Mobile By Ryan Whitwam Feb. 2, 2015 2:29 pm
Increased technological convenience often comes with similarly increased risk, and such is the case with BMW’s ConnectedDrive system. Researchers working for German automobile association (ADAC) recently announced they had devised a way to use ConnectedDrive to unlock doors on a wide variety of BMW, Mini, and Rolls Royce vehicles. There’s a patch rolling out now, but still, whoops.
ADAC discovered the vulnerability around the middle of last year, and immediately informed BMW. Presumably the company was sufficiently motivated to fix the problem — less than a year to develop a security patch for a car is actually pretty fast, as depressing as that sounds. In all, over 2.2 million vehicles were affected *by the attack, which relied on the deployment of a fake cell phone base station.
ConenctedDrive vehicles have their own mobile data connections to enable functions like mapping, concierge, and remote management of one’s own car via a mobile device. The fake base station was able to intercept the unencrypted network traffic sent to the car, then use it to generate new commands. Basically, the car thinks the imposter is the owner. Researchers were able to trick the car into unlocking the doors or lowering the windows as there were no security protocols to prevent this access. BMW is careful to stress that the hack did not expose critical vehicle functionality like braking or steering.
There’s no evidence this vulnerability was being used in the wild, but BMW still managed to develop a ConnectedDrive update rather quickly (again, for a car company). The update should be installed the next time a vulnerable vehicle connects to BMW’s online services. The patch is little more than enabling HTTPS for all connections, which you’d think BMW’s engineers would have done in the first place, but apparently not.
BMW is framing this incident as an example of its commitment to improving security, which I suppose is true enough. However, connecting cars to the internet will always result in additional security woes. Mistakes like failing to implement HTTPS can’t be allowed to happen.
Now read:*BMW’s new armored X5 SUV can stop AK-47 bullets
More...
ADAC discovered the vulnerability around the middle of last year, and immediately informed BMW. Presumably the company was sufficiently motivated to fix the problem — less than a year to develop a security patch for a car is actually pretty fast, as depressing as that sounds. In all, over 2.2 million vehicles were affected *by the attack, which relied on the deployment of a fake cell phone base station.
ConenctedDrive vehicles have their own mobile data connections to enable functions like mapping, concierge, and remote management of one’s own car via a mobile device. The fake base station was able to intercept the unencrypted network traffic sent to the car, then use it to generate new commands. Basically, the car thinks the imposter is the owner. Researchers were able to trick the car into unlocking the doors or lowering the windows as there were no security protocols to prevent this access. BMW is careful to stress that the hack did not expose critical vehicle functionality like braking or steering.
There’s no evidence this vulnerability was being used in the wild, but BMW still managed to develop a ConnectedDrive update rather quickly (again, for a car company). The update should be installed the next time a vulnerable vehicle connects to BMW’s online services. The patch is little more than enabling HTTPS for all connections, which you’d think BMW’s engineers would have done in the first place, but apparently not.
BMW is framing this incident as an example of its commitment to improving security, which I suppose is true enough. However, connecting cars to the internet will always result in additional security woes. Mistakes like failing to implement HTTPS can’t be allowed to happen.
Now read:*BMW’s new armored X5 SUV can stop AK-47 bullets
More...
