Charlie Miller @0xcharlie, 21 tweets
So @keen_lab just dropped a really awesome paper about hacking BMW cars. Get it here: keenlab.tencent.com/en/Experimenta…. What follows is my analysis (1/21):
Their USB dongle to ethernet trick for local attack is funny because that worked on the Jeep too.
The OBDII to ethernet trick was really unexpected and wild, but in practice the USB attack seems easier for the same level of access.
The Bluetooth attack seems pretty limited. Requires the head unit to be in pairing mode and also is only a crash and not an exploit, I believe, although it's hard to tell since they didn't provide details (more on that later).
The browser exploit left me with more questions than answers. You need to intercept cellular connections but beyond that does it need user interaction? Is that package standard on all BMW or do you have to pay a service? etc?
Every full cyber physical car attack always has a tricky part where you have to gain the ability to send CAN messages from the remote component. The BMW seems easier than Tesla or Jeep because the gateway here runs QNX on ARM so you can log in and play.
However, the head unit and other remote stuff is only on the K-CAN which doesn't have physical control systems like brakes, steering, etc. This is good design. There is a gateway module which separates it from the PT-CAN network.
The researchers figured out how to send arbitrary UDS CAN messages to the PT-CAN network through the gateway. However, this restriction limits the physical control you can do.
For Jeep/Ford/Toyota with UDS you can't physically control steering/brakes much. The exception is the brakes-no-work attack. But we used standard CAN messages (non-UDS) for most of our physical control injection attacks.
It is unclear how much control they have with only UDS messages in this research or if they are still figuring it out. In theory you could possibly reprogram an ECU on PT-CAN and send standard CAN messages from it.
The biggest result of the research was the ability to send NGTP messages over SMS which led to remote code execution if a car was connected to their rogue base station. This required no user interaction.
This requires "physical proximity", say 100 meters, but is a remote attack which can be chained together to talk to physical controlling ECUs with UDS messages.
Cool attack, it's unclear if they got full cyber physical control (i.e. steering/brakes/acceleration) from the full chain. My guess is no or they would have mentioned it.
They decided not to release details. To me, this makes it hard to really judge their work and considering the level of difficulty in pulling it off, doesn't buy much protection.
That is, anyone capable of setting up a base station and writing a remote exploit using NGTP over SMS can probably find a vulnerability in the firmware knowing one is there :)
@nudehaberdasher and I released full details of all our work and nobody ever used it for malicious purposes, and that was three years ago.
BTW, all of my interactions with BMW have not been great. They tell me they don't need help from security researchers and that they'll never share how their security works.
In their response, BMW say the attack is sophisticated and so "BMW Group considers the security level for our customers and produces ensured". Basically their cars are safe as long as nobody smart tries to hack them.
Also this from BMW "BMW Group and Tencent Keen Security Lab agree that any replication of this scenario by a third-party is considered a criminal act, as it requires interfering with the public mobile network"
Remember kids, never try to replicate the findings of security researchers :p
In all, @keen_lab again showing why it's the leader in offensive car security research. I hope they keep at it and release those details! Great work.
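The gateway point in tweets 10 through 13 (head unit on K-CAN, brakes/steering on PT-CAN, only UDS diagnostic traffic routed across) is easier to reason about with a toy model in front of you. The following is an added illustration written for this page; it is not BMW's gateway logic and not Keen Lab's code. The arbitration IDs, the diagnostic-request ID table, the ISO-TP padding byte and the sample frames are all constructed assumptions for the demo, not values taken from any vehicle.

```python
"""Toy CAN gateway: routes only UDS (ISO-TP) diagnostic requests from K-CAN to PT-CAN.

Added example for this page. Every ID and payload below is a constructed
assumption chosen to illustrate the design, not a real BMW value.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class CanFrame:
    bus: str        # "K-CAN" (body/infotainment side) or "PT-CAN" (powertrain side)
    arb_id: int     # 11-bit arbitration ID
    data: bytes     # up to 8 bytes, classic CAN


# Assumed gateway policy: only these diagnostic request IDs (UDS over ISO-TP) are
# routed from K-CAN to PT-CAN.  Mapping is made up for the demo.
DIAG_REQ_IDS = {0x7E0: "engine ECU", 0x7E1: "transmission ECU", 0x7E2: "brake ECU"}

# Assumed "standard" (non-diagnostic) frames an attacker on K-CAN might try to
# spoof; these IDs are constructed for the demo.
FAKE_STEERING_CMD = 0x0C0
FAKE_WHEEL_SPEED = 0x1A0

ISO_TP_PAD = 0x00  # padding byte; real stacks vary (0x00, 0xAA, 0xCC), assumption here


def uds_single_frame(sid: int, payload: bytes = b"") -> bytes:
    """Build an ISO-TP single frame carrying one UDS request, padded to 8 bytes."""
    body = bytes([sid]) + payload
    if len(body) > 7:
        raise ValueError("single frame carries at most 7 bytes of UDS data")
    frame = bytes([len(body)]) + body
    return frame + bytes([ISO_TP_PAD]) * (8 - len(frame))


def uds_service_id(data: bytes) -> Optional[int]:
    """Return the UDS service byte if `data` is a well-formed ISO-TP SF/FF, else None."""
    if not data:
        return None
    pci_type = data[0] >> 4
    if pci_type == 0:                      # single frame: [0x0L, SID, ...]
        length = data[0] & 0x0F
        if length < 1 or length > len(data) - 1:
            return None
        return data[1]
    if pci_type == 1 and len(data) >= 3:   # first frame: [0x1X, XX, SID, ...]
        return data[2]
    return None                            # consecutive / flow-control frames carry no SID


def gateway_route(frame: CanFrame) -> Optional[CanFrame]:
    """Forward a K-CAN frame to PT-CAN only if it is a diagnostic request.

    Standard frames (periodic sensor values, actuator commands) are dropped:
    this is why an attacker holding the head unit cannot simply replay the
    kind of raw CAN injection used against older cars, and is left with UDS.
    """
    if frame.bus != "K-CAN":
        return None
    if frame.arb_id not in DIAG_REQ_IDS:
        return None
    if uds_service_id(frame.data) is None:
        return None
    return CanFrame("PT-CAN", frame.arb_id, frame.data)


def simulate(frames: List[CanFrame]) -> List[CanFrame]:
    """Run a batch of attacker frames through the gateway, return what reaches PT-CAN."""
    return [out for out in (gateway_route(f) for f in frames) if out is not None]


# Constructed attacker traffic from the K-CAN side.
ATTACK_TRAFFIC = [
    CanFrame("K-CAN", FAKE_STEERING_CMD, bytes(8)),                       # spoofed actuator command: dropped
    CanFrame("K-CAN", FAKE_WHEEL_SPEED, b"\x00\x00\x00\x00\x00\x00\x00\x00"),  # spoofed sensor: dropped
    CanFrame("K-CAN", 0x7E0, uds_single_frame(0x22, b"\xF1\x90")),        # ReadDataByIdentifier (VIN): forwarded
    CanFrame("K-CAN", 0x7E2, uds_single_frame(0x10, b"\x03")),            # DiagnosticSessionControl: forwarded
    CanFrame("K-CAN", 0x7E2, b"\x21\x00\x00\x00\x00\x00\x00\x00"),         # stray consecutive frame: dropped
]

if __name__ == "__main__":
    for f in simulate(ATTACK_TRAFFIC):
        print(f"PT-CAN <- 0x{f.arb_id:03X} ({DIAG_REQ_IDS[f.arb_id]}) SID=0x{uds_service_id(f.data):02X}")
```

The model matches the thread's framing: with the gateway in place, what survives the crossing is a diagnostic session with a powertrain ECU, not free-form control traffic, so the remaining question for an attacker is how far UDS services (and possibly reprogramming an ECU from that session) get them, which is exactly the open point the thread raises.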