BMW fixes security flaw in 2.2 million car software

A security vulnerability in the BMW Connected Drive system allowed security experts to send remote unlocking instructions to the cars.

Modern cars are complex systems composed of several components interconnected by internal networks, each system within these architectures is exposed to the risk of cyber attacks.

Recently the German carmaker BMW has fixed a security flaw that could be exploited by hackers to unlock the doors of the vehicles, it has been estimated that up to 2.2 million BMW, Mini and Rolls-Royce. The company confirmed that officials at German motorist association ADAC had discovered the security flaw, which affects vehicles equipped with the BMW ConnectedDrive software using on-board SIM cards.

“They were able to reverse engineer some of the software that we use for our telematics,” explained Dave Buchko , a BMW spokesman. “With that they were able to mimic the BMW server.”

The system designed by BMW allows the owner of the vehicle to authenticate himself to the car by using a mobile device.

“BMW drivers can use the software and SIM cards to activate door locking mechanisms, as well as a range of other services including real-time traffic information, online entertainment and air conditioning.” reported the Reuters.

The security issue is related to the unsecured transmission of data between the driver and the vehicle, by highlighting that it did not impede the car’s critical functions of driving, steering or braking.

“ADAC’s security researchers were able to simulate the existence of a fake phone network, which BMW cars attempted to access, allowing hackers to manipulate functions activated by a SIM card.” continues the news Agency.

BMW confirmed that there were no news of attacks that exploited the flaw recently fixed to compromise the security of a vehicle. The update process will start from vehicles in the US and will be extended to the other countries progressively.

The security update basically implements HTTPS encryption for the connection between the driver’s mobile device and the BMW car. As explained by the experts the encryption will ensure that the car only accepts connections from a server that will present the correct security certificate.

“BMW said it had taken steps to eliminate possible breaches by encrypting the communications inside the car using the same HTTPS (Hypertext Transfer Protocol Secure) standard used in Web browsers for secure transactions such as ecommerce or banking.” report the Reuters.

The update process is automatic, the ConnectedDrive software will be upgraded when the vehicle connects up to the BMW Group server, anyway driver can also manually update their systems.

“The online capability of BMW Group ConnectedDrive allowed the gap to be closed quickly and safely in all vehicles,” BMW said. “There was no need for vehicles to go to the workshop.”

The security update released by BMW raises the debate on the security level offered by principal car vendors, we have discussed many times of car hacking and possible consequences of a cyber attacks.

Cybersecurity experts have criticized the approach of the automotive industry to the cyber security, explained the numerous way exploitable by ill-intentioned to compromise a vehicle.

The danger, they say, is that once external security is breached, hackers can have free rein to access onboard vehicle computer systems which manage everything from engines and brakes to air-conditioning.

The possible consequences are really serious, an attacker could remotely harm the driver by compromising a vehicle or by implanting a cheap device that could represent the entry point to the vehicle’s network.

It is time to consider security by design for the automotive industry.

Pierluigi Paganini

(Security Affairs –  BMW, car hacking)