A security researcher has disclosed two zero-day vulnerabilities in the online service web applications of the German luxury automobile company BMW. The first issue exists in the web application for BMW ConnectedDrive, a suite of services which includes real-time traffic updates, on-board app connectivity, and other functions built into each automobile.
It affects the session management of the adding procedure for a vehicle identification number (VIN), a unique code including a serial number which helps identify individual motor vehicles. BMW uses a VIN to back up a vehicle's ConnectedDrive settings. By tampering with the active information during a live VIN adding session, a remote attacker can bypass the secure validation of a VIN to add a new configuration. That allows the bad actor to gain access to and change the ConnectedDrive settings for other VINs in the web portal. Doing so affects the settings in whichever cars are associated with those VINs. This vulnerability is estimated as a "high" security risk with a CVSS base score of 6.0. The second issue, a client-side cross-site scripting web vulnerability, resides in BMW's general web application. It allows a remote attacker to inject malicious script into a web application file. Benjamin Kunz Mejri, a security researcher at Vulnerability Lab who discovered the two zero-day issues, explains that bad actors can exploit the second vulnerability to launch a number of secondary attacks:
"The security risk of the non-persistent vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.6. Exploitation of the persistent input validation web vulnerability requires no privileged web-application user account and low user interaction. Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing, non-persistent external redirects to malicious sources and non-persistent manipulation of affected or connected application modules."
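The first flaw, as described above, comes down to a multi-step "add VIN" flow whose live session data can be altered by the client between validation and completion. The sketch below is an added illustration of the defensive pattern, not BMW's code: the VIN that passed the ownership check is pinned server-side, the second step only ever acts on that stored VIN, and a client form carrying a different VIN is treated as tampering. The ownership table, VIN values and function names are constructed for the example.

```python
import re
import secrets

# Constructed sample data: which authenticated portal user may manage which VIN.
# A real portal would consult its own ownership records here (assumption).
OWNERSHIP = {
    "alice": {"WBA3A5C55CF256789"},
    "bob":   {"WBA8E9G57GNU12345"},
}

# A VIN is 17 characters from A-Z and 0-9, excluding the letters I, O and Q.
VIN_RE = re.compile(r"^[A-HJ-NPR-Z0-9]{17}$")

# Server-side session state keyed by an opaque token; the client never holds its contents.
SESSIONS = {}


def start_vin_add(user, vin):
    """Step 1: validate the VIN and the user's right to manage it, then pin the
    validated VIN to a server-side session. Returns the opaque token for step 2."""
    if not VIN_RE.match(vin):
        raise ValueError("malformed VIN")
    if vin not in OWNERSHIP.get(user, set()):
        raise PermissionError("user may not manage this VIN")
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = {"user": user, "vin": vin}
    return token


def confirm_vin_add(user, token, client_form):
    """Step 2: apply the ConnectedDrive settings. The VIN comes from the server-side
    session, never from the client form; the token is single-use, and a form whose
    VIN differs from the validated one is rejected as tampering."""
    state = SESSIONS.pop(token, None)          # consume the token even on failure
    if state is None or state["user"] != user:
        raise PermissionError("unknown or foreign VIN-add session")
    if client_form.get("vin", state["vin"]) != state["vin"]:
        raise PermissionError("VIN mismatch: session data was tampered with")
    return {"vin": state["vin"], "settings": client_form.get("settings", {})}
```

The point of the mismatch check is that the client-supplied VIN is never trusted after step 1; dropping it from the form entirely would be equally sound.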
Mejri notified BMW of both flaws back in February. As of this writing, the automobile company has yet to patch the vulnerabilities. News of these security issues follows close to one year after three Chrysler Jeep owners filed a lawsuit against Chrysler and Harman International, the maker of the Uconnect dashboard computer, after two security researchers successfully exploited a vulnerability in Uconnect to hijack a 2014 Jeep.