BMWs Hackable Via Smartphone

Tuesday, February 3, 2015 @ 03:02 PM gHale

BMW drivers beware: A flaw in the remote service of the Connected Drive software platform on 2.2 million vehicles worldwide allows an attacker to unlock the car’s doors from a smartphone.

The affected cars are all those with Connected Drive manufactured between March 2010 and December 8, 2014. Among them are BMW models (1 through 7 Series, i3, X1), Mini (three- and five-door hatchback), and Rolls-Royce (Phantom Coupe and Drophead Coupe, Ghost and Wraith).

As cars become more sophisticated and pack in more computer technology, this is not the first case of a vehicle being exposed to attackers.

In this case, German automobile club ADAC discovered the vulnerability, saying the doors of the cars can be unlocked within minutes, without leaving any trace of wrongdoing behind.

It appears the flaw is the result of a lack of data encryption between Connected Drive and the servers maintained by BMW. The communication occurs through a cellular modem with an always-present SIM card.

Researchers noticed unencrypted traffic being exchanged between the car and BMW servers, which allowed them to intercept and modify it. This could occur via base transceiver station (BTS) equipment, which can capture information from GSM devices.

ADAC discovered the vulnerability by chance and reported its findings to the manufacturer, waiting for an update to be ready before publishing the information.

From the details provided by ADAC, it is unclear whether the security flaw could escalate to the point where an attacker could take advantage of drive-related functions.

Connected Drive's feature set expanded in 2014, when the manufacturer introduced enhanced navigation tools, smartphone connectivity and voice search, along with apps designed to improve the overall experience with the car and prevent driving distractions caused by glancing at a mobile phone.

BMW said it would fix the flaw by January 31 and has already sent the fix to the affected cars. Communication with the vehicles that received the update should now occur in a secure manner, as encryption is now on.
