Mobile
2/3/2015
04:50 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

BMW's Software Security Patch A Sign Of Things To Come

But not all car security flaws can be patched as simply -- or at all.

BMW's "over-the-air" update transmitted to its ConnectedDrive software running on 2.2 million of its vehicles worldwide this past week to fix security flaws offered a rare glimpse of how the generation of smarter and more network-connected vehicles could get patched when bugs are discovered.

The German carmaker updated the software running in models of the BMW, Rolls Royce, and Mini, in response to the German Automobile Association (ADAC)'s discovery that an attacker could hijack or manipulate remote communications to the vehicles' SIM cards. The researchers reportedly were able to unlock the car doors remotely using a spoofed mobile network tower that intercepted mobile traffic to and from the vehicles.

Researchers at ADAC say the weak and unencrypted mobile communications links to the API also could potentially allow attackers to sniff vehicle location, speed, and even email communications over the ConnectedDrive network.

In response to the researchers' findings, The BMW Group said it now uses HTTPS for encrypted mobile communications to ConnectedDrive vehicles, and that no hardware nor any driving-related functions or personal customer data were affected by the security flaws. "The BMW Group has a new configuration to close this gap.  The update is carried out automatically or when the driver manually updates BMW Assist/ConnectedDrive," the company said. "The online services of BMW Group ConnectedDrive communicate with this configuration via the HTTPS protocol … which had previously been used for the service BMW Internet and other functions," and any communications to the car is authenticated to the BMW Group server before data his the mobile network, the statement said.

The over-the-air patching by BMW demonstrated one way carmakers could handle the inevitable discovery of future security bugs in cars, says Joshua Corman, CTO at Sonatype and a founder of the grass roots I Am The Cavalry effort. "They did an update over the air--no one had to go to the dealer, no one needs to come into the shop. That's a prompt and agile response" to a security issue, he says.

While details of the BMW ConnectedDrive flaws were vague, Corman says software updates indeed should be sent via an encrypted pipe, aka the SSL-based HTTPS. "This is a great response," he says of BMW's approach to the fix. The downside, of course, is that some SSL implementations, such as OpenSSL, have sported security flaws of their own, he notes.

Other cars may not be as patchable as BMW's, either. "Very few companies have the ability to remotely update" their automobile software like BMW has, he says. "It could have been something unpatchable … What if it required different hardware or firmware to fix and it was perpetually exposed for the life of the car?"

Corman helped craft the proposed Five Star Automotive Cyber Safety Program that carmakers can use to shore up the cyber security of their networked vehicles. He says it's still a ***

The five components are:  safety by design, where automakers build automation features with security in mind and employ a secure software development program; third-party collaboration, where automakers establish vulnerability disclosure policies; evidence capture, where automakers log forensic information that could be used in any safety or breach investigation; security updates, where they push software updates to customers efficiently; and segmentation and isolation, where critical systems are kept in a safe sector of the car's network.

[Public safety issues bubble to the top in security flaw revelations. Read Internet Of Things Security Reaches Tipping Point.]

Still unclear is whether BMW actually isolates critical driving functions from Internet browsing or the entertainment system. The company had not yet responded to questions about its cars' network architecture as of this posting. The affected versions of BMW's ConnectedDrive software range from March 2010 to December 2014. ConnectedDrive provides Internet access, navigation, and other networked features via a SIM card installed in the vehicle.

"Is there logical and physical segmentation between critical and non-critical systems? If you compromise the infotainment system, you should not be able to disable the brakes," Corman says.

Concerns over security holes in networked vehicles being used by attackers to cause physical or other damage has intensified in the wake of eye-popping research such as that of renowned security experts Charlie Miller and Chris Valasek.

Valasek, who heads up the vehicle security research practice at IOActive, says the good news is that malicious car hacking hasn't occurred just yet, and researchers are racing to get ahead of the bad guys. "No matter which manufacturer it is who gets hacked the first time, it's going to be an issue for the auto industry in general," Valasek says.

IOActive recently expanded its Vehicle Security Practice, offering secure development lifecycle consulting for automakers as well as penetration testing of vehicles. Valasek says the secure development lifecycle is a key first step to locking down cars from bad hackers, and then a full security assessment. "But a lot of them still don't have the budget and have strong time constraints," he says.

Building new cars with cyber security in mind is key, says Dave Miller, CSO at Covisint, a B2B secure cloud firm with several automotive vendors as clients, including GM's OnStar and Hyundai's BlueLink. "We believe it is important to get this right now, at the beginning, instead of having to retrofit millions of cars," he says. "In this vein, we believe that putting the security infrastructure into the cloud, instead of the vehicle, will allow for the modification of defense strategies as the threat landscape changes."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/7/2015 | 12:25:31 AM
Re: Connected Cars = Hackable Cars
Sounds like the cure for that is to put some black tape over it!  ;)
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/6/2015 | 2:05:33 AM
Re: Connected Cars = Hackable Cars
@Whoopty: Indeed, it reminds me of those researchers that figured out how to do the same thing to an HP printer -- and use that vulnerability to SET IT ON FIRE.

Imagine what the bad guys would be able to do to cars with firmware update spoofing!!!
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/6/2015 | 2:03:55 AM
Re: Connected Cars = Hackable Cars
Heck, I remember when my mom's old Lincoln that talked to you, over-and-over repeating messages like "The door...is...ajar," was the height of car technology.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/5/2015 | 11:43:53 AM
Re: Connected Cars = Hackable Cars
I've had problems with a few engine sensor lights that go on for no aparent reason (or none that my auto mechanic can figure out). And I'm talking about some old school cars.the IoT is gong to to require a whole new class of auto industry specialists in cybersecurity...
TerryB
50%
50%
TerryB,
User Rank: Ninja
2/4/2015 | 1:02:23 PM
Re: Connected Cars = Hackable Cars
This is getting completely out of control, putting things with a particular function like cars on a network which can be accessed remotely. I'm not a fan of software running in cars, period. But even leaving that argument aside, no reason car software upgrades can't be done thru service center when you bring in for maintenance. At least then you have some control over who/what is changing your software. Don't try and convince me the car mfgrs will get security right when nobody else in the connected world seems to able to.

Somewhat on theme here, I have an older 2004 BMW M3 that, for most part, I just love to drive. But talk about sensor overkill, it constantly has red light on telling me I have flat tire. And that continues even though I put on brand new winter tires/rims for the season. So eventually I'll have to fix the sensor or just be OK with fact I don't need sensor to tell me I have flat tire. I think I'm OK with latter, usually not that difficult to know you have flat tire.
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
2/4/2015 | 10:50:38 AM
Re: Connected Cars = Hackable Cars
This is dead on. Wireless patching is a very nice idea, but when someone figures out how to remotely spoof a legitimate firmware update, we're in real trouble, as that gives someone the ability to take control of the car in its entirity. There's a real danger for nefarious individuals to take advantage of it. There needs to be some measure of two factor authentication for all firmware updates. Preferably three. 
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
2/4/2015 | 7:21:39 AM
Re: Connected Cars = Hackable Cars
@Joe, you are so right in that this is yet another IoT problem. But this one has some frightening public safety ramifications. Not all car security vulns can be fixed like BMW's with an over-the-air update, which is something to keep in mind. There will always be a backlog of unpatched/vulnerable vehicles on the road, which is the most unsettling aspect here. I like my old-school, non-networked vehicles. 
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/4/2015 | 2:06:57 AM
Connected Cars = Hackable Cars
It's helpful that the automaker was able to patch the vulnerability in this way, but this connectivity just presents another venue for attack.  If that gets hacked, what then?

The dangers of the IoT age...
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Five Things Every Business Executive Should Know About Cybersecurity
Don't get lost in security's technical minutiae - a clearer picture of what's at stake can help align business imperatives with technology execution.
Flash Poll
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Social engineering, ransomware, and other sophisticated exploits are leading to new IT security compromises every day. Dark Reading's 2016 Strategic Security Survey polled 300 IT and security professionals to get information on breach incidents, the fallout they caused, and how recent events are shaping preparations for inevitable attacks in the coming year. Download this report to get a look at data from the survey and to find out what a breach might mean for your organization.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Security researchers are finding that there's a growing market for the vulnerabilities they discover and persistent conundrum as to the right way to disclose them. Dark Reading editors will speak to experts -- Veracode CTO and co-founder Chris Wysopal and HackerOne co-founder and CTO Alex Rice -- about bug bounties and the expanding market for zero-day security vulnerabilities.