by Rainer Link, Senior Threat Researcher, Trend Micro
Security vulnerabilities in your car’s “operating system” might seem impossible, but they are already becoming a reality for some car manufacturers.
Earlier this year, German auto club ADAC discovered several security vulnerabilities in BMW’s ConnectedDrive system, a problem that’s estimated to affect 2.2 million BMW vehicles worldwide. According to a statement from ADAC, the vulnerable vehicles were prone to abuse of features like remote services (e.g., opening doors remotely), tracking the vehicle’s current location and car speed via real-time traffic information (RTTI), enabling and changing phone numbers on the emergency call function, and intercepting emails via the BMW ConnectedDrive Store.
BMW quickly acted on ADAC’s findings and allegedly corrected the problem, according to a recent BMW press release, which says the security update is carried out automatically as soon as the vehicle connects to the BMW Group server. The statement also mentions that BMW is increasing the security of data transmission in its vehicles, including encrypting data from the car via HTTPS. Details about the actual security flaws and the patching process have not been published.
Questions Raised By Connected Vehicles
BMW’s ConnectedDrive security problem raises several questions, including:
- How often is a connection to the BMW server made automatically?
- Wasn’t HTTPS already in use since 2010?
- Why wasn’t it enabled for the data being sent/received via ConnectedDrive (GSM)?
- What kind of information could be stolen by an attacker with their own GSM base station?
- Does HTTPS mean SSLv3, TLS 1.0/1.1/1.2?
- Does this mean the BMW Group server was not checked before?
- Is it possible that a malicious “firmware” update entered the BMW car then?
- If the update is silent, how would the car owner know that the vulnerability was fixed?
- Does this mean the owner has no control regarding which updates BMW is performing on this system?
While we don’t yet have answers to these questions, what is clear is that the automotive world is moving away from proprietary closed networks to Ethernet/IP-based networks. For another example, check out Czech car maker Skoda, which recently introduced Skoda SmartGate, a Wi-Fi hotspot that can send more than 40 vehicle data points to your smartphone.
In the past, a vehicle was completely isolated from the outside world like a remote island. The radio was just a “stupid” radio and early generation 8-track, cassette tape, and CD players weren’t much “brighter.” In today’s world, however, infotainment systems combine the latest computer technologies and Internet streaming services to create an experience that rivals technologies we’re using at work and in our homes.
When we think of “always-on devices,” tablets and smartphones come to mind first. But, when you consider that the vehicles carrying us (and our connected devices) from place to place are becoming every bit as sophisticated, they deserve this label, too.
Let’s just hope that auto manufacturers will be smart enough to learn from the IT security mistakes that have graced newspaper headlines over the past several years, so they don’t find themselves (pardon the pun) reinventing the wheel. For more info on this topic, check out “Tracking and Hacking: Security & Privacy Gaps Put American Drivers at Risk.” And, if they aren’t able to make the connection between smartphones and smart cars, let’s hope there are a few savvy VARs and MSPs that can adapt their current IT security skills to address this new, and potentially lucrative, business opportunity.