[Cryptography] Security vulnerabilities in BMW's ConnectedDrive

Henry Baker hbaker1 at pipeline.com
Sat Feb 7 09:44:35 EST 2015


FYI -- I loved the part where if the hacker didn't know the vehicle's VIN, the car sent a helpful error message telling him/her!

Of course, at least in the US, the VIN number is readable through the windshield, and a modern high resolution camera could read these VIN numbers from an overpass on a freeway.

http://www.heise.de/ct/artikel/Beemer-Open-Thyself-Security-vulnerabilities-in-BMW-s-ConnectedDrive-2540957.html

If the Remote Services are deactivated in a vehicle with ConnectedDrive, the remote opening of the doors would not work.  It is, however, possible to activate Remote Services using the emulated cellular network.

This works similarly to the previous attack.  The car gets sent a text message instructing it to load new configuration data from the BMW servers.  This data gets loaded via a simple HTTP Get request and is formatted as unencrypted XML that is trivial to understand.  The configuration file is not protected against manipulation at all, something that could have been easily solved by signing the data.  This means it was easy, using my emulated network, to first activate Remote Services and then open the doors.

At least the messages sent to a vehicle are checked with regard to which car they are addressed to.  This check is done with a VIN (Vehicle Identification Number) included in the message.  If the VIN does not match the car in question, it will not execute the command it is sent.  This is no hurdle to a potential attacker, though, since the Combox is very helpful in this regard: If it does not receive a valid VIN, it actually sends back an error message that contains the correct VIN in order to identify the sender of the message.

At the time of my initial investigation, ConnectedDrive included six security vulnerabilities:
* BMW uses the same symmetric keys in all vehicles.
* Some services do not encrypt messages in transit between the car and the BMW backend.
* The ConnectedDrive configuration data isn't tamper-proof.
* The Combox discloses the VIN via NGTP error messages.
* NGTP data sent via text messages is encrypted with the insecure DES method.
* The Combox does not implement protection to guard against replay attacks.

Still, what are the options for car owners who are nervous despite the assurances from the manufacturer?  Sadly, ConnectedDrive can't simply be switched off – there is no equivalent to the Airplane Mode offered by mobile phones.

To permanently deactivate ConnectedDrive, a written request and a visit to a service garage is required.  A self-help measure would be to disconnect the Combox or TCB from the antenna.  Depending on the car model, this is easy to do as the control unit can be found under the luggage compartment floor.  However, this also deactivates the automatic emergency calls.
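Added example (not part of Henry Baker's post or the heise article): a toy model in Python of the Combox command check the article describes.  The VIN, the fleet key and the JSON framing are constructed for illustration; the real NGTP message format is not modelled.  WeakCombox reproduces three of the listed behaviours (unauthenticated command, VIN echoed back in the error, no replay protection); HardenedCombox shows the usual remedies: a per-vehicle key derived from the fleet secret, an HMAC over the whole message, a monotonic counter, and one uniform error.  The same MAC-or-signature check is what the article asks for on the configuration file the car fetches over HTTP.

```python
"""Toy model of the Combox command check described in the article.

Constructed illustration only: not BMW code and not the real NGTP
message format. The VIN, the fleet key and the JSON framing are
assumptions made for this example.
"""
import hashlib
import hmac
import json

VIN = "WBA0000000TESTVIN"          # constructed sample VIN (17 characters)
MASTER_KEY = b"fleet-wide-secret"  # assumption: the single key the article says all cars share


class WeakCombox:
    """Behaviour the article criticises: no authentication, no replay
    protection, and an error that tells the sender the correct VIN."""

    def __init__(self, vin):
        self.vin = vin
        self.doors_open = False

    def handle(self, msg):
        if msg.get("vin") != self.vin:
            return "ERROR: unknown VIN, this unit is " + self.vin  # the oracle
        if msg.get("cmd") == "unlock":
            self.doors_open = True
            return "OK"
        return "ERROR: unknown command"


def per_vehicle_key(master, vin):
    """One key per car, so a key pulled from one Combox does not open the
    rest of the fleet. HMAC-SHA256 stands in for a proper KDF here."""
    return hmac.new(master, b"combox-key|" + vin.encode(), hashlib.sha256).digest()


def backend_sign(master, vin, cmd, ctr):
    """What a backend would send: canonical JSON body plus an HMAC tag
    under the per-vehicle key. ctr must increase with every command."""
    body = json.dumps({"vin": vin, "cmd": cmd, "ctr": ctr}, sort_keys=True,
                      separators=(",", ":"))
    tag = hmac.new(per_vehicle_key(master, vin), body.encode(), hashlib.sha256)
    return json.dumps({"body": body, "mac": tag.hexdigest()}).encode()


class HardenedCombox:
    """Same command set, with MAC, monotonic counter and a uniform error."""

    def __init__(self, vin, master):
        self.vin = vin
        self.key = per_vehicle_key(master, vin)
        self.last_ctr = 0
        self.doors_open = False

    def handle(self, wire):
        try:
            env = json.loads(wire)
            body, tag = env["body"], bytes.fromhex(env["mac"])
            if not isinstance(body, str):
                raise TypeError
        except (ValueError, KeyError, TypeError):
            return "ERROR"
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        # Verify the tag before interpreting the body, and answer bad MAC,
        # wrong VIN and replay identically so nothing can be probed.
        if not hmac.compare_digest(tag, expected):
            return "ERROR"
        msg = json.loads(body)
        ctr = msg.get("ctr", 0)
        if msg.get("vin") != self.vin or not isinstance(ctr, int) or ctr <= self.last_ctr:
            return "ERROR"
        self.last_ctr = ctr
        if msg.get("cmd") == "unlock":
            self.doors_open = True
            return "OK"
        return "ERROR"


def demo_weak():
    """Attacker flow from the article: probe with a bogus VIN, read the
    real VIN out of the error, resend. Returns (leaked_vin, doors_open)."""
    car = WeakCombox(VIN)
    reply = car.handle({"vin": "UNKNOWN", "cmd": "unlock"})
    leaked = reply.rsplit(" ", 1)[-1]
    car.handle({"vin": leaked, "cmd": "unlock"})
    return leaked, car.doors_open


def demo_hardened():
    """Returns (genuine, replay, probe, tampered, doors_open)."""
    car = HardenedCombox(VIN, MASTER_KEY)
    wire = backend_sign(MASTER_KEY, VIN, "unlock", ctr=1)
    genuine = car.handle(wire)
    replay = car.handle(wire)  # same counter again: rejected
    probe = car.handle(json.dumps({"body": json.dumps(
        {"vin": "UNKNOWN", "cmd": "unlock", "ctr": 2}), "mac": "00"}).encode())
    env = json.loads(wire)
    env["body"] = env["body"].replace('"ctr":1', '"ctr":3')  # bumped counter, stale MAC
    tampered = car.handle(json.dumps(env).encode())
    return genuine, replay, probe, tampered, car.doors_open


if __name__ == "__main__":
    print("weak:", demo_weak())
    print("hardened:", demo_hardened())
```

The weak handler opens the doors after a single probe because the error message hands over the VIN; the hardened one accepts only the genuine, first-use message and returns the same "ERROR" for the replay, the VIN probe and the edited counter.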


