and internet industries, to work with BMW on fixing the vulnerabilities and attack chains. The Chinese organization has discovered !4 vulnerabilities in BMW car security, regarding contactless attacks, Bluetooth Chanel and cellular networks. And all of these vulnerabilities have been fixed.
Zorz, Z., 2020. Researchers Hack BMW Cars, Discover 14 Vulnerabilities - Help Net Security. [online] Help Net Security. Available at: <https://www.helpnetsecurity.com/2018/05/23/hack-bmw-cars/> [Accessed 3 February 2020].
Don't forget to add your commentary here too - link it back to the overall project theme. As you complete this post try to make sure you are responding to my comments and applying that to any new posts you add over the next few days before final assessment.
ReplyDelete