BMW increases ConnectedDrive security after potential security gap reported by ADAC

[Scandic24]

     Featured on BIMMERPOST.com

BMW Group ConnectedDrive increases data security. Rapid response to reports from the German Automobile Association ADAC.

30.01.2015

Munich. As the leading manufacturer in the networking of driver, vehicle and the surrounding environment, the BMW Group is increasing the security of data transmission in its vehicles. This is the company’s response to reports from the German Automobile Association (ADAC). The motorist’s association had identified a potential security gap when data is transmitted. The BMW Group has already closed this gap with a new configuration.

The experts from the ADAC had put the company through a strategic review as market leader in vehicle networking. This check revealed a potential security gap affecting the transmission path via the mobile phone network. BMW Group hardware was not impacted. The online capability of BMW Group ConnectedDrive allowed the gap to be closed quickly and safely in all vehicles. Access to functions relevant to driving was excluded at all times. There was no need for vehicles to go to the workshop.

The update is carried out automatically as soon as the vehicle connects up to the BMW Group server or the driver calls up the service configuration manually. The online services of BMW Group ConnectedDrive communicate with this configuration via the HTTPS protocol (HyperText Transfer Protocol Secure) which had previously been used for the service BMW Internet and other functions. The BMW Group ConnectedDrive packages in the vehicle are thereby using encryption which in most cases is also being used by banks for online banking. On the one hand, data are encrypted with the HTTPS protocol, and on the other hand, the identity of the BMW Group server is checked by the vehicle before data are transmitted over the mobile phone network.

In this way, the BMW Group has responded promptly and increased the security of BMW Group ConnectedDrive, because no cases have come to light yet in which data has been called up actively by unauthorised persons from outside or an attempt of this kind is made in the first place.

[Ganxxta]

To be honest, the title should have been: "ConnectedDrive hacked", not "increases security"...

Was only a matter of time until somebody would use the remote services through a hack

WTF was BMW thinking to use a not encrypted connection in the first place -.-

[b33g33]

BMW press release reveals German Automobile Association (ADAC) findings that Connected Drive equipped Bimmers and MINIs are susceptible to being accessed by unauthorized cellular users who then have access to all ConnectedDrive features.

BMW has apparently released a fix (not sure if it will be available in the US OTA as the press release indicates).

BMW Press Release: (https://www.press.bmwgroup.com/globa...tem=node__5238)

Quote:

BMW Group ConnectedDrive increases data security. Rapid response to reports from the German Automobile As-sociation ADAC.
30.01.2015Contained media data:
1 Attachment
Munich. As the leading manufacturer in the networking of driver, vehicle and the surrounding environment, the BMW Group is increasing the security of data transmission in its vehicles. This is the company’s response to reports from the German Automobile Association (ADAC). The motorist’s association had identified a potential security gap when data is transmitted. The BMW Group has already closed this gap with a new configuration.
The experts from the ADAC had put the company through a strategic review as market leader in vehicle networking. This check revealed a potential security gap affecting the transmission path via the mobile phone network. BMW Group hardware was not impacted. The online capability of BMW Group ConnectedDrive allowed the gap to be closed quickly and safely in all vehicles. Access to functions relevant to driving was excluded at all times. There was no need for vehicles to go to the workshop.
The update is carried out automatically as soon as the vehicle connects up to the BMW Group server or the driver calls up the service configuration manually. The online services of BMW Group ConnectedDrive communicate with this configuration via the HTTPS protocol (HyperText Transfer Protocol Secure) which had previously been used for the service BMW Internet and other functions. The BMW Group ConnectedDrive packages in the vehicle are thereby using encryption which in most cases is also being used by banks for online banking. On the one hand, data are encrypted with the HTTPS protocol, and on the other hand, the identity of the BMW Group server is checked by the vehicle before data are transmitted over the mobile phone network.
In this way, the BMW Group has responded promptly and increased the security of BMW Group ConnectedDrive, because no cases have come to light yet in which data has been called up actively by unauthorised persons from outside or an attempt of this kind is made in the first place.

ADAC link: http://www.adac.de/infotestrat/techn...spx#tabid=tab1

Quote:

The ADAC has found vulnerabilities in BMW vehicles with the equipment ConnectedDrive. As a result, the cars can be opened after a single preparation via mobile phone within minutes from the outside, without this leaves traces. According to BMW them are over 2.2 million vehicles a number of model series of the Group brands BMW, Mini and Rolls Royce affected (see below).
The ADAC emphasizes that he has not conducted a full safety review of BMW cars or even the entire company. For this was before no job and this is the responsibility of the respective manufacturer.

Finally, analysis on Jalopnik: http://jalopnik.com/millions-of-conn...ata-1682795531

[greekcs]

I'd like to find said hacker and offer them money for a remote start feature.

[abirmaher]

Quote:

Originally Posted by greekcs

I'd like to find said hacker and offer them money for a remote start feature.

Hahaha

[sputman]

+1... Heck +99 for remote start!

They disable features like variable light distinction for North America, perhaps they could just make remote start a possibility and disable it for Europe.

[eeghie]

Not just BMW, from now, anyone with bad intentions can "assist" you. Hopefully this is the last security glitch.

Hail to pure analogue fun.

[Dackelone]

Here is the ADAC video... (sorry its in German)

[eeghie]

Quote:

Originally Posted by Dackelone

Here is the ADAC video... (sorry its in German)

Interesting statement in the video is that BMW is said to have been applying the remote updates for this glitch already from 8 december 2014 onwards.

Hopefully this means that all affected cars that had their battery connected and were within mobile range since December '14 are no longer vulnerable?

[Dackelone]

Quote:

Originally Posted by eeghie

Interesting statement in the video is that BMW is said to have been applying the remote updates for this glitch already from 8 december 2014 onwards.

Hopefully this means that all affected cars that had their battery connected since December '14 are no longer vulnerable?

Yes, BMW AG had ADAC conduct "tests" to see IF the connected drive system could be hacked. And it could!!! Then BMW AG asked ADAC not to public with the results of their findings - until BMW could address their vulnerability. BMW AG has come out with an update/patch on Dec 8th. Now ADAC has started to report their findings - while BMW has "fixed" this security gap.

[aussiem3]

This is all about stakeholders working together and in partnership. Good outcome.

[BrokenVert]

Quote:

Originally Posted by Dackelone

Yes, BMW AG had ADAC conduct "tests" to see IF the connected drive system could be hacked. And it could!!! Then BMW AG asked ADAC not to public with the results of their findings - until BMW could address their vulnerability. BMW AG has come out with an update/patch on Dec 8th. Now ADAC has started to report their findings - while BMW has "fixed" this security gap.

I really dont understand why this isnt the first line of any statement on the issue. BMW did the right thing here. They thought they had a problem, so they worked with an outside entity to confirm. And when the confirmation came they didnt try to bury it. Thats responsible of them.


That being said, it would be nice if the fix didnt simply involve using typical HTTP encryption.

[Diver]

Widely reported. The good news is it can be fixed remotely.

[teamwerx]

Quote:

Originally Posted by greekcs

I'd like to find said hacker and offer them money for a remote start feature.

So true

[ManiacGT]

So, March 2010 cars onwards. In other words combox cars. So pre combox cars are also likely insecure but they can't update those remotely like they can combox cars. So anyone with PRE MARCH 2010 NEWER STYLE IDRIVE is likely STILL AT RISK. Nice.

[Ulmi]

Quote:

Originally Posted by Dackelone

Yes, BMW AG had ADAC conduct "tests" to see IF the connected drive system could be hacked. And it could!!! Then BMW AG asked ADAC not to public with the results of their findings - until BMW could address their vulnerability. BMW AG has come out with an update/patch on Dec 8th. Now ADAC has started to report their findings - while BMW has "fixed" this security gap.

Quote:

Originally Posted by BrokenVert

I really dont understand why this isnt the first line of any statement on the issue. BMW did the right thing here. They thought they had a problem, so they worked with an outside entity to confirm. And when the confirmation came they didnt try to bury it. Thats responsible of them.


That being said, it would be nice if the fix didnt simply involve using typical HTTP encryption.

Do you have any source for your version of the story?
As far as I know, the test was conducted by the ADAC, in order to find out if normal workshop have disadvantages in repairing a vehicle equipped with connected drive.

please don’t turn the story in BMW propaganda style…

„Ein vom ADAC beauftragter Sicherheitsexperte entdeckte eine Lücke“

http://www.heise.de/newsticker/meldu...t-2533601.html

[e90-328i]

Quote:

Originally Posted by Ulmi

Quote:

Quote:

Do you have any source for your version of the story?
As far as I know, the test was conducted by the ADAC, in order to find out if normal workshop have disadvantages in repairing a vehicle equipped with connected drive.

please dont turn the story in BMW propaganda style

Ein vom ADAC beauftragter Sicherheitsexperte entdeckte eine Lcke

http://www.heise.de/newsticker/meldu...t-2533601.html

How would I/we know if our car has been updated?
Not that I don't trust car manufacturers,,,, ok, I don't.

[CP 1///M]

Any version number to check for before and after the number in iDrive?

[Flying Ace]

The update is carried out automatically as soon as the vehicle connects up to the BMW Group server or the driver calls up the service configuration manually.


So this implies that there is some type of auto update for the new security features. However, on my car, I don't use ConnectedDrive at all. I never have and never will as I don't use an iphone device. How do I get an update in this case?

[CP 1///M]

Same here - and my car was from out of province so I don't even know if the SIM works anymore as I never tried it

[fecurtis]

Didn't they already resolve many of these issues with an OTA update last week?

Plus, someone will look at that article and notice that they use "beemer" instead of "bimmer"...