EE Times-India

What can carmakers glean from BMW's security patch?

Posted: 06 Feb 2015

Keywords: ConnectedDrive, ADAC, security flaws, HTTPS, API

Some car security flaws can be easily patched, but some are just beyond repair.

BMW's "over-the-air" update transmitted to its ConnectedDrive software running on 2.2 million of its vehicles worldwide this past week to fix security flaws offered a rare glimpse of how the generation of smarter and more network-connected vehicles could get patched when bugs are discovered.

The German carmaker updated the software running in models of the BMW, Rolls Royce and Mini, in response to the German Automobile Association (ADAC)'s discovery that an attacker could hijack or manipulate remote communications to the vehicles' SIM cards. The researchers reportedly were able to unlock the car doors remotely using a spoofed mobile network tower that intercepted mobile traffic to and from the vehicles.

Researchers at ADAC say the weak and unencrypted mobile communications links to the API also could potentially allow attackers to sniff vehicle location, speed and even email communications over the ConnectedDrive network.

In response to the researchers' findings, the BMW Group said it now uses HTTPS for encrypted mobile communications to ConnectedDrive vehicles, and that neither hardware, driving-related functions nor personal customer data were affected by the security flaws.

"The BMW Group has a new configuration to close this gap. The update is carried out automatically or when the driver manually updates BMW Assist/ConnectedDrive," the company said. "The online services of BMW Group ConnectedDrive communicate with this configuration via the HTTPS protocol ... which had previously been used for the service BMW Internet and other functions," and any communication to the car is authenticated to the BMW Group server before data hits the mobile network, the statement said.

The over-the-air patching by BMW demonstrated one way carmakers could handle the inevitable discovery of future security bugs in cars, said Joshua Corman, CTO at Sonatype and a founder of the grassroots I Am The Cavalry effort. "They did an update over the air—no one had to go to the dealer, no one needs to come into the shop. That's a prompt and agile response" to a security issue, he said.

While details of the BMW ConnectedDrive flaws were vague, Corman said software updates indeed should be sent via an encrypted pipe, i.e. SSL-based HTTPS. "This is a great response," he said of BMW's approach to the fix. The downside, of course, is that some SSL implementations, such as OpenSSL, have sported security flaws of their own, he noted.
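The two preceding paragraphs describe the defensive shape of the fix: the vehicle talks to the update service over HTTPS, and the communication is authenticated to the carmaker's server rather than trusted just because it arrived over the mobile network. The following is an added example, not BMW's code and not from the article, of what a vehicle-side update client that follows those two rules looks like. It goes one step beyond the page by also checking an authentication tag on the update payload itself, so that a spoofed base station relaying or altering traffic cannot get an unauthorised configuration applied. The allowed host list, the function names, the HMAC key and the sample update bytes are all constructed for the example; a real deployment would use a signature verified against a pinned manufacturer public key rather than a shared HMAC key.

```python
import hashlib
import hmac
import ssl
from urllib.parse import urlparse

# Constructed for the example: a shared key stands in for the manufacturer's
# update-signing key. Real vehicles should verify an asymmetric signature
# against a pinned public key so no per-vehicle secret can forge updates.
EXAMPLE_UPDATE_KEY = b"example-update-key-not-real"

# Constructed sample update body; the content is illustrative only.
SAMPLE_UPDATE = b"connecteddrive-config: transport=https; auth=server-cert"

# Hosts the client is willing to fetch updates from (constructed placeholder).
ALLOWED_UPDATE_HOSTS = {"updates.example-carmaker.invalid"}


def make_tls_context() -> ssl.SSLContext:
    """TLS client settings for the update channel: the server must present a
    certificate that chains to a trusted root and matches the hostname, so a
    rogue mobile tower relaying the connection cannot impersonate the server."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_context_is_strict(ctx: ssl.SSLContext) -> bool:
    """Return True only if the context authenticates the server."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def is_acceptable_update_url(url: str, allowed_hosts=ALLOWED_UPDATE_HOSTS) -> bool:
    """Refuse plain HTTP and refuse hosts outside the carmaker's own service."""
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname in allowed_hosts


def sign_update(payload: bytes, key: bytes = EXAMPLE_UPDATE_KEY) -> str:
    """Server side: compute the authentication tag shipped alongside the update."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_update(payload: bytes, tag: str, key: bytes = EXAMPLE_UPDATE_KEY) -> bool:
    """Vehicle side: constant-time comparison so the check leaks no timing info."""
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def decide_update(url: str, payload: bytes, tag: str) -> str:
    """Apply an update only if both the transport and the payload pass checks.
    Returns a short verdict string instead of acting, so it is easy to test."""
    if not is_acceptable_update_url(url):
        return "rejected: transport not https or host not allowed"
    if not verify_update(payload, tag):
        return "rejected: payload authentication failed"
    return "applied"


if __name__ == "__main__":
    ctx = make_tls_context()
    print("strict TLS context:", tls_context_is_strict(ctx))
    tag = sign_update(SAMPLE_UPDATE)
    good_url = "https://updates.example-carmaker.invalid/config"
    print(decide_update(good_url, SAMPLE_UPDATE, tag))
    # A relaying tower that rewrites the body cannot produce a valid tag.
    tampered = SAMPLE_UPDATE.replace(b"https", b"http")
    print(decide_update(good_url, tampered, tag))
    # Plain HTTP is refused before the payload is even looked at.
    print(decide_update("http://updates.example-carmaker.invalid/config", SAMPLE_UPDATE, tag))
```

The two checks are deliberately independent: HTTPS with server-certificate verification protects the channel, and the payload tag protects the update itself, so the vehicle still refuses an altered update even if the transport layer is later found to have a flaw of the kind Corman mentions for OpenSSL.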

Other cars may not be as patchable as BMWs either. "Very few companies have the ability to remotely update" their automobile software like BMW has, he said. "It could have been something unpatchable ... What if it required different hardware or firmware to fix and it was perpetually exposed for the life of the car?"
