16th October 2019 Issue no. 479
Your industry news - first
BMW hack - fact or hype?
In recent days BMW have made the headlines. Experts from ADAC (the German Automobile Association) announced that they have managed to 'hack' BMW's ConnectedDrive - but is this true and if so, should we be worried?
- Experts from ADAC (the German Automobile Association) checked BMW's ConnectedDrive and say they have revealed a potential security gap affecting the transmission path via the mobile phone network.
- However, this was not a 'real world' attack motivated by criminal intent - ADAC are on the side of the 'good guys' and were undertaking a strategic review as BMW are a market leader in vehicle networking.
- The security gap is real and demonstrates that OEMs need to look at the full end to end design of their connected services to ensure all potential weaknesses are identified, managed and tested.
To help OEMs meet these challenges, SBD and NCC Group have entered into a strategic partnership to improve automotive cyber security and together we have created the Automotive Secure Development Lifecycle (ASDL) to help vehicle manufacturers and their suppliers mitigate cyber security risks when developing connected cars.
The ASDL incorporates international standards, OEM specific standards and best practice guidance using sound engineering principles. The seven-step process includes system/design architecture, definition of what is being protected, threat modelling, counter measures, best practice guidance, penetration testing and incidence response.
According to the BBC: BMW has patched a security flaw that left 2.2 million cars, including Rolls Royce and Mini models, open to hackers. The flaw affected models fitted with BMW's ConnectedDrive software, which uses an on-board Sim card. The software operated door locks, air conditioning and traffic updates but no driving firmware such as brakes or steering, BMW said.
No cars have actually been hacked, but the flaw was identified by German motorist association ADAC. ADAC's researchers found the cars would try to communicate via a spoofed phone network, leaving potential hackers able to control anything activated by the Sim. The patch, which would be applied automatically, included making data from the car encrypted via HTTPS (HyperText Transfer Protocol Secure) - the same security commonly used for online banking, BMW said.
"On the one hand, data are encrypted with the HTTPS protocol, and on the other hand, the identity of the BMW Group server is checked by the vehicle before data are transmitted over the mobile phone network," it said in a statement.
This should have already been in place, said security expert Graham Cluley. "You would probably have hoped that BMW's engineers would have thought about [using HTTPS] in the first place," he wrote on his blog. "If you are worried that your vehicle may not have received the update (perhaps because it has been parked in an underground car park or other places without a mobile phone signal, or if its starter battery has been disconnected) then you should choose "Update Services" from your car's menu."
11th February 2015