Security Researcher Finds Two Vulnerabilities In BMW's ConnectedDrive System

BMW's ConnectedDrive Web portal has two zero-day vulnerabilities, and they can be used by hackers to manipulate car settings related to the multimedia unit.
As you know, BMW's ConnectedDrive is a feature which is operated from the built-in iDrive system, and it allows users to access the Internet, as well as obtain services and other supplementary elements for their cars.

In suitable models, the car can be connected to the user's smartphone to provide more customization options and settings management. The service also has a counterpart for Web browsers, which appears to be the weakest link in the security chain, Softpedia reports.

Benjamin Kunz Mejri, a security researcher for Vulnerability Lab, has published two zero-day vulnerabilities in BMW's ConnectedDrive web portal. The automaker was notified beforehand and has known about these issues for the past five months.

In case you are not familiar with the terminology, let us explain “zero-day vulnerabilities.” The term zero-day refers to the fact that no fixes or patches have been developed for the matter at hand. In layman's terms, it means there is no fix at the moment.

Now, back to the vulnerabilities. The first issue allows a user to get access to another customer's Vehicle Identification Number. The unique sequence is used by BMW's web service for a back-up of the ConnectedDrive settings.

If someone else were to change the settings, the car and its attached apps would also receive them. The security risk here, apart from the ability to change your radio presets and put Justin Bieber on all your playlists, is that the hacker could open your e-mails, manage your routes, and lock/unlock your vehicle.

Since they have your routes, they know where you park your car, and there is a possibility of stealing the vehicle through remote unlock.

The second vulnerability is a cross-site scripting bug in the password reset page, which could lead to phishing attacks, among other computer-security issues. BMW has not released a statement commenting on the situation, but we expect them to fix this matter as soon as possible.
About the author: Sebastian Toma

Sebastian's love for cars began at a young age. Little did he know that a career would emerge from this passion (and that it would not, sadly, involve being a professional racecar driver). In over fourteen years, he got behind the wheel of several hundred vehicles and in the offices of the most important car publications in his homeland.