Mobile
2/3/2015
04:50 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

BMW's Software Security Patch A Sign Of Things To Come

But not all car security flaws can be patched as simply -- or at all.

BMW's "over-the-air" update transmitted to its ConnectedDrive software running on 2.2 million of its vehicles worldwide this past week to fix security flaws offered a rare glimpse of how the generation of smarter and more network-connected vehicles could get patched when bugs are discovered.

The German carmaker updated the software running in models of the BMW, Rolls Royce, and Mini, in response to the German Automobile Association (ADAC)'s discovery that an attacker could hijack or manipulate remote communications to the vehicles' SIM cards. The researchers reportedly were able to unlock the car doors remotely using a spoofed mobile network tower that intercepted mobile traffic to and from the vehicles.

Researchers at ADAC say the weak and unencrypted mobile communications links to the API also could potentially allow attackers to sniff vehicle location, speed, and even email communications over the ConnectedDrive network.

In response to the researchers' findings, The BMW Group said it now uses HTTPS for encrypted mobile communications to ConnectedDrive vehicles, and that no hardware nor any driving-related functions or personal customer data were affected by the security flaws. "The BMW Group has a new configuration to close this gap.  The update is carried out automatically or when the driver manually updates BMW Assist/ConnectedDrive," the company said. "The online services of BMW Group ConnectedDrive communicate with this configuration via the HTTPS protocol … which had previously been used for the service BMW Internet and other functions," and any communications to the car is authenticated to the BMW Group server before data his the mobile network, the statement said.

The over-the-air patching by BMW demonstrated one way carmakers could handle the inevitable discovery of future security bugs in cars, says Joshua Corman, CTO at Sonatype and a founder of the grass roots I Am The Cavalry effort. "They did an update over the air--no one had to go to the dealer, no one needs to come into the shop. That's a prompt and agile response" to a security issue, he says.

While details of the BMW ConnectedDrive flaws were vague, Corman says software updates indeed should be sent via an encrypted pipe, aka the SSL-based HTTPS. "This is a great response," he says of BMW's approach to the fix. The downside, of course, is that some SSL implementations, such as OpenSSL, have sported security flaws of their own, he notes.

Other cars may not be as patchable as BMW's, either. "Very few companies have the ability to remotely update" their automobile software like BMW has, he says. "It could have been something unpatchable … What if it required different hardware or firmware to fix and it was perpetually exposed for the life of the car?"

Corman helped craft the proposed Five Star Automotive Cyber Safety Program that carmakers can use to shore up the cyber security of their networked vehicles. He says it's still a ***

The five components are:  safety by design, where automakers build automation features with security in mind and employ a secure software development program; third-party collaboration, where automakers establish vulnerability disclosure policies; evidence capture, where automakers log forensic information that could be used in any safety or breach investigation; security updates, where they push software updates to customers efficiently; and segmentation and isolation, where critical systems are kept in a safe sector of the car's network.

[Public safety issues bubble to the top in security flaw revelations. Read Internet Of Things Security Reaches Tipping Point.]

Still unclear is whether BMW actually isolates critical driving functions from Internet browsing or the entertainment system. The company had not yet responded to questions about its cars' network architecture as of this posting. The affected versions of BMW's ConnectedDrive software range from March 2010 to December 2014. ConnectedDrive provides Internet access, navigation, and other networked features via a SIM card installed in the vehicle.

"Is there logical and physical segmentation between critical and non-critical systems? If you compromise the infotainment system, you should not be able to disable the brakes," Corman says.

Concerns over security holes in networked vehicles being used by attackers to cause physical or other damage has intensified in the wake of eye-popping research such as that of renowned security experts Charlie Miller and Chris Valasek.

Valasek, who heads up the vehicle security research practice at IOActive, says the good news is that malicious car hacking hasn't occurred just yet, and researchers are racing to get ahead of the bad guys. "No matter which manufacturer it is who gets hacked the first time, it's going to be an issue for the auto industry in general," Valasek says.

IOActive recently expanded its Vehicle Security Practice, offering secure development lifecycle consulting for automakers as well as penetration testing of vehicles. Valasek says the secure development lifecycle is a key first step to locking down cars from bad hackers, and then a full security assessment. "But a lot of them still don't have the budget and have strong time constraints," he says.

Building new cars with cyber security in mind is key, says Dave Miller, CSO at Covisint, a B2B secure cloud firm with several automotive vendors as clients, including GM's OnStar and Hyundai's BlueLink. "We believe it is important to get this right now, at the beginning, instead of having to retrofit millions of cars," he says. "In this vein, we believe that putting the security infrastructure into the cloud, instead of the vehicle, will allow for the modification of defense strategies as the threat landscape changes."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/7/2015 | 12:25:31 AM
Re: Connected Cars = Hackable Cars
Sounds like the cure for that is to put some black tape over it!  ;)
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/6/2015 | 2:05:33 AM
Re: Connected Cars = Hackable Cars
@Whoopty: Indeed, it reminds me of those researchers that figured out how to do the same thing to an HP printer -- and use that vulnerability to SET IT ON FIRE.

Imagine what the bad guys would be able to do to cars with firmware update spoofing!!!
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/6/2015 | 2:03:55 AM
Re: Connected Cars = Hackable Cars
Heck, I remember when my mom's old Lincoln that talked to you, over-and-over repeating messages like "The door...is...ajar," was the height of car technology.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/5/2015 | 11:43:53 AM
Re: Connected Cars = Hackable Cars
I've had problems with a few engine sensor lights that go on for no aparent reason (or none that my auto mechanic can figure out). And I'm talking about some old school cars.the IoT is gong to to require a whole new class of auto industry specialists in cybersecurity...
TerryB
50%
50%
TerryB,
User Rank: Ninja
2/4/2015 | 1:02:23 PM
Re: Connected Cars = Hackable Cars
This is getting completely out of control, putting things with a particular function like cars on a network which can be accessed remotely. I'm not a fan of software running in cars, period. But even leaving that argument aside, no reason car software upgrades can't be done thru service center when you bring in for maintenance. At least then you have some control over who/what is changing your software. Don't try and convince me the car mfgrs will get security right when nobody else in the connected world seems to able to.

Somewhat on theme here, I have an older 2004 BMW M3 that, for most part, I just love to drive. But talk about sensor overkill, it constantly has red light on telling me I have flat tire. And that continues even though I put on brand new winter tires/rims for the season. So eventually I'll have to fix the sensor or just be OK with fact I don't need sensor to tell me I have flat tire. I think I'm OK with latter, usually not that difficult to know you have flat tire.
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
2/4/2015 | 10:50:38 AM
Re: Connected Cars = Hackable Cars
This is dead on. Wireless patching is a very nice idea, but when someone figures out how to remotely spoof a legitimate firmware update, we're in real trouble, as that gives someone the ability to take control of the car in its entirity. There's a real danger for nefarious individuals to take advantage of it. There needs to be some measure of two factor authentication for all firmware updates. Preferably three. 
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
2/4/2015 | 7:21:39 AM
Re: Connected Cars = Hackable Cars
@Joe, you are so right in that this is yet another IoT problem. But this one has some frightening public safety ramifications. Not all car security vulns can be fixed like BMW's with an over-the-air update, which is something to keep in mind. There will always be a backlog of unpatched/vulnerable vehicles on the road, which is the most unsettling aspect here. I like my old-school, non-networked vehicles. 
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/4/2015 | 2:06:57 AM
Connected Cars = Hackable Cars
It's helpful that the automaker was able to patch the vulnerability in this way, but this connectivity just presents another venue for attack.  If that gets hacked, what then?

The dangers of the IoT age...
Mobile Malware Incidents Hit 100% of Businesses
Dawn Kawamoto, Associate Editor, Dark Reading,  11/17/2017
3 Ways to Retain Security Operations Staff
Oliver Rochford, Vice President of Security Evangelism at DFLabs,  11/20/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.