Tag: BMW

  • Hackers Bypass BMW Defenses Through Subdomain Vulnerability

    Cybernews specialists identified two BMW subdomains vulnerable to an exploit allowing malicious actors to redirect users to harmful websites. This vulnerability, named SAP Redirect, affected SAP NetWeaver Application Server Java web servers, enabling the creation of counterfeit links to malicious sites through BMW subdomains.

    The SAP Redirect vulnerability allows a cybercriminal to forge a redirect link by appending the following string to the URL of a vulnerable subdomain:

    sap/public/bc/icf/logoff?redirecturl=https://maliciouswebsite[.]com

    The final URL would appear as:

    https://<…>.bmw.com/sap/public/bc/icf/logoff?redirecturl=https://maliciouswebsite[.]com

    Two vulnerable BMW subsystems were used to access internal BMW dealer systems. Exploiting this flaw could lead to targeted phishing or the spread of malware. The vulnerability allowed attackers to redirect users to a malicious site or inject arbitrary content onto a legitimate site by manipulating the URL parameters of the affected SAP system.

    Although not critical, the error opens up numerous opportunities for phishers targeting company employees or customers. For example, an email could be sent pretending to be from management, requesting some action. If a user opens the link and enters their credentials, attackers could gain access to systems for spreading ransomware or other malicious purposes. The vulnerability could also be used for mass phishing campaigns targeting customers.

    Attackers could exploit the flaw to steal credentials or disseminate malware among unsuspecting users. When a victim clicks on what appears to be a legitimate link, they are redirected to the attacker’s site. At this point, malicious JavaScript is executed in the client’s browser, or the user is prompted to enter confidential information.

    Upon discovering the vulnerability, Cybernews researchers reported it to BMW, and it was promptly rectified. It’s noted that the resolved vulnerability did not compromise systems associated with the BMW Group, nor was there any data leakage or improper use of any data. A BMW representative assured that information security is a priority for the BMW Group. The company states that BMW Group employs multi-level security controls for accessing internal systems.

    To prevent vulnerabilities like SAP Redirect, Cybernews recommends applying SAP patches, adhering to secure coding practices, and regularly conducting security assessments to identify and prevent vulnerabilities. Users should also be cautious when clicking on links, even if the domain looks legitimate.
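
The security assessment recommended above can include two checks, sketched here as an added example (not code from Cybernews, BMW or SAP): validating a redirect target against a host allowlist, and flagging logoff requests in web access logs whose `redirecturl` points off-site. The path and parameter name come from the article; the log format, host names and function names are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Path and parameter as given in the article; everything else is illustrative.
LOGOFF_PATH = "/sap/public/bc/icf/logoff"
REDIRECT_PARAM = "redirecturl"
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (common log format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /sap/public/bc/icf/logoff?redirecturl=https%3A%2F%2Fevil.example.net%2Flogin HTTP/1.1" 302 0',
    '203.0.113.6 - - [01/Jan/2024:10:00:05 +0000] "GET /sap/public/bc/icf/logoff?redirecturl=/start HTTP/1.1" 302 0',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /sap/public/bc/icf/logoff?RedirectURL=//evil.example.net HTTP/1.1" 302 0',
    '203.0.113.8 - - [01/Jan/2024:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 512',
]


def redirect_target_is_safe(target, allowed_hosts):
    """True only for same-site paths or https URLs on an allowlisted host."""
    target = target.strip().replace("\\", "/")  # browsers treat "\" like "/"
    if any(ord(ch) < 0x20 for ch in target):
        return False  # embedded control characters
    try:
        parts = urlsplit(target)
        host = (parts.hostname or "").lower()
    except ValueError:
        return False  # malformed authority, e.g. a broken IPv6 literal
    if not parts.scheme and not parts.netloc:
        return target.startswith("/") and not target.startswith("//")  # same-site path
    if parts.scheme != "https" or parts.username is not None:
        return False  # javascript:, http:, //host and user@host forms
    return host in allowed_hosts


def flag_logoff_redirects(log_lines, allowed_hosts):
    """Return (line_number, target) for logoff requests with an unsafe target."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        request = urlsplit(match.group(1))
        if request.path.lower().rstrip("/") != LOGOFF_PATH:
            continue
        for name, value in parse_qsl(request.query, keep_blank_values=True):
            if name.lower() == REDIRECT_PARAM and not redirect_target_is_safe(
                value, allowed_hosts
            ):
                hits.append((number, value))
    return hits
```

Calling `flag_logoff_redirects(SAMPLE_LOG, {"portal.example.com"})` reports the first and third lines and leaves the same-site `/start` redirect alone.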

  • BMW expands its exploration of solar, geothermal, and hydrogen technologies

    BMW recently revealed that it will expand energy investment to reduce the need to rely on traditional fuels to operate, and earlier, it was stated that it will continue to explore solar, geothermal, and hydrogen energy technologies to build the world’s first car factory that does not rely on traditional fuels at all.


    According to BMW production director Milan Nedelkjovic, BMW plans to increase the proportion of energy used by traditional fuels by adding solar cells and cooperating with the German government’s plan to deliver hydrogen to BMW’s car factory in Leipzig. Outside of Germany, there are plans to build a factory in Debrecen, Hungary, to import solar energy on a large scale, and plans to introduce geothermal heat, so that the car factory can completely get rid of traditional fuels.

    Natural gas accounted for 54% of BMW’s energy use last year, and for 37% across the entire German auto industry. As a result of the Ukraine-Russia war, Germany is currently restricted by the embargo policy on natural gas originating from Russia. The impact on the auto industry, on top of the shortage of semiconductor components, is obvious, and BMW therefore plans to seek alternative energy sources.

    However, compared with wind and solar power, geothermal energy can clearly deliver more stable power conversion. The construction cost is relatively high, though, so at present most manufacturers still focus on solar and wind power generation, where the technology is relatively mature. Even so, many companies still expect to invest in geothermal and hydrogen power generation to obtain higher power conversion benefits.

  • Some new BMW cars do not support CarPlay and Android Auto for the time being

    Over the past year or so, the global chip supply shortage has been widespread, and automotive chips have been hit especially hard, at one point causing major car brands to reduce production and even shut down some production lines. Since the auto manufacturing industry is a pillar industry in many countries, the impact of such shutdowns on the economy is very large. With the joint efforts of all parties, the supply problem for automotive chips has eased, but to protect the production cycle, some automakers are beginning to drop less important functions and to add or switch suppliers to reduce the possible impact of chip supply.
    According to Automotive News Europe, in response to an ongoing shortage of automotive chips, BMW has opted to switch chip suppliers to secure production, but at the cost of some new cars that will temporarily not support Apple’s CarPlay and Google’s Android Auto. It is understood that this is caused by the incompatibility of the new supplier’s chips and needs to wait for a software update to run.

    BMW said consumers don’t need to worry either, and that it plans to provide an OTA update by the end of June at the latest.

    BMW did not specify which models would be affected, how many, or where they would be sold, other than to confirm that cars with “6P1” in the production code do not support CarPlay and Android Auto for the time being. Consumers from the U.S., U.K., Italy, Spain, and France are currently reporting that new cars are purchased without these features.

  • IBM, Panasonic, BMW and Mercedes-Benz withdraw from the CES 2022 exhibition

    CES 2022 will be held on January 4 next year. In addition to online activities, there will also be physical exhibitions in Las Vegas. With the recent severe situation of the COVID-19 epidemic, more and more brands choose not to participate in physical exhibitions. T-Mobile, Meta, Lenovo, Amazon, AT&T, Google, General Motors, Intel, Microsoft, AMD, and MSI have made the same decision before.


    Even though less than a week remains before the opening of CES 2022, more and more brands have chosen to withdraw from the CES 2022 physical exhibition for similar reasons. According to a report from The Verge, IBM, Panasonic, BMW, and Mercedes-Benz have also recently announced their withdrawal from the CES 2022 physical exhibition. The absence of these big brands will cost the exhibition a lot of its color.

    The head of the Consumer Technology Association (CTA), the organizer of the CES exhibition, said that strong security measures will be taken at the CES 2022 physical exhibition, and the virtual exhibition will be provided to people who do not want to or cannot go to the scene. Its mission remains to convene the industry so that those who cannot participate in person can experience the magic of the CES exhibition. At present, the organizer has received cancellation notices from 42 exhibitors, accounting for 7% of the total. Thousands of small and medium-sized companies rely on CES to conduct business, and the number of official exhibitors has increased to more than 2,200.

    At present, the CES organizers require on-site participants to be fully vaccinated and recommend COVID-19 testing. A rapid test area will also be provided on-site.