Cyber security for connected cars has become a widespread concern over the past years. In 2016 and 2017, Keen Security Lab demonstrated two remote attacks against the Tesla Model S/X; in March 2018, Keen Security Lab successfully implemented new exploit chains on multiple BMW car models, both through physical access and through a remote approach requiring no user interaction. At that time, following a responsible disclosure procedure, Keen Security Lab released a security assessment report giving a brief overview of the vulnerabilities rather than a full disclosure, which is standard practice in the security industry.
The findings have been verified and addressed, and fixes and mitigations have been rolled out. Now we're ready to share the findings together with security experts from BMW Group. In this presentation, we will introduce the system architecture and external attack surfaces of connected cars, then give details about the vulnerabilities, including multiple 0-days, which existed in two vehicle components: the Infotainment System (a.k.a. Head Unit) and the Telematics Control Unit. Keen Security Lab's research has demonstrated arbitrary code execution in the Infotainment System via common external interfaces, including USB, Ethernet and OBD-II, as well as remote exploitation of the Telematics Control Unit over a fake mobile network with the payload delivered via HTTP and SMS (Short Message Service). Furthermore, Keen Security Lab will explore the CAN network architecture of BMW cars and analyze how logic flaws in the Gateway can be combined to trigger arbitrary, unauthorized diagnostic vehicle functions remotely over the CAN buses from both the Infotainment System and the Telematics Control Unit. Lastly, we will summarize the exploit chains and mitigation measures. Together with BMW Group security experts, we will present details on the analysis, validation and roll-out of countermeasures.