Zero Days in BMW Web Portal

Tuesday, July 12, 2016 @ 04:07 PM gHale


Automobile security is becoming more visible these days, as two vulnerabilities in BMW’s ConnectedDrive Web portal can allow an attacker to manipulate car settings related to its infotainment system.

ConnectedDrive is the name of BMW’s in-car infotainment system. It can be used directly in the car or through a series of connected mobile apps that let the driver manage vehicle settings from a mobile device. Besides the mobile apps, the service also has a Web counterpart.


Benjamin Kunz Mejri, security researcher for Vulnerability Lab, published two Zero Day vulnerabilities in the ConnectedDrive portal that BMW failed to patch for the past five months.

The first issue is a session vulnerability that allows a user to get access to another person’s VIN — Vehicle Identification Number.

VINs are car IDs attached to each user’s account. The VIN is used to back up a car’s ConnectedDrive settings to that account, and changing these settings in the Web portal also changes them on the car and in the attached apps.

Mejri said his attack allowed him to bypass VIN session validation and use another VIN to access and then edit another user’s car settings.
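The flaw described above is an authorization gap: the portal verified that a session was logged in but not that the VIN in the request belonged to that session’s account. The following is an added illustration, not BMW’s code or the researcher’s proof of concept; account names, VINs and settings are constructed, and the handler names are hypothetical.

```python
"""Added example (not BMW's code): a client-supplied VIN must be checked
against the authenticated account before settings are read or changed.
Account names, VINs and settings below are constructed sample data."""
from dataclasses import dataclass

# Constructed sample data: each account owns a set of VINs, each VIN has settings.
ACCOUNTS = {
    "alice": {"WBA0000000TEST001"},
    "bob": {"WBA0000000TEST002"},
}
SETTINGS = {
    "WBA0000000TEST001": {"doors": "locked"},
    "WBA0000000TEST002": {"doors": "locked"},
}
AUDIT_LOG: list[str] = []  # denied cross-account attempts, for detection


@dataclass
class Session:
    """Server-side session: only the user id is trusted, never a VIN from the client."""
    user: str


class Forbidden(Exception):
    pass


def update_settings_vulnerable(session: Session, vin: str, changes: dict) -> dict:
    """Pattern the article describes: the session proves *a* user is logged in,
    but the VIN taken from the request is never tied back to that user."""
    SETTINGS[vin].update(changes)
    return SETTINGS[vin]


def update_settings_hardened(session: Session, vin: str, changes: dict) -> dict:
    """Authorize the object, not just the session: the VIN must be registered
    to the account behind the session. Refusals are logged so that repeated
    cross-account attempts can be alerted on."""
    if vin not in ACCOUNTS.get(session.user, set()):
        AUDIT_LOG.append(f"user={session.user} denied vin={vin}")
        raise Forbidden("VIN is not registered to this account")
    SETTINGS[vin].update(changes)
    return SETTINGS[vin]
```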

Some of the settings available through the ConnectedDrive portal include the ability to lock/unlock the vehicle, manage song playlists, access email accounts, manage routes, get real-time traffic information, and so on.

The second issue is an XSS (cross-site scripting) bug on the portal’s password reset page.

This XSS bug can lead to any of the regular complications that come from such Web attacks, such as browser cookie harvesting, subsequent CSRF attacks, phishing attacks, and more.

Mejri said he notified BMW of these two issues in February. Since BMW did not answer his bug reports in time, the researcher went public with his findings. An in-depth description of the issues, complete with proof-of-concept exploit code, is available for the first issue and for the second.