Not long ago BMW announced that it will be offering a new award to those making important progress in the field of digitalization and IT, starting this year. Well, the moment has come for the first recipient to claim it, the guys from Keen Security Lab being the lucky winners of the first ever BMW Group Digitalization and IT Research Award, honoring pioneering research in the field of computer engineering.
Security and privacy are two key elements in the BMW Group’s product development process, driving connectivity within and beyond the vehicle. Along with increasing functionality and rapid technological progress in vehicle development, electronics and consumer devices, the complexity of the overall system also increases.
In response to what has become a race between technological progress and new, presently unknown attack scenarios, the BMW Group has launched a comprehensive cybersecurity action plan, which includes tests conducted both internally by the BMW Group and with the help of independent institutions. Third parties increasingly play a crucial role in improving automotive security as they conduct their own in-depth tests of products and services.
Keen Security Lab, a professional security research lab under Tencent Holdings Limited, is a globally renowned and respected security research team whose highly specialized researchers have more than ten years of experience in cybersecurity for PCs and mobile devices. Tencent Keen Security Lab is actively involved in internal research and the development of security enhancement recommendations for the portfolio of online services, including social, payment, games and cloud, provided by its parent company.
In recent years, Tencent Keen Security Lab expanded capabilities in new research areas including connected/intelligent cars, IoT products, cloud computing and virtualization, as well as AI. A major research focus of Tencent Keen Security Lab is automotive security, a field in which the company has partnered up with leading players. The company supports the advancement of security features of intelligent connected cars by publishing substantial research and supporting automakers in technological and technical development matters.
Between January 2017 and February 2018, Tencent Keen Security Lab experts conducted comprehensive tests with various BMW models. In doing so, they focused on the head unit and T-Box components of different generations. “BMW belongs to the top 5% in automotive IT-security, which made it a highly challenging task for our sophisticated team,” says Samuel Lv, Director of Tencent Keen Security Lab.
After 13 months the team of researchers informed the BMW Group about their comprehensive findings on 14 different vulnerabilities directly (Responsible Disclosure). Nine of the attack scenarios required a physical connection in the car or a location in the direct vicinity of the vehicle. Five attack scenarios were based on a remote connection using the mobile telephone network.
After gaining access to the head unit and T-box components, Tencent Keen Security Lab executed specifically developed exploits and in this way was able to gain control of the CAN buses to trigger arbitrary, unauthorized diagnostic vehicle functions remotely. The tests were always run in a controlled environment on the premises of Tencent Keen Security Lab. Identifying, preparing and implementing attack scenarios via mobile network requires comprehensive expertise.
Promptly after the internal verification of the findings, the BMW Group’s Automotive Security Team contacted Tencent Keen Security Lab to confirm the findings and started developing measures. Subsequently, these upgrades were rolled out in the BMW Group backend and uploaded to the telematics control units via over the air connection. The BMW Group develops additional software updates, which as usual will be made available for customers at BMW dealerships.
For this outstanding research work, Tencent Keen Security Lab has been selected as the first winner of the BMW Group Digitalization and IT Research Award. “With this award we want to honor the experts who support us in the transformation towards digitalized mobility,” explained Christoph Grote, Senior Vice President Electronics BMW Group, when he presented the award to the research team of Tencent Keen Security Lab at BMW Group China’s offices in Beijing.
Based on this successful cooperation, Tencent Keen Security Lab and the BMW Group are discussing options for joint in-depth research and development activities. Talks on the design of a future cooperation were held at the award ceremony. The joint research will focus on the security of Android embedded systems, and on autonomous driving security and testing. Additionally, consulting services on security in over-the-air software update mechanisms are within the scope of future collaboration.