Today we will talk about two vulnerabilities that was discovered by Vulnerability Laboratory core team member "Benjamin Kunz Mejri", the vulnerabilities which are not patched yet! There are two main bugs both related to the BMW online service and web app for ConnectedDrive .
The first vulnerability found in the BMW ConnectedDrive web-application. The vulnerability allows remote attackers to manipulate specific configured parameters to compromise the affected web-application service. A vehicle identification number,commonly abbreviated to VIN, or chassis number, is a unique code including a serial number, used by the automotive industry to identify individual motor vehicles, towed vehicles, motorcycles, scooters and mopeds as defined in ISO 3833.
The vulnerability is located in the session management of the VIN adding procedure. Remote attackers are able to bypass the secure validation approval of the VIN when processing to create it. Remote attackers are able to change with a live session tamper the action information to create or update. Thus allows an attacker to bypass the invalid VIN exception to add a new configuration finally. Thus interaction results in the takeover of other vehicle identification numbers to view or manipulate the configuration. The session validation flaw can be exploited with a low-privilege user account, leading to manipulation of VIN numbers and configuration settings such as compromising registered and valid VIN numbers through the ConnectedDrive portal. The settings available through the ConnectedDrive portal include the ability to lock/unlock the vehicle, manage song playlists, access email accounts, manage routes, get real-time traffic information, and so on.
After the successful exploitation to integrate the vin in the portal the attacker can login with the connectedrive ios application. The attacker includes the illegal vin to his account via portal and can access the configuration via mobile application or portal. Thus way an attacker is able to unauthorized access the info-tainment-system of bmw cars to interact without hardware manipulation or cable access.