BMW fixes security flaw, halts potential hacker threat

Flaw with ConnectedDrive could allow hackers access to on-board user authentication

Published: February 7, 2015, 10:30 PM
Updated: April 28, 2018, 9:36 PM


BMW is addressing a glitch with its ConnectedDrive system that made the vehicle susceptible to theft by hackers. The flaw highlights a concern that security experts have raised for some time as cars become more connected to outside sources.

The security flaw came to light in testing by the German Automobile Association (ADAC), which had been studying BMW’s onboard systems in light of the automaker’s leading-edge networking capabilities. BMW is not aware of any real-world cases involving the flaw.

If you’ve seen those films where hackers sneak into a secure system by a “back door,” that’s basically the way hackers could circumvent a BMW’s security measures and go as far as stealing the vehicle.

The ConnectedDrive system links a vehicle to the BMW server to allow such emergency procedures as remotely unlocking the doors if the owner is locked out of the vehicle. It also connects to local networks to download real-time traffic and weather data. It uses onboard SIM (Subscriber Identity Module) cards to recognize the vehicle user and move data to BMW personnel authorized to carry out some of the functions remotely.

ADAC found that hackers could theoretically create a fake mobile phone network to which the vehicle would attempt to connect, and in so doing access data on the SIM cards, at which point they could carry out some of the vehicle functions such as unlocking the doors (which would then disable the vehicle’s security system).

None of the hardware was at risk, nor were driving functions such as the various electronic driving aids found on most of today’s cars (for those concerned that hackers will be able to remotely sabotage a vehicle driving in autonomous mode).

The bug fix was carried out remotely via connection to the secure BMW Group servers, and there was no need for cars to go into the shop. The fix involves switching data transmission over to Hypertext Transfer Protocol Secure (HTTPS), which is also used for banking and many other sensitive data transfers online. The vehicle also confirms the identity of the BMW Group server before initiating any data transfer via the mobile phone network.
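As an added illustration (not BMW's code, and not from the original article), the Python sketch below shows the general form of that fix: a TLS client that authenticates the server during the handshake, next to an encrypted-but-unauthenticated configuration that it refuses to use. The function names and the `host` parameter are hypothetical.

```python
import socket
import ssl


def hardened_client_context(cafile=None):
    """TLS client context that authenticates the server during the handshake."""
    # create_default_context() sets CERT_REQUIRED and check_hostname=True.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def unauthenticated_client_context():
    """Weak setting: traffic is encrypted, but any server is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_client_context(ctx):
    """Return the reasons this context cannot prove who the server is."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched to the server name")
    return findings


def send_command_request(ctx, host, payload, port=443, timeout=10):
    """Send payload only after the server has been authenticated.

    host is a hypothetical backend name supplied by the caller.
    """
    findings = audit_client_context(ctx)
    if findings:
        raise ValueError("refusing to connect: " + "; ".join(findings))
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # wrap_socket() completes the handshake; a server whose certificate
        # fails validation raises ssl.SSLCertVerificationError here, before
        # any application data has been written.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(payload)
            return tls.recv(4096)
```

Passing a private CA file as `cafile` restricts trust to the operator's own certificate authority instead of the system store.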

Experts say that as vehicles get increasingly connected, problems such as these will become more frequent. Already there have been reports of high-tech thieves tapping into onboard systems to mimic the keyless transponders some of today’s vehicles use. They can then open a vehicle’s doors, disable the security systems, and drive the vehicle away without the use of a physical key or the high-tech key fob that owners are told never has to leave their pockets.