What can carmakers glean from BMW's security patch?
Keywords:ConnectedDrive ADAC security flaws HTTPS API
Some car security flaws can be easily patched, but some are just beyond repair.
BMW's "over-the-air" update transmitted to its ConnectedDrive software running on 2.2 million of its vehicles worldwide this past week to fix security flaws offered a rare glimpse of how the generation of smarter and more network-connected vehicles could get patched when bugs are discovered.
The German carmaker updated the software running in models of the BMW, Rolls Royce and Mini, in response to the German Automobile Association (ADAC)'s discovery that an attacker could hijack or manipulate remote communications to the vehicles' SIM cards. The researchers reportedly were able to unlock the car doors remotely using a spoofed mobile network tower that intercepted mobile traffic to and from the vehicles.
Researchers at ADAC say the weak and unencrypted mobile communications links to the API also could potentially allow attackers to sniff vehicle location, speed and even email communications over the ConnectedDrive network.
In response to the researchers' findings, The BMW Group said it now uses HTTPS for encrypted mobile communications to ConnectedDrive vehicles, and that no hardware nor any driving-related functions or personal customer data were affected by the security flaws.
"The BMW Group has a new configuration to close this gap. The update is carried out automatically or when the driver manually updates BMW Assist/ConnectedDrive," the company said. "The online services of BMW Group ConnectedDrive communicate with this configuration via the HTTPS protocol ... which had previously been used for the service BMW Internet and other functions," and any communications to the car is authenticated to the BMW Group server before data his the mobile network, the statement said.
The over-the-air patching by BMW demonstrated one way carmakers could handle the inevitable discovery of future security bugs in cars, said Joshua Corman, CTO at Sonatype and a founder of the grass roots I Am The Cavalry effort. "They did an update over the air—no one had to go to the dealer, no one needs to come into the shop. That's a prompt and agile response" to a security issue, he said.
While details of the BMW ConnectedDrive flaws were vague, Corman said software updates indeed should be sent via an encrypted pipe, aka the SSL-based HTTPS. "This is a great response," he said of BMW's approach to the fix. The downside, of course, is that some SSL implementations, such as OpenSSL, have sported security flaws of their own, he notes.
Other cars may not be as patchable as BMWs either. "Very few companies have the ability to remotely update" their automobile software like BMW has, he said. "It could have been something unpatchable ... What if it required different hardware or firmware to fix and it was perpetually exposed for the life of the car?"
Visit Asia Webinars to learn about the latest in technology and get practical design tips.
All rights reserved.Reproduction in whole or in part in any form or medium without the express written permission of UBM Asia Ltd. is prohibited.