BMW i5 and 5-Series Forum

Post Reply
 
Thread Tools Search this Thread
      01-30-2015, 07:01 AM   #1
Scandic24
Second Lieutenant
Scandic24's Avatar
Sweden
45
Rep
271
Posts

Drives: X4 30d MSport
Join Date: Aug 2010
Location: Sweden

iTrader: (0)

BMW increases ConnectedDrive security after potential security gap reported by ADAC

BIMMERPOST
     Featured on BIMMERPOST.com
BMW Group ConnectedDrive increases data security. Rapid response to reports from the German Automobile Association ADAC.

30.01.2015

Munich.
As the leading manufacturer in the networking of driver, vehicle and the surrounding environment, the BMW Group is increasing the security of data transmission in its vehicles. This is the company’s response to reports from the German Automobile Association (ADAC). The motorist’s association had identified a potential security gap when data is transmitted. The BMW Group has already closed this gap with a new configuration.

The experts from the ADAC had put the company through a strategic review as market leader in vehicle networking. This check revealed a potential security gap affecting the transmission path via the mobile phone network. BMW Group hardware was not impacted. The online capability of BMW Group ConnectedDrive allowed the gap to be closed quickly and safely in all vehicles. Access to functions relevant to driving was excluded at all times. There was no need for vehicles to go to the workshop.

The update is carried out automatically as soon as the vehicle connects up to the BMW Group server or the driver calls up the service configuration manually. The online services of BMW Group ConnectedDrive communicate with this configuration via the HTTPS protocol (HyperText Transfer Protocol Secure) which had previously been used for the service BMW Internet and other functions. The BMW Group ConnectedDrive packages in the vehicle are thereby using encryption which in most cases is also being used by banks for online banking. On the one hand, data are encrypted with the HTTPS protocol, and on the other hand, the identity of the BMW Group server is checked by the vehicle before data are transmitted over the mobile phone network.

In this way, the BMW Group has responded promptly and increased the security of BMW Group ConnectedDrive, because no cases have come to light yet in which data has been called up actively by unauthorised persons from outside or an attempt of this kind is made in the first place.
Appreciate 0
      01-30-2015, 09:27 AM   #2
Ganxxta
Second Lieutenant
Germany
85
Rep
280
Posts

Drives: F32 4er Coupé
Join Date: Oct 2013
Location: Germany

iTrader: (0)

To be honest, the title should have been: "ConnectedDrive hacked", not "increases security"...

Was only a matter of time until somebody would use the remote services through a hack

WTF was BMW thinking to use a not encrypted connection in the first place -.-
Appreciate 0
      01-30-2015, 02:21 PM   #3
b33g33
Give '///M' Hell!
b33g33's Avatar
United_States
129
Rep
1,328
Posts

Drives: Einser Rex
Join Date: Jun 2011
Location: Atlanta, GA

iTrader: (0)

Unhappy Connected Drive vulnerability to hacking



BMW press release reveals German Automobile Association (ADAC) findings that Connected Drive equipped Bimmers and MINIs are susceptible to being accessed by unauthorized cellular users who then have access to all ConnectedDrive features.

BMW has apparently released a fix (not sure if it will be available in the US OTA as the press release indicates).

BMW Press Release: (https://www.press.bmwgroup.com/globa...tem=node__5238)

Quote:
BMW Group ConnectedDrive increases data security. Rapid response to reports from the German Automobile As-sociation ADAC.
30.01.2015Contained media data:
1 Attachment
Munich. As the leading manufacturer in the networking of driver, vehicle and the surrounding environment, the BMW Group is increasing the security of data transmission in its vehicles. This is the company’s response to reports from the German Automobile Association (ADAC). The motorist’s association had identified a potential security gap when data is transmitted. The BMW Group has already closed this gap with a new configuration.
The experts from the ADAC had put the company through a strategic review as market leader in vehicle networking. This check revealed a potential security gap affecting the transmission path via the mobile phone network. BMW Group hardware was not impacted. The online capability of BMW Group ConnectedDrive allowed the gap to be closed quickly and safely in all vehicles. Access to functions relevant to driving was excluded at all times. There was no need for vehicles to go to the workshop.
The update is carried out automatically as soon as the vehicle connects up to the BMW Group server or the driver calls up the service configuration manually. The online services of BMW Group ConnectedDrive communicate with this configuration via the HTTPS protocol (HyperText Transfer Protocol Secure) which had previously been used for the service BMW Internet and other functions. The BMW Group ConnectedDrive packages in the vehicle are thereby using encryption which in most cases is also being used by banks for online banking. On the one hand, data are encrypted with the HTTPS protocol, and on the other hand, the identity of the BMW Group server is checked by the vehicle before data are transmitted over the mobile phone network.
In this way, the BMW Group has responded promptly and increased the security of BMW Group ConnectedDrive, because no cases have come to light yet in which data has been called up actively by unauthorised persons from outside or an attempt of this kind is made in the first place.


ADAC link: http://www.adac.de/infotestrat/techn...spx#tabid=tab1

Quote:
The ADAC has found vulnerabilities in BMW vehicles with the equipment ConnectedDrive. As a result, the cars can be opened after a single preparation via mobile phone within minutes from the outside, without this leaves traces. According to BMW them are over 2.2 million vehicles a number of model series of the Group brands BMW, Mini and Rolls Royce affected (see below).
The ADAC emphasizes that he has not conducted a full safety review of BMW cars or even the entire company. For this was before no job and this is the responsibility of the respective manufacturer.
Finally, analysis on Jalopnik: http://jalopnik.com/millions-of-conn...ata-1682795531
__________________
The 1 series M is the most badass, coolest, sickest BMW to debut since the 1988 M3. The E30 M3 finally has a successor. Please welcome the stupidly fast, wickedly tempered, awkwardly named, possibly perfect little son of a benchmark - Automobile Magazine, August 2011

Appreciate 0
      01-30-2015, 02:34 PM   #4
greekcs
Major
greekcs's Avatar
United_States
790
Rep
1,113
Posts

Drives: 2020 M340i xDrive
Join Date: Jan 2010
Location: Long Island, NY

iTrader: (0)

I'd like to find said hacker and offer them money for a remote start feature.
__________________
2003 11/02 Steel Gray Metallic on Red M3 - SMGII - VF570 - SUPERSPRINT - KW - BBS - CSL ROOF SOLD
2015 09/14 Alpine White on Red 435i xDrive MPPK - Expensive black vinyl with special lettering. SOLD
2020 12/19 Mineral Gray Metallic on Black Vinyl interior M340i xDrive
Appreciate 0
      01-30-2015, 03:18 PM   #5
abirmaher
Colonel
abirmaher's Avatar
United_States
894
Rep
2,421
Posts

Drives: 2018 BMW M2 & 2024 BMW X1 M35i
Join Date: Feb 2010
Location: Fort Lauderdale, FL

iTrader: (14)

Garage List
  [0.00]
2018 BMW M2  [10.00]
Quote:
Originally Posted by greekcs
I'd like to find said hacker and offer them money for a remote start feature.
Hahaha
__________________
Follow my builds:
The Racecar (2018 M2 - M0010): Build Thread | @_m0010
The Daily (2024 X1 M35i - X001M35):Build Thread | @_x001m35
Appreciate 0
      01-30-2015, 04:23 PM   #6
sputman
Private
sputman's Avatar
Canada
22
Rep
85
Posts

Drives: '15 M235i xDrive + '21 Z4 M40i
Join Date: Dec 2014
Location: Burlington, ON

iTrader: (0)

+1... Heck +99 for remote start!

They disable features like variable light distinction for North America, perhaps they could just make remote start a possibility and disable it for Europe.
Appreciate 0
      01-30-2015, 05:01 PM   #7
eeghie
Kind of a big deal
303
Rep
1,676
Posts

Drives: an 1M not often enough
Join Date: Jan 2011
Location: between Unlimited and Hard to Get

iTrader: (0)

Not just BMW, from now, anyone with bad intentions can "assist" you. Hopefully this is the last security glitch.

Hail to pure analogue fun.
Appreciate 0
      01-30-2015, 05:10 PM   #8
Dackelone
European Editor
Dackelone's Avatar
Germany
10822
Rep
22,992
Posts

Drives: N54 e82
Join Date: Feb 2010
Location: Bayern, Germany

iTrader: (1)

Here is the ADAC video... (sorry its in German)

Appreciate 0
      01-30-2015, 06:36 PM   #9
eeghie
Kind of a big deal
303
Rep
1,676
Posts

Drives: an 1M not often enough
Join Date: Jan 2011
Location: between Unlimited and Hard to Get

iTrader: (0)

Quote:
Originally Posted by Dackelone View Post
Here is the ADAC video... (sorry its in German)
Interesting statement in the video is that BMW is said to have been applying the remote updates for this glitch already from 8 december 2014 onwards.

Hopefully this means that all affected cars that had their battery connected and were within mobile range since December '14 are no longer vulnerable?
Appreciate 1
      01-30-2015, 06:42 PM   #10
Dackelone
European Editor
Dackelone's Avatar
Germany
10822
Rep
22,992
Posts

Drives: N54 e82
Join Date: Feb 2010
Location: Bayern, Germany

iTrader: (1)

Quote:
Originally Posted by eeghie View Post
Interesting statement in the video is that BMW is said to have been applying the remote updates for this glitch already from 8 december 2014 onwards.

Hopefully this means that all affected cars that had their battery connected since December '14 are no longer vulnerable?
Yes, BMW AG had ADAC conduct "tests" to see IF the connected drive system could be hacked. And it could!!! Then BMW AG asked ADAC not to public with the results of their findings - until BMW could address their vulnerability. BMW AG has come out with an update/patch on Dec 8th. Now ADAC has started to report their findings - while BMW has "fixed" this security gap.
Appreciate 0
      01-30-2015, 07:29 PM   #11
aussiem3
Colonel
aussiem3's Avatar
Australia
285
Rep
2,671
Posts

Drives: Goggomobil
Join Date: Jul 2007
Location: Kangaroo land

iTrader: (1)

Garage List
This is all about stakeholders working together and in partnership. Good outcome.
__________________
Appreciate 0
      01-30-2015, 07:48 PM   #12
BrokenVert
Resident Kerbalnaut
BrokenVert's Avatar
United_States
484
Rep
10,703
Posts

Drives: Topless Brute/Hybrid Boogaloo
Join Date: Apr 2009
Location: Fahrvergnügen/NY

iTrader: (0)

Quote:
Originally Posted by Dackelone View Post
Yes, BMW AG had ADAC conduct "tests" to see IF the connected drive system could be hacked. And it could!!! Then BMW AG asked ADAC not to public with the results of their findings - until BMW could address their vulnerability. BMW AG has come out with an update/patch on Dec 8th. Now ADAC has started to report their findings - while BMW has "fixed" this security gap.
I really dont understand why this isnt the first line of any statement on the issue. BMW did the right thing here. They thought they had a problem, so they worked with an outside entity to confirm. And when the confirmation came they didnt try to bury it. Thats responsible of them.


That being said, it would be nice if the fix didnt simply involve using typical HTTP encryption.
__________________

Appreciate 1
      01-30-2015, 08:18 PM   #13
Diver
Brigadier General
Diver's Avatar
United_States
506
Rep
3,445
Posts

Drives: Black '12 135i - Sold
Join Date: Nov 2010
Location: Texas

iTrader: (0)

Widely reported. The good news is it can be fixed remotely.
__________________
Appreciate 0
      01-30-2015, 10:14 PM   #14
teamwerx
Private First Class
teamwerx's Avatar
32
Rep
178
Posts

Drives: 2015 M4
Join Date: Nov 2014
Location: Badassville

iTrader: (0)

Quote:
Originally Posted by greekcs
I'd like to find said hacker and offer them money for a remote start feature.
So true
Appreciate 0
      01-31-2015, 02:58 AM   #15
ManiacGT
Major
ManiacGT's Avatar
United Kingdom
87
Rep
1,448
Posts

Drives: Z4 sDrive 35i
Join Date: Jan 2011
Location: Manchester, UK

iTrader: (0)

So, March 2010 cars onwards. In other words combox cars. So pre combox cars are also likely insecure but they can't update those remotely like they can combox cars. So anyone with PRE MARCH 2010 NEWER STYLE IDRIVE is likely STILL AT RISK. Nice.
Appreciate 0
      01-31-2015, 03:05 AM   #16
Ulmi
Enlisted Member
6
Rep
43
Posts

Drives: 1M
Join Date: Jun 2011
Location: Munich

iTrader: (0)

Quote:
Originally Posted by Dackelone View Post
Yes, BMW AG had ADAC conduct "tests" to see IF the connected drive system could be hacked. And it could!!! Then BMW AG asked ADAC not to public with the results of their findings - until BMW could address their vulnerability. BMW AG has come out with an update/patch on Dec 8th. Now ADAC has started to report their findings - while BMW has "fixed" this security gap.
Quote:
Originally Posted by BrokenVert View Post
I really dont understand why this isnt the first line of any statement on the issue. BMW did the right thing here. They thought they had a problem, so they worked with an outside entity to confirm. And when the confirmation came they didnt try to bury it. Thats responsible of them.


That being said, it would be nice if the fix didnt simply involve using typical HTTP encryption.
Do you have any source for your version of the story?
As far as I know, the test was conducted by the ADAC, in order to find out if normal workshop have disadvantages in repairing a vehicle equipped with connected drive.

please don’t turn the story in BMW propaganda style…

„Ein vom ADAC beauftragter Sicherheitsexperte entdeckte eine Lücke“

http://www.heise.de/newsticker/meldu...t-2533601.html
Appreciate 0
      01-31-2015, 10:15 AM   #17
e90-328i
Second Lieutenant
e90-328i's Avatar
Canada
18
Rep
258
Posts

Drives: 2011 328i RWD!
Join Date: Nov 2010
Location: yyz

iTrader: (0)

Quote:
Originally Posted by Ulmi
Quote:
Originally Posted by Dackelone View Post
Yes, BMW AG had ADAC conduct "tests" to see IF the connected drive system could be hacked. And it could!!! Then BMW AG asked ADAC not to public with the results of their findings - until BMW could address their vulnerability. BMW AG has come out with an update/patch on Dec 8th. Now ADAC has started to report their findings - while BMW has "fixed" this security gap.
Quote:
Originally Posted by BrokenVert View Post
I really dont understand why this isnt the first line of any statement on the issue. BMW did the right thing here. They thought they had a problem, so they worked with an outside entity to confirm. And when the confirmation came they didnt try to bury it. Thats responsible of them.


That being said, it would be nice if the fix didnt simply involve using typical HTTP encryption.
Do you have any source for your version of the story?
As far as I know, the test was conducted by the ADAC, in order to find out if normal workshop have disadvantages in repairing a vehicle equipped with connected drive.

please dont turn the story in BMW propaganda style

Ein vom ADAC beauftragter Sicherheitsexperte entdeckte eine Lcke

http://www.heise.de/newsticker/meldu...t-2533601.html
How would I/we know if our car has been updated?
Not that I don't trust car manufacturers,,,, ok, I don't.
__________________
2011 328i RWD Sports 6MT, BMW P/E, aFe Magnum stage 2, AA tune, P3cars gauge, LUX
Appreciate 0
      02-02-2015, 01:21 PM   #18
CP 1///M
Private First Class
Canada
51
Rep
175
Posts

Drives: BSM 1M
Join Date: Aug 2014
Location: Vancouver, BC

iTrader: (0)

Any version number to check for before and after the number in iDrive?
Appreciate 0
      02-02-2015, 07:34 PM   #19
Flying Ace
Lieutenant General
Flying Ace's Avatar
5048
Rep
11,904
Posts

Drives: G05 45e, 997.1 & 991.1 GT3s
Join Date: Jul 2014
Location: SF, CA

iTrader: (5)

The update is carried out automatically as soon as the vehicle connects up to the BMW Group server or the driver calls up the service configuration manually.


So this implies that there is some type of auto update for the new security features. However, on my car, I don't use ConnectedDrive at all. I never have and never will as I don't use an iphone device. How do I get an update in this case?
__________________
Appreciate 0
      02-03-2015, 02:15 PM   #20
CP 1///M
Private First Class
Canada
51
Rep
175
Posts

Drives: BSM 1M
Join Date: Aug 2014
Location: Vancouver, BC

iTrader: (0)

Same here - and my car was from out of province so I don't even know if the SIM works anymore as I never tried it
Appreciate 0
      02-05-2015, 12:19 PM   #21
fecurtis
Banned
United_States
3271
Rep
6,299
Posts

Drives: 2014 BMW 335i M-Sport
Join Date: Jan 2014
Location: Arlington, VA

iTrader: (0)

Didn't they already resolve many of these issues with an OTA update last week?

Plus, someone will look at that article and notice that they use "beemer" instead of "bimmer"...
Appreciate 0
Post Reply

Bookmarks

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off



All times are GMT -5. The time now is 04:04 PM.




g60
Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2024, vBulletin Solutions Inc.
1Addicts.com, BIMMERPOST.com, E90Post.com, F30Post.com, M3Post.com, ZPost.com, 5Post.com, 6Post.com, 7Post.com, XBimmers.com logo and trademark are properties of BIMMERPOST