Zero-Days in BMW Web Portal Let Hackers Tamper with Customer Cars


July 8, 2016

Two vulnerabilities exist in BMW’s ConnectedDrive Web portal that can allow an attacker to manipulate car settings related to its infotainment system.

ConnectedDrive is the name of BMW’s in-car infotainment system. The system can be used as it is, in the car, or via a series of connected mobile apps that allow the driver to manage vehicle settings through their mobile devices. Besides the mobile apps, this service also has a counterpart for the Web.

Benjamin Kunz Mejri, security researcher for Vulnerability Lab, published yesterday two zero-day vulnerabilities in the ConnectedDrive portal that BMW has failed to patch for the past five months.

Read full story…