BMW sent a press release out today partially titled "BMW Group ConnectedDrive increases data security." This is technically true, but doesn't quite get at the core issue: data security was 'increased' because there had been almost none. The German Automobile Association (ADAC) discovered this when they were able to wirelessly access BMW car systems.
By essentially setting up a false cellular phone network that the cars attempted to connect to, ADAC was able to reach BMW's SIM card-based ConnectedDrive system, which is installed on up to 2.2 million BMWs, Minis, and Rolls-Royces. From there, the group could use essentially any of the functions available via ConnectedDrive, which include manipulating HVAC settings, getting information about the car and its condition, and, most alarmingly, unlocking the doors.
This may also be the first instance of a successful car hack that did not involve any direct, physical contact with the car or the car's electronics.
It should be mentioned that ADAC was requested to test the system for security holes by BMW, and held off releasing their findings until BMW had a fix ready to go. So far, no known malicious use of this hole has occurred, and it wouldn't affect any critical driving or car-control systems. Still, it would allow an unauthorized person to open the car, or, if they're just feeling more puckish and less criminal, to do things like make your A/C keep turning on and off until you want to scream.
ADAC even made a little video of their experiment:
The primary reason that ADAC was able to have so much control over the car once initial access was achieved is that none of the data or command streams sent to and from the car used any form of security or encryption. The data uses conventional HTTP protocols and the same sort of connection your cell phone uses, which is why BMW's 'fix' is implementing the same HTTPS protocol that, say, your web browser uses when you order something from Amazon.
BMW describes the fix, which has already been pushed out to affected cars automatically, like this:
The update is carried out automatically as soon as the vehicle connects up to the BMW Group server or the driver calls up the service configuration manually. The online services of BMW Group ConnectedDrive communicate with this configuration via the HTTPS protocol (HyperText Transfer Protocol Secure) which had previously been used for the service BMW Internet and other functions. The BMW Group ConnectedDrive packages in the vehicle are thereby using encryption which in most cases is also being used by banks for online banking. On the one hand, data are encrypted with the HTTPS protocol, and on the other hand, the identity of the BMW Group server is checked by the vehicle before data are transmitted over the mobile phone network.
If HTTPS, which is certainly well-known, established, and well understood in the IT world, was already in place for the "service BMW Internet and other functions," the question remains why this very basic security precaution was not used for all ConnectedDrive traffic.
I posed this question to BMW, and am currently awaiting an answer.
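The two properties BMW's statement names, encryption and the vehicle checking the server's identity, can be audited separately on any client. The sketch below is an added example, not BMW's or ADAC's code; the function names and the `telematics.example` URL are assumptions made for illustration.

```python
import ssl
from urllib.parse import urlsplit

# Constructed sample endpoint; not a real ConnectedDrive address.
SAMPLE_HOST = "telematics.example/config"

def vehicle_tls_context(ca_file=None):
    """Client context that both encrypts and authenticates the server."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def encrypt_only_context():
    """Weak profile: TLS is negotiated but the peer is never authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit_client(url, ctx):
    """List the weaknesses that leave traffic exposed on an untrusted network."""
    if urlsplit(url).scheme.lower() != "https":
        return ["plaintext transport: no encryption and no server authentication"]
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate not verified: any server can terminate the session")
    if not ctx.check_hostname:
        findings.append("hostname not checked: a certificate for another name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings

def audit_profiles():
    """Run the audit over three constructed client profiles."""
    return {
        "http": audit_client("http://" + SAMPLE_HOST, None),
        "encrypt-only": audit_client("https://" + SAMPLE_HOST, encrypt_only_context()),
        "verified": audit_client("https://" + SAMPLE_HOST, vehicle_tls_context()),
    }

if __name__ == "__main__":
    for name, findings in audit_profiles().items():
        print(name, "->", findings or "ok")
```

The encrypt-only profile matters because a network the client cannot trust can present its own certificate; only the verified profile covers both halves of the fix as BMW describes it.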
ADAC's response to this pretty large security hole is as follows, and sounds a bit more dramatic in machine-translation:
The ADAC demands that computer technology in the car is timely protected from manipulation and illegal access. This protection must be based on standards as they are in other industries (eg. As IT industry) has long been customary. Moreover, this protection by a neutral body needs to be confirmed by about Common Criteria certification of the Federal Office for Information Security (BSI) in Bonn.
Their point that this basic sort of encryption has been standard in the IT world and should have, by default, been implemented here is a very valid one. At this point, we're not certain why BMW did not implement HTTPS encryption (at least) for data being sent to and from the car via public cellular networks. The ConnectedDrive basic hardware is essentially a data-capable cellphone, the kind of device that is used to send encrypted, sensitive data safely every day.
We'll update this story with BMW's response as soon as we receive it.
According to ADAC, these are the affected vehicles:
All models with ConnectedDrive production from March 2010 to December 8, 2014, including
BMW
1 Series Convertible, Coupé and Touring (E81, E82, E87, E88, F20, F21)
2 Series Active Tourer, Coupé and Convertible (F22, F23, F45)
3 with Convertible, Coupe, GT, Touring and M3 (E90, E91, E92, E93, F30, F31, F34, F80)
4 Series Coupe, Convertible, Gran Coupe and M4 (F32, F33, F36, F82, F83)
5 Series GT and Touring (F07, F10, F11, F18)
6 with convertible and Gran Coupe (F06, F12, F13)
7 Series (F01, F02, F03, F04)
I3 (I01), I8 (I12)
X1 (E84)
X3 (F25), X4 (F26)
X5 (E70, F15, F85), X6 (E71, E72, F16, F86), Z4 (E89)
Mini
Three-door and five-door hatchback (F55, F56)
Rolls Royce
Phantom Coupe and Drophead Coupe with (RR1, RR2, RR3)
Ghost (RR4)
Wraith (RR5)
In Germany, 423,000 vehicles are affected; in Europe 1.2 million and 2.2 million worldwide. Vehicles with production date from 9 December 2014 or later no longer have the manufacturer on these vulnerabilities.
The conversion of the affected vehicles to encrypted communication is carried out by BMW over the air and should be operational by January 31, 2015 largely achieved. It is not a workshop visit required, there will be no hardware or software replaced.
BMW has informed the Federal Motor Transport Authority (KBA) in their own words.