BMW has fixed a flaw in the in-car software that manages its vehicles’ internal communication. The flaw could have made 2.2 million vehicles, including Rolls-Royce, Mini and BMW models, vulnerable to hacking.
Bavarian Motor Works, or BMW, from Germany is considered the epitome of luxury and performance. The carmaker, based in Munich, Bavaria, has been in the car business for some 70-odd years and manufactures high-quality luxury cars such as Rolls-Royce, Mini and BMW models, as well as motorcycles, for a world market.
Since BMWs are considered among the safest cars you can buy in terms of performance, the brand has been held up as a symbol of reliability. But the Allgemeiner Deutscher Automobil-Club (ADAC) thinks otherwise. A team of researchers from ADAC found that BMW cars were vulnerable to hijacking due to a vulnerability in their wireless system. The ADAC researchers discovered that the security vulnerability in BMW’s ConnectedDrive system allows an attacker to imitate BMW servers and send remote unlocking instructions to vehicles, making it easier to steal them.
The problem was discovered by the Allgemeiner Deutscher Automobil-Club (ADAC), a German motoring association, and was verified on several models of BMW cars.
The attack took advantage of a feature that allows drivers who have been locked out of their vehicles to request remote unlocking of their car from a BMW assistance line.
During ADAC’s software testing, it was found that a loophole in the software could allow thieves to open the car doors and windows by hacking the data transmitted from the car’s network using a replica cellphone base station. Although there was a risk of a security breach during data transmission, the flaw did not affect functions like steering, braking or starting and stopping the engine. The other real problem was that a hacker who succeeded in opening the car doors would get easy access to the onboard functions that manage everything in the car.
ADAC did not present a PoC of the hack, but it did mention that the flaw involves BMW’s ConnectedDrive functionality. BMW makes several smartphone apps, at least one of which, called My BMW Remote in the United States, allows the car owner to lock and unlock the vehicle.
Dave Buchko, a BMW spokesman, said, “They were able to reverse engineer some of the software that we use for our telematics. With that they were able to mimic the BMW server.” BMW subsidiaries Rolls-Royce and Mini also use ConnectedDrive. The vulnerability could have placed some 2.2 million cars worldwide in jeopardy.
BMW yesterday fixed the security flaw, which may have caused several carjackings if left untouched. The German carmaker said that not a single case involving ADAC’s PoC method has come to its notice, nor have any cars been compromised due to the above flaw. However, it said that it had patched the flaw. From yesterday, the internal communication is encrypted using Hypertext Transfer Protocol Secure (HTTPS), which is also used to ensure safe financial transactions.
BMW further stated that its customers need not worry about the flaw or take any action: its engineers have released an automatic update which will fix the flaw as soon as the vehicle connects to the company’s server.