Skip to main content

CHINESE HACKERS FIND OVER A DOZEN VULNERABILITIES IN #BMW CARS. Chinese security researchers have discovered more than a dozen vulnerabilities in the onboard compute units of BMW cars, some of which can be exploited remotely to compromise a vehicle. The security flaws have been discovered during a year-long security audit conducted by researchers from Keen Security Lab, a cybersecurity research unit of Chinese firm Tencent, between January 2017 and February 2018. In March 2018, the team responsibly disclosed 14 different vulnerabilities directly to the BMW Group, which affects its vehicles since at least 2012. These are the same group of researchers who have previously found multiple vulnerabilities in various in-car modules used by Tesla, that could have been exploited to achieve remote controls on a target car. Now that BMW started rolling out patches for the vulnerabilities to car owners, the researchers have gone public with a 26-page technical report [PDF] describing their findings, though they avoided publishing some important technical details to prevent abuse. The researchers said a full copy of their research is expected to appear sometime in early 2019, by which the BMW group entirely mitigates against the vulnerabilities. The team of Chinese infosec researchers focused on three critical vehicular components—Infotainment System (or Head Unit), Telematics Control Unit (TCU or T-Box), and Central Gateway Module in several BMW models. Here's the list of flaws uncovered by the researchers: 8 flaws impact the internet-connected Infotainment System that plays music and media4 flaws affect the Telematics Control Unit (TCU) that provides telephony services, accident assistance services, and ability to lock/unlock the car doors remotely.2 flaws affect the Central Gateway Module that has been designed to receive diagnostic messages from the TCU and the infotainment unit and then transfer them to other Electronic Control Units (ECUs) on different CAN buses. Exploiting these vulnerabilities could allow attackers to send arbitrary diagnostic messages to the target vehicle's engine control unit (ECU), which control electrical functions of the car, and to the CAN bus, which is the spinal cord of the vehicle. This would eventually allow miscreants to take complete control over the operation of the affected vehicle to some extent. Four flaws require a physical USB access or access to the ODB (On-board diagnostics) port, which means attackers need to be inside your vehicle to exploit them by plugging a malware-laden gadget into the USB port. Another four vulnerabilities require physical or "indirect" physical access to the car. However, six vulnerabilities can be exploited remotely to compromise vehicle functions, including one conducted over a short range via Bluetooth or over long range via cellular networks, even when the vehicle is being driven. The team confirmed that the vulnerabilities existed in Head Unit would affect several BMW models, including BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series, BMW 7 Series. However, researchers said the vulnerabilities uncovered in Telematics Control Unit (TCB) would affect "BMW models which equipped with this module produced from the year 2012." BMW has confirmed the findings and already started rolling out over-the-air updates to fix some bugs in the TCU, but other flaws will need patches through the dealers, which is why the researchers have scheduled their full technical report to March 2019. BMW also rewarded Keen Security Lab researchers with the first winner of the BMW Group Digitalization and IT Research Award, describing their research "by far the most comprehensive and complex testing ever conducted on BMW Group vehicles by a third party."

CHINESE HACKERS FIND OVER A DOZEN VULNERABILITIES IN #BMW CARS.

Chinese security researchers have discovered more than a dozen vulnerabilities in the onboard compute units of BMW cars, some of which can be exploited remotely to compromise a vehicle.

The security flaws have been discovered during a year-long security audit conducted by researchers from Keen Security Lab, a cybersecurity research unit of Chinese firm Tencent, between January 2017 and February 2018.

In March 2018, the team responsibly disclosed 14 different vulnerabilities directly to the BMW Group, which affects its vehicles since at least 2012.

These are the same group of researchers who have previously found multiple vulnerabilities in various in-car modules used by Tesla, that could have been exploited to achieve remote controls on a target car.

Now that BMW started rolling out patches for the vulnerabilities to car owners, the researchers have gone public with a 26-page technical report [PDF] describing their findings, though they avoided publishing some important technical details to prevent abuse.

The researchers said a full copy of their research is expected to appear sometime in early 2019, by which the BMW group entirely mitigates against the vulnerabilities.

The team of Chinese infosec researchers focused on three critical vehicular components—Infotainment System (or Head Unit), Telematics Control Unit (TCU or T-Box), and Central Gateway Module in several BMW models.

Here's the list of flaws uncovered by the researchers:

8 flaws impact the internet-connected Infotainment System that plays music and media4 flaws affect the Telematics Control Unit (TCU) that provides telephony services, accident assistance services, and ability to lock/unlock the car doors remotely.2 flaws affect the Central Gateway Module that has been designed to receive diagnostic messages from the TCU and the infotainment unit and then transfer them to other Electronic Control Units (ECUs) on different CAN buses.
Exploiting these vulnerabilities could allow attackers to send arbitrary diagnostic messages to the target vehicle's engine control unit (ECU), which control electrical functions of the car, and to the CAN bus, which is the spinal cord of the vehicle.

This would eventually allow miscreants to take complete control over the operation of the affected vehicle to some extent.

Four flaws require a physical USB access or access to the ODB (On-board diagnostics) port, which means attackers need to be inside your vehicle to exploit them by plugging a malware-laden gadget into the USB port.

Another four vulnerabilities require physical or "indirect" physical access to the car.

However, six vulnerabilities can be exploited remotely to compromise vehicle functions, including one conducted over a short range via Bluetooth or over long range via cellular networks, even when the vehicle is being driven.

The team confirmed that the vulnerabilities existed in Head Unit would affect several BMW models, including BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series, BMW 7 Series.

However, researchers said the vulnerabilities uncovered in Telematics Control Unit (TCB) would affect "BMW models which equipped with this module produced from the year 2012."

BMW has confirmed the findings and already started rolling out over-the-air updates to fix some bugs in the TCU, but other flaws will need patches through the dealers, which is why the researchers have scheduled their full technical report to March 2019.

BMW also rewarded Keen Security Lab researchers with the first winner of the BMW Group Digitalization and IT Research Award, describing their research "by far the most comprehensive and complex testing ever conducted on BMW Group vehicles by a third party."

Comments

Popular posts from this blog

We Bring You Brief Series of Sanctions Against Uganda Government Officials.

📸: Gen Abel Kandiho. On 9-December-2021, USA slapped sanctions against the then CMI Commander Gen Abel Kandiho. 📸: Gen Kale Kayihura. On 9-December-2022, UK slapped sanctions against former Police Boss Gen Kale Kayihura. 📸: Commissioner General of Prisons, Johnson Byabashaija. Again on this 4-December-2023, the same USA has slapped sanctions against Uganda Prisons Commander Johnson Byabashaija over alleged torture and human rights abuses in Prisons across Uganda. We ask, has USA and UK made December as an LCM to slap sanctions against high ranking government officials in Uganda even when the sanctions just remain on paper without deeper investigations to ascertain logical conclusions or remedy to that effect ?. #iip_updates  #Information_is_Power  #we_inform_the_uninformed

How to Host a Website for Free From Your PC or Laptop.

Why pay for a web hosting service when your old computer can do the same thing? Learn how to self-host your site. If you're planning to launch a website but don't want to pay recurring monthly or annual hosting fees, you can use any old laptop or desktop PC to host a website for free. It's a great way to utilize your old system instead of throwing it away. In this guide, we will install and set up services on our 10-year-old laptop to host a WordPress, Joomla, or custom HTML or PHP-based website with a free SSL certificate. MAKEUSEOF VIDEO OF THE DAY Things You Will Need to Host a Website Following are the pre-requisites to host a website for free from home with just your computer: An old laptop or PC running Ubuntu Server. A registered domain name for your website Ethernet cable to connect the laptop or PC to router for reliable and fast connection Step 1: Update and Upgrade the Packages After  installing Ubuntu Server on your computer , execute the following c...

WHERE IS MINISTER OF SEX SIMON LOKODO?. (He deserves a battle of soda from me! Ministe`r esalanga mabee. He is quick to run after Mrs Dr Stella Nyanzi and other Opposition elements. Government aza aza edo zuu vaa kpere bua). Anyway, below is the article! POLICE OFFICER AKOL ESTHER CHARGED OF BEING A PUBLIC NUISANCE Naughty Officer Officer who embarrassed police after leaking nude photo charged 13.03.2018 She serves in the 'Very Important Persons Protection Unit'  Akol Esther  (Courtesy) A female police officer whose nude photo surfaced on social media has been charged of being a public nuisance. Akol Esther serves in the Very Important Persons Protection Unit (VIPPU) of the police force. Kampala Metropolitan Police spokesperson Luke Owoyesigire says Akol Esther might be demoted or expelled from the police force if found guilty of circulating nude photos. Police court is yet to announce date when Akol Esther is expected to appear for a hearing. This comes at a time when Pornography Control Committee is taking tough measures against persons circulating pornography content. The committee warned and promised to arrest persons who will circulate pornographic content.

POLICE OFFICER AKOL ESTHER CHARGED OF BEING A PUBLIC NUISANCE Naughty Officer Officer who embarrassed police after leaking nude photo charged 13.03.2018 She serves in the 'Very Important Persons Protection Unit' Akol Esther  (Courtesy) A female police officer whose nude photo surfaced on social media has been charged of being a public nuisance. Akol Esther serves in the Very Important Persons Protection Unit (VIPPU) of the police force. Kampala Metropolitan Police spokesperson Luke Owoyesigire says  Akol Esther might be demoted or expelled from the police force if found guilty of circulating nude photos . Police court is yet to announce date when Akol Esther is expected to appear for a hearing. This comes at a time when Pornography Control Committee is taking tough measures against persons circulating pornography content. The committee warned and promised to arrest persons who will circulate pornographic content.