Two unpatched vulnerabilities in BMW's ConnectedDrive web portal create a mechanism to manipulate car settings, a security researcher warns.

The first (and more serious) vulnerability gives an attacker who holds another driver's Vehicle Identification Number (VIN) a way to attach that VIN to their own portal account and then change in-car settings: locking and unlocking the vehicle, accessing email accounts, and managing routes and real-time traffic information, all of which ConnectedDrive exposes through BMW's in-car infotainment system. The second (lesser) issue is a reflected cross-site scripting bug on the password reset page of BMW's ConnectedDrive portal.

Both flaws were uncovered by security researcher Benjamin Kunz Mejri of Vulnerability Laboratory, who went public with two advisories (here and here).

El Reg has put in a request for comment on the flaws to BMW but is yet to hear back from the German carmaker. We’ll update this story as and when we hear more.

Kunz Mejri explained: “The VIN ID is connected to the configuration of the cars. After the first login you have to add a valid VIN to access the configuration. The manipulation allows to bypass the validation approval of the VIN and to access your configuration. At the end an attacker is able to fully (unauthorised) access the configuration of another BMW car user.”
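The underlying weakness the researcher describes is an authorisation check that trusts a client-supplied identifier. The following is an added illustration, not BMW's code or the researcher's proof of concept: a minimal model of a portal that looks up vehicle configuration by VIN, with the vulnerable pattern (any known VIN is accepted) beside a hardened one that decides access from the server-side binding between the logged-in account and the VIN. The account names, VINs and settings are constructed for the example.

```python
"""Added example, not BMW's code: binding vehicle configuration access
to the authenticated account rather than to a VIN the client supplies.
All accounts, VINs and settings below are constructed for illustration."""


class AccessDenied(Exception):
    """Raised when the session user is not allowed to touch the vehicle."""


# Constructed sample data: which account each VIN is registered to.
# The VINs are 17-character placeholders, not real vehicles.
VEHICLE_OWNERS = {
    "WBAXXXXXXXX000001": "alice",
    "WBAXXXXXXXX000002": "bob",
}
VEHICLE_CONFIG = {
    "WBAXXXXXXXX000001": {"doors_locked": True, "route": "home"},
    "WBAXXXXXXXX000002": {"doors_locked": True, "route": "office"},
}


def get_config_insecure(session_user, vin):
    """Vulnerable pattern: the server only checks that the VIN exists.
    Any logged-in user who knows another owner's VIN can read and edit
    that car's settings; session_user is never consulted."""
    if vin not in VEHICLE_CONFIG:
        raise KeyError("unknown VIN")
    return VEHICLE_CONFIG[vin]


def get_config_secure(session_user, vin):
    """Hardened pattern: authorisation comes from the server-side
    account-to-VIN binding, never from the identifier in the request."""
    owner = VEHICLE_OWNERS.get(vin)
    if owner is None or owner != session_user:
        # Same error for "unknown" and "not yours", so the endpoint
        # cannot be used to enumerate which VINs are registered.
        raise AccessDenied("vehicle not registered to this account")
    return VEHICLE_CONFIG[vin]


def set_lock_state(session_user, vin, locked):
    """Settings changes go through the same ownership check."""
    cfg = get_config_secure(session_user, vin)
    cfg["doors_locked"] = locked
    return cfg


def cross_account_blocked(attacker, victim_vin):
    """True if the hardened check stops `attacker` reaching `victim_vin`."""
    try:
        get_config_secure(attacker, victim_vin)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    # Bob, logged in to his own account, supplies Alice's VIN.
    print("insecure:", get_config_insecure("bob", "WBAXXXXXXXX000001"))
    print("secure blocked:", cross_account_blocked("bob", "WBAXXXXXXXX000001"))
    print("alice unlocks:", set_lock_state("alice", "WBAXXXXXXXX000001", False))
```

The point of the hardened version is that the VIN alone never grants anything: an attacker still has to be the account the vehicle was registered to, so leaking or guessing a VIN does not translate into control of the car.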

The cross-site scripting flaw also needs addressing, according to Kunz Mejri.

“The XSS is at the location of the secure token that is approved for each login requested,” he explained. “An attacker can send a valid token with this payload to exploit the BMW portal account users.” The bug has been estimated to be of medium severity.
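Reflected XSS of this kind arises when a value from the request, here the reset token, is written back into the page unescaped. The following is an added illustration, not BMW's code or the researcher's payload: a password-reset page that reflects the token into a hidden form field, with the vulnerable rendering beside a hardened one that validates the token's format before reflecting it and HTML-escapes it regardless. The assumed token format (32 lowercase hex characters) and the sample payload are constructed for the example.

```python
"""Added example, not BMW's code: a password-reset page that reflects a
token from the URL into the markup. The assumed token format and the
test payload below are constructed for illustration."""
import html
import re

# Assumption for the example: reset tokens are 32 lowercase hex characters.
TOKEN_RE = re.compile(r"\A[0-9a-f]{32}\Z")

# Constructed payload that closes the attribute and injects a script tag.
SAMPLE_PAYLOAD = '"><script>alert(document.cookie)</script>'


def render_reset_insecure(token):
    """Vulnerable pattern: whatever the query string held is interpolated
    straight into the HTML, so a crafted link executes in the victim's
    browser on the portal's origin."""
    return f'<input type="hidden" name="token" value="{token}">'


def render_reset_secure(token):
    """Hardened pattern: reject anything that is not a well-formed token,
    and escape the value anyway as defence in depth."""
    if not TOKEN_RE.fullmatch(token):
        return "<p>Invalid or expired reset link.</p>"
    return ('<input type="hidden" name="token" '
            f'value="{html.escape(token, quote=True)}">')


def reflects_script(rendered):
    """True if the rendered page still contains a live <script> element."""
    return "<script>" in rendered


if __name__ == "__main__":
    print("insecure:", render_reset_insecure(SAMPLE_PAYLOAD))
    print("secure:  ", render_reset_secure(SAMPLE_PAYLOAD))
    print("valid:   ", render_reset_secure("0" * 32))
```

Validating the token's shape on the server stops the reflection before it reaches the template; escaping covers the case where a later change relaxes the format or reuses the template for another value.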

The security issues with BMW's connected car technology follow earlier problems with its kit, and come just weeks after security shortcomings in the Mitsubishi Outlander were exposed by researchers at Pen Test Partners.

Independent security experts argue that a re-think in vehicle security architectures is overdue.

Simon Moffatt, EMEA director of advanced customer engineering at identity and access management firm ForgeRock, commented: “The BMW zero-day vulnerability that allows VIN session hijacking is yet another example of why an identity-centric approach to connected device management is essential in reducing risk and enhancing user experience. As more and more objects join the Internet of Things, high-end items such as connected cars will become increasingly attractive targets for hackers.

“Whilst manufacturers focus on end user experience and device connectivity, there needs to be a more joined-up approach to security, including a strong focus on device, service and user identity management,” he added. ®