0-days & Mitigations: Roadways to Exploit and Secure Connected BMW Cars

Black Hat USA 2019

Presented by: Zhiqiang Cai, Michael Gruffke, Hendrik Schweppe, Aohui Wang, Wenkai Zhang
Date: Thursday August 08, 2019
Time: 12:10 - 13:00
Location: South Seas ABE

Cyber security for connected cars has become a widespread concern over the past years. In 2016 and 2017, Keen Security Lab demonstrated two remote attacks against the Tesla Model S/X. In March 2018, Keen Security Lab successfully implemented new exploit chains on multiple BMW car models, both through physical access and through a remote approach requiring no user interaction. At that time, following a responsible disclosure procedure, Keen Security Lab released a security assessment report giving only a brief disclosure of the vulnerabilities rather than a full disclosure, as is standard practice in the security industry.

The findings have been verified and addressed, and fixes and mitigations have been rolled out. Now we are ready to share the findings together with security experts from BMW Group. In this presentation, we will introduce the system architecture and external attack surfaces of connected cars, then give details about the vulnerabilities, including multiple 0-days, that existed in two vehicle components: the Infotainment System (a.k.a. Head Unit) and the Telematics Control Unit. Keen Security Lab's research findings have proven the possibility of arbitrary code execution in the Infotainment System via common external interfaces including USB, Ethernet and OBD-II, as well as remote exploitation of the Telematics Control Unit over a fake mobile network with the payload delivered via HTTP and SMS (Short Message Service). Furthermore, Keen Security Lab will explore the CAN network architecture of BMW cars and analyze how logic flaws in the Gateway can be combined to trigger arbitrary, unauthorized diagnostic vehicle functions remotely over the CAN buses from both the Infotainment System and the Telematics Control Unit. Lastly, we will summarize the exploit chains and mitigation measures. Together with BMW Group security experts, we will present details on the analysis, validation and roll-out of countermeasures.

Zhiqiang Cai

Zhiqiang Cai is a security researcher at KeenLab of Tencent. With a main focus on vulnerability discovery in connected vehicles, his work involves reverse engineering of embedded systems, browser exploitation, and security analysis of Bluetooth and vehicle CAN networks.

Aohui Wang

Aohui Wang is a security researcher at Keenlab, Tencent. He focuses on firmware reverse engineering, vulnerability discovery and exploitation, and has extensive experience in vehicle security testing.

Wenkai Zhang

Wenkai Zhang is a security researcher at Keenlab, Tencent. He currently focuses on vehicle CAN network testing and ECU firmware analysis at Keen Lab. With extensive experience in embedded basic software development, he is familiar with the ECU hardware design process and vehicle CAN network architecture.

Michael Gruffke

Michael Gruffke has long experience in the development of BMW ConnectedDrive services and is now an expert in on-board security for the connected vehicle.

Hendrik Schweppe

Hendrik Schweppe has a great deal of experience in classic embedded and IT security and works at BMW Group as manager for penetration testing of the connected vehicle.
