So @keen_lab just dropped a really awesome paper about hacking BMW cars. Get it here: keenlab.tencent.com/en/Experimenta…. What follows in my analysis (1/21):
Their USB dongle to ethernet trick for local attack is funny because that worked on the Jeep too.
The OBDII to ethernet trick was really unexpected and wild, but in practice the USB attack seems easier for the same level of access.
The bluetooth attack seems pretty limited. Requires headunit to be in pairing mode and also is only a crash and not an exploit I believe although its hard to tell since they didn't provide details (more on that later)
The browser exploit left me with more questions than answers. You need to intercept cellular connections but beyond that does it need user interaction? Is that package standard on all BMW or do you have to pay a service? etc?
Every full cyber physical car attack always has a tricky part where you have to gain the ability to send CAN messages from the remote component. The BMW seems easier than Tesla or Jeep because the gateway here runs QNX on ARM so you can log in and play.
However, the head unit and other remote stuff is only on the K-CAN which doesn't have physical control systems like brakes, steering, etc. This is good design. There is a gateway module which separates it from the PT-CAN network.
The researchers figured out how to send arbitrary UDS CAN messages to the PT-CAN network through the gateway. However, this restriction limits the physical control you can do.
For Jeep/Ford/Toyota with UDS you can't physically control steering/brakes much. The exception is the brakes-no-work attack. But we used standard CAN messages (non-UDS) for most of our physical control injection attacks.
It is unclear how much control they have with only UDS messages in this research or if they are still figuring it out. In theory you could possibly reprogram an ECU on PT-CAN and send standard CAN messages from it.
The biggest result of the research was the ability to send NGTP messages over SMS which led to remote code execution if a car was connected to their rogue base station. This required no user interaction.
This requires "physical proximity", say 100 meters, but is a remote attack which can be chained together to talk to physical controlling ECUs with UDS messages.
Cool attack, its unclear if they got full cyber physical control (i.e. steering/brakes/acceleration) from the full chain. My guess is no or they would have mentioned it.
They decided not to release details. To me, this makes it hard to really judge their work and considering the level of difficulty in pulling it off, doesn't buy much protection.
That is, anyone capable of setting up a base station and writing a remote exploit using NGTP over SMS can probably find a vulnerability in the firmware knowing one is there :)
Me and @nudehaberdasher released full details of all our work and nobody ever used it for malicious purposes and that was three years ago.
BTW, all of my interactions with BMW have not been great. They tell me they don't need help from security researchers and that they'll never share how their security works.
In their response, BMW say the attack is sophisticated and so "BMW Group considers the security level for our customers and produces ensured". Basically their cars are safe as long as nobody smart tries to hack them.
Also this from BMW "BMW Group and Tencent Keen Security Lab agree that any replication of this scenario by a third-party is considered a criminal act, as it requires interfering with the public mobile network"
Remember kids, never try to replicate findings of a security researchers :p
In all @keen_lab again showing why its the leader in offensive car security research. I hope they keep at it and release those details! Great work.
