Researchers are warning BMW drivers of two newly discovered vulnerabilities in the car manufacturer’s ConnectedDrive web portal which could allow attackers to interfere with the automobile’s settings.
Discovered by Benjamin Kunz Mejri of Vulnerability Lab, the first flaw is a high risk ‘VIN Session Vulnerability’ which could allow hackers to remotely compromise the web app.
VIN, or vehicle identification number, is a unique number given to identify each and every motor vehicle on the road.
During a VIN adding session, an attacker could exploit the bug to change the settings for other VINs in the web portal.
The second flaw was given a medium risk rating and is a client-side cross-site scripting issue which allows an attacker to inject malicious script to carry out: “session hijacking, non-persistent phishing, non-persistent external redirects to malicious source and non-persistent manipulation of affected or connected application modules.”
Thus far BMW seems not to have patched the issues, despite being made aware of them back in February.
Simon Moffatt, EMEA director of Advanced Customer Engineering at ForgeRock, argued that car makers will increasingly need to focus on device, service and user identity management, as their connected cars become an attractive target for hackers.
"The major problem at present is that there is no correlation between the identity of the driver and the identities of the smart systems within the car. It is really important that these connected car infotainment systems have individual identity profiles that can restrict the operations or data made available,” he said.
“In terms of security, this relationship must be established so that only the vehicle’s operator, whose identity is authenticated in advance, can alter the vehicle settings. This means that if a hacker tries to take control remotely, they will not be able to, because their identity won’t be recognized by the vehicle or its systems. In order to do this, an effective identity management platform must be deployed that can link together all of the relevant identities in the correct context."
As connected cars become ever more sophisticated and filled with embedded computing and other hi-tech components, they become a legitimate target for cyber-criminals.
Last year, Charlie Miller and Chris Valasek released a much-publicised research paper in which they demonstrated how hackers could exploit fundamental vulnerabilities in the architecture to remotely control steering, brakes and other functions of a Jeep Cherokee.