- With its Digitalization and IT Research Award, the BMW Group honors pioneering research in the field of computer engineering. The first award of its kind goes to the Chinese cybersecurity research team Tencent Keen Security Lab, honoring their work in advancing automotive security.
The BMW Group has been an early driver of the digital transformation in the automotive industry, always intent on meeting the continuously changing needs of its customers. With regards to digital transformation, both the BMW Group and the entire automotive industry stand to benefit from the ongoing research in computer engineering. The award honors pioneering research in software development and information technology, specifically in artificial intelligence, big data, internet of things, cybersecurity, connectivity and autonomous driving.
Connectivity and cybersecurity
With BMW ConnectedDrive, the BMW Group has been the leading automaker in intelligent connectivity for 20 years. The expansion of connectivity and services, together with automated driving and e-mobility, is among the key areas of activity the BMW Group has defined in its Strategy NUMBER ONE > NEXT with the aim of driving the transformation. More than ten million connected cars have already been put on the road worldwide. The increasing lineup of connectivity services and features ranges from real-time traffic information, hazard warnings and emergency call systems to the integration of apps and remote services connected to mobile or smart home devices. Security and privacy are two key elements in the BMW Group’s product development process, driving connectivity within and beyond the vehicle. Along with increasing functionality and rapid technological progress in vehicle development, electronics and consumer devices, the complexity of the overall system also increases. In response to what has become a race between technological progress and new, presently unknown attack scenarios, the BMW Group has launched a comprehensive cybersecurity action plan, which includes tests conducted both internally by the BMW Group and with the help of independent institutions. Third parties increasingly play a crucial role in improving automotive security as they conduct their own in-depth tests of products and services.
Tencent Keen Security Lab
Keen Security Lab, a professional security research lab under Tencent Holdings Limited, is a globally renowned and respected security research team whose highly specialized researchers have more than ten years of experience in cybersecurity for PCs and mobile devices. Tencent Keen Security Lab is actively involved in internal research and the development of security enhancement recommendations for the portfolio of online services, including social, payment, games and cloud, provided by its parent company, Tencent Group. Keen Security Lab believes transparency, sharing and industry cooperation are essential to foster a safe and secure world as the Internet becomes increasingly ubiquitous and entrenched in our everyday lives.
In recent years, Tencent Keen Security Lab expanded capabilities in new research areas including connected/intelligent cars, IoT products, cloud computing and virtualization, as well as AI. A major research focus of Tencent Keen Security Lab is automotive security, a field in which the company has partnered up with leading players. The company supports the advancement of security features of intelligent connected cars by publishing substantial research and supporting automakers in technological and technical development matters. Tencent Keen Security Lab believes its research objective and results will be beneficial to improving road safety for hundreds of millions of drivers, passengers and pedestrians in many countries.
“We want to contribute our comprehensive expertise and in-depth understanding of vehicle technologies to improving the development processes and security guidelines in the automotive industry, providing a shared benefit for OEMs and customers,” states Sen Nie, Lead Researcher of Vehicle and IoT Security Research.
The award-winning research
Between January 2017 and February 2018, Tencent Keen Security Lab experts conducted comprehensive tests with various BMW models. In doing so, they focused on head unit and T-Box components of different generations. “BMW belongs to the top 5% in automotive IT-security, which made it a highly challenging task for our sophisticated team,” says Samuel Lv, Director of Tencent Keen Security Lab. After 13 months the team of researchers informed the BMW Group about their comprehensive findings on 14 different vulnerabilities directly (Responsible Disclosure). Nine of the attack scenarios required a physical connection in the car or a location in the direct vicinity of the vehicle. Five attack scenarios were based on a remote connection using the mobile telephone network. After gaining access to the head unit and T-box components, Tencent Keen Security Lab executed specifically developed exploits and in this way was able to gain control of the CAN buses to trigger arbitrary, unauthorized diagnostic vehicle functions remotely. The tests were always run in a controlled environment on the premises of Tencent Keen Security Lab. Identifying, preparing and implementing attack scenarios via mobile network requires comprehensive expertise. Tencent Keen Security Lab team managed to implement these complex and sophisticated exploit chains. The BMW Group is convinced that the study presented constitutes by far the most comprehensive and complex testing ever conducted on BMW Group vehicles by a third party.
Promptly after the internal verification of the findings, the BMW Group’s Automotive Security Team contacted Tencent Keen Security Lab to confirm the findings and started developing measures. Subsequently, these upgrades were rolled out in the BMW Group backend and uploaded to the telematics control units via over the air connection. The BMW Group develops additional software updates, which as usual will be made available for customers at BMW dealerships. With the collaboration of the two parties, the security updates developed by BMW Group improve the security level of BMW’s products and services for the customers’ benefit.
For this outstanding research work, Tencent Keen Security Lab has been selected as the first winner of the BMW Group Digitalization and IT Research Award. “With this award we want to honor the experts who support us in the transformation towards digitalized mobility,” explained Christoph Grote, Senior Vice President Electronics BMW Group, when he presented the award to the research team of Tencent Keen Security Lab at BMW Group China’s offices in Beijing. “We thank Tencent Keen Security Lab for their tremendous effort, their sophisticated research and the highly professional collaboration.” Tencent Keen Security Lab will make a summary of the research findings available. A joint technical report detailing the vulnerabilities, exploit chains and implemented measures will be published by the two parties next year.
In an increasingly digitalized and connected world, security is key. The merging of interfaces between different consumer devices, as well as between devices and their surroundings, generates new advantages for customers and even significant benefits for society. At the same time, however, these interfaces open up the potential of access and manipulation for illegal malicious attacks. Based on the successful cooperation, Tencent Keen Security Lab and the BMW Group are discussing options for joint in-depth research and development activities. Talks on the design of a future cooperation were held at the award ceremony. The joint research will focus on the security of Android embedded systems, and on autonomous driving security and testing. Additionally, consulting services on security in over-the-air software update mechanisms are within the scope of future collaboration.