According to security researcher Benjamin Kunz Mejri from Vulnerability Labs, there are two main bugs, both in the BMW online service web application for ConnectedDrive.
ConnectedDrive is the name of BMW’s in-car infotainment system. The system can be used directly in the car, or through a series of connected mobile apps that let the driver manage vehicle settings from their mobile devices. In addition to the mobile apps, the service also has a web equivalent.
The first flaw found in the BMW ConnectedDrive online service web application is a VIN (Vehicle Identification Number) session vulnerability. The VIN is the identification code assigned to each vehicle, and it is used when accessing the service. The bug lies in the session management of VIN usage: remote attackers with a live session can bypass the secure validation procedure for the VIN. In this way, they can manipulate registered and valid VIN numbers and configuration settings through the ConnectedDrive portal.
“The vulnerability is located in the session management of the VIN adding procedure. Remote attackers are able to bypass the secure validation approval of the VIN when processing to create it. Basically the validation does not allow adding a non-existing number to the interface configuration, to prevent different types of errors or issues. In case of the adding procedure the request approve via action – add the context.” states the security advisory from the vulnerability-lab.
“Remote attackers are able, with a live session, to tamper the action information to create or update. This allows an attacker to bypass the invalid VIN exception to finally add a new configuration. This interaction results in the takeover of other vehicle identification numbers to view or manipulate the configuration.”
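The session-management flaw described above, as an added illustration that is not BMW's code or the advisory's: a hypothetical handler that checks the VIN only on the "add" action, beside a hardened version that validates existence and ownership on every action. The VINs, account names and action values are constructed assumptions, and the server-side ownership check is an added mitigation the advisory does not spell out.

```python
from typing import Callable, Dict, Set

class InvalidVIN(Exception):
    """Raised when the VIN is not a registered vehicle."""

class NotOwner(Exception):
    """Raised when the VIN belongs to a different account."""

# Constructed sample registry (hypothetical values): VIN -> owning account.
REGISTERED_VINS: Dict[str, str] = {
    "WBA-TEST-000001": "alice",
    "WBA-TEST-000002": "bob",
}
ALLOWED_ACTIONS = {"add", "create", "update"}

Profiles = Dict[str, Set[str]]

def vulnerable_add_vin(user: str, params: Dict[str, str], profiles: Profiles) -> None:
    """Flawed pattern: the invalid-VIN check runs only when action == 'add'."""
    vin, action = params["vin"], params["action"]
    if action == "add" and vin not in REGISTERED_VINS:
        raise InvalidVIN(vin)
    # A tampered action value ('create'/'update') reaches the store unchecked,
    # so an unregistered VIN, or another account's VIN, is bound to this user.
    profiles.setdefault(user, set()).add(vin)

def hardened_add_vin(user: str, params: Dict[str, str], profiles: Profiles) -> None:
    """Fix: reject unknown actions and enforce existence and ownership on every path."""
    vin, action = params["vin"], params["action"]
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if vin not in REGISTERED_VINS:
        raise InvalidVIN(vin)
    if REGISTERED_VINS[vin] != user:   # added mitigation: server-side ownership check
        raise NotOwner(f"{vin} is not registered to {user}")
    profiles.setdefault(user, set()).add(vin)

def attempt(handler: Callable[..., None], user: str, params: Dict[str, str]) -> str:
    """Run one request against a fresh store and report what the handler decided."""
    profiles: Profiles = {}
    try:
        handler(user, params, profiles)
    except (InvalidVIN, NotOwner, ValueError) as exc:
        return f"rejected: {type(exc).__name__}"
    return "accepted: " + ",".join(sorted(profiles.get(user, ())))

if __name__ == "__main__":
    tampered = {"vin": "WBA-TEST-000002", "action": "update"}  # bob's VIN, action tampered
    print(attempt(vulnerable_add_vin, "alice", tampered))      # accepted: WBA-TEST-000002
    print(attempt(hardened_add_vin, "alice", tampered))        # rejected: NotOwner
```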
The second vulnerability discovered by the researchers is a client-side cross-site scripting (XSS) vulnerability in the official BMW online service web application. The flaw could allow a remote attacker to inject malicious script code into the client side of the affected module context, potentially leading to session hijacking, phishing campaigns, or redirection of users to malicious domains.
“A client-side cross site scripting web vulnerability has been discovered in the official BMW online service web-application. The vulnerability allows remote attackers to inject their own malicious script code into the client-side of the affected module context,” states the official advisory.
“The vulnerability is located in the t value (token) of the passwordResetOk.html web-application file. Remote attackers are able to inject their own client-side script code into the passwordResetOk.html file. The request method to inject is GET and the vulnerability is located on the client-side of the affected BMW web-service. The attacker injects the payload after the secure token to execute the context in the passwordResetOk.html file. The vulnerability is a classic client-side cross site scripting web vulnerability.”
Mejri first disclosed the security flaws to the German automaker in February 2016, and BMW responded to the reports in April. Since BMW failed to answer Mejri’s bug reports in time and there is no evidence that these issues have been patched, the researcher went public with his findings on July 7.