BMW's ConnectedDrive Web portal has two zero-day vulnerabilities, and they can be used by hackers to manipulate car settings related to the multimedia unit.
As you know, BMW's ConnectedDrive is a feature which is operated from the built-in iDrive system, and it allows users to access the Internet, as well as obtain services and other supplementary elements for their cars.
In suitable models, the car could be connected to the user's smartphone to provide more customization options and setting management. The service also has a counterpart for Web browsers, which appear to be the weakest link in the security chain, Softpedia reports.
Benjamin Kunz Mejri, a security researcher for Vulnerability Lab, has published two zero-day vulnerabilities in BMW's ConnectedDrive web portal. The automaker has been notified beforehand, and BMW has known about these issues for the past five months.
If you may be aware of automotive-related terminology, let us explain “zero-day vulnerabilities.” The term zero-day refers to the fact that no fixes or patches have been developed for the matter at hand. In layman's terms, it means there is no fix at the moment.
Now, back to the vulnerabilities. The first issue allows a user to get access to another customers' Vehicle Identification Number. The unique sequence is used by BMW's web service for a back-up of the ConnectedDrive settings.
If someone else were to change the settings, the car and its attached apps will also have them. The security risk here, apart from the ability to change your radio presets and put Justin Bieber on all your playlists, is that the hacker could open your e-mails, manage your routes, and lock/unlock your vehicle.
Since they have your routes, they know where you park your car, and there is a possibility of stealing the vehicle through remote unlock.
The second vulnerability is a cross-site scripting bug to the password reset page, which could lead to phishing attacks, among with other computer-security issues. BMW has not released a statement commenting the situation, but we expect them to fix this matter as soon as possible.
In suitable models, the car could be connected to the user's smartphone to provide more customization options and setting management. The service also has a counterpart for Web browsers, which appear to be the weakest link in the security chain, Softpedia reports.
Benjamin Kunz Mejri, a security researcher for Vulnerability Lab, has published two zero-day vulnerabilities in BMW's ConnectedDrive web portal. The automaker has been notified beforehand, and BMW has known about these issues for the past five months.
If you may be aware of automotive-related terminology, let us explain “zero-day vulnerabilities.” The term zero-day refers to the fact that no fixes or patches have been developed for the matter at hand. In layman's terms, it means there is no fix at the moment.
Now, back to the vulnerabilities. The first issue allows a user to get access to another customers' Vehicle Identification Number. The unique sequence is used by BMW's web service for a back-up of the ConnectedDrive settings.
If someone else were to change the settings, the car and its attached apps will also have them. The security risk here, apart from the ability to change your radio presets and put Justin Bieber on all your playlists, is that the hacker could open your e-mails, manage your routes, and lock/unlock your vehicle.
Since they have your routes, they know where you park your car, and there is a possibility of stealing the vehicle through remote unlock.
The second vulnerability is a cross-site scripting bug to the password reset page, which could lead to phishing attacks, among with other computer-security issues. BMW has not released a statement commenting the situation, but we expect them to fix this matter as soon as possible.