German automaker BMW has confirmed it has pushed a software update to its ConnectedDrive suite of remote telematics and navigation solutions to patch a severe security flaw which made it possible for hackers to access and control locking functions of customers’ cars.
The flaw, which lay in the unsecured communications protocol used by ConnectedDrive-enabled cars to communicate with BMW’s dedicated ConnectedDrive servers over a cellular connection, is believed to have affected an estimated 2.2 million BMW, MINI and Rolls-Royce vehicles including the BMW i3 and i8 plug-in cars.
Discovered by the German Automobile Club Allgemeiner Deutscher Automobil-Club (ADAC), the un-patched security flaw allowed hackers to imitate BMW’s own ConnectedDrive servers, allowing ADAC researchers to remotely lock, unlock and remotely query the status of several different models of BMW cars.
“They were able to reverse engineer some of the software that we use for our telematics,” BMW spokseperson Dave Buchko told PCWorld on Friday. “With that, they were were able to mimic the BMW server.”
Although remote telematics and control have been historically used by automakers to allow electric and plug-in hybrid owners the ability to pre-condition their cars, control charging functionality and provide remote unlocking capabilities, the technology is now used in many mainstream models to allow users to enjoy up-to-date maps, find convenient parking and keep track of traffic problems.
According to several reports including the ADAC’s investigation, BMW’s original ConncetedDrive software had relied on plain-text or ‘in-the-clear’ http communication between car and server, making it possible for a man-in-the middle or server spoofing attack. The fix? Switching from the insecure http protocol to the more secure https protocol.
Unlike http, https connections cannot be made without first authenticating the identity of the server, making them harder — but not impossible — to hack.
In an official statement made to Transport Evolved yesterday, Buchko confirmed that BMW has successfully completed the patching of its servers, while an update will be shortly rolled out to all affected vehicles.
As the leading manufacturer in the networking of driver, vehicle and the surrounding environment, the BMW Group is increasing the security of data transmission in its vehicles. This is the company’s response to reports from the German Automobile Association (ADAC). The motorist’s association had identified a potential security gap when data is transmitted. The experts from the ADAC had put the company through a strategic review as market leader in vehicle networking. This check revealed a potential security gap affecting the transmission path via the mobile phone network. BMW Group hardware was not impacted. Access to functions relevant to driving was excluded at all times, and no personal customer data was compromised.
The BMW Group has a new configuration to close this gap. The update is carried out automatically or when the driver manually updates BMW Assist/ConnectedDrive. The online services of BMW Group ConnectedDrive communicate with this configuration via the HTTPS protocol (HyperText Transfer Protocol Secure) which had previously been used for the service BMW Internet and other functions. The BMW Group ConnectedDrive packages in the vehicle are thereby using encryption which in most cases is also being used by banks for online banking. On the one hand, data are encrypted with the HTTPS protocol, and on the other hand, the identity of the BMW Group server is checked by the vehicle before data are transmitted over the mobile phone network.
Updates for all vehicles, including BMW i3s and i8s have begun and will continue until all vehicles receive the update.
Customers with questions should contact BMW Customer Relations at 1-800-831-1117 or email [email protected].
BMW isn’t the first automaker to suffer a security flaw of its remote telematics service. Back in 2011, a flaw with Nissan’s CARWINGS system meant that a carefully-coded website could extract location and speed of any LEAF driver connected to it. Then last year, a team of hackers succeeded in remotely accessing and unlocking a Tesla Model S at a security conference in China.
With more cars than ever before offering connected services using built-in cellular connections to the Internet, we’re doubtful this latest flaw will be the last — but as with any Internet-connected device, there will always be an element of risk for any connected car, regardless of how careful or diligently its parent company is.
For the most part, security risks do seem to be addressed pretty quickly as and when they occur, so to be sure you’re not at risk we have three very simple pieces of advice if you want to benefit from the advantages of having an Internet-connected car.
1) Make sure the password you use to connect your car to its manufacturer’s service is both secure, private, and difficult to break. Using a hard-to-guess, unique, long, randomly-generated password gives you the best protection.
2) Keep your car up-to-date, reading owners forums and manufacturer recalls carefully to ensure your car has the latest, most secure software. Where possible too, apply a critical eye to release notes to make sure that the new update really is better for your car.
3)If your car’s manufacturer offers password-retrieval questions — such as your mother’s maiden name or the name of your first pet — be sure to use unique, made-up information that is hard for others to guess. This helps prevent social engineering attacks.
You can also support us directly as a monthly supporting member by visiting Patreon.com.