Hearing about vulnerabilities in your car’s operating system might seem strange. But it’s now something we all need to get used to.
Last January 30, several security loopholes in BMW’s ConnectedDrive system, that could allow potential thieves to unlock doors and track car data using a mobile device, as the security gap may affect the transmission path via the mobile phone network were revealed. This was uncovered during a privacy assessment conducted by the German auto club ADAC, and is believed to affect 2.2 million BMW vehicles worldwide.
According to a statement from ADAC, the vulnerable vehicles were prone to abuse of features like Remote Services (opening doors remotely), tracking the vehicle’s current location and car speed via real-time traffic information (RTTI), enabling and changing phone numbers on the emergency call function, and reading emails via the BMW Online feature in the BMW ConnectedDrive Store.
BMW quickly acted on this finding and have sent out the update to address them. According to their press release, the update is carried out automatically as soon as the vehicle connects up to the BMW Group server and can also be triggered manually. The statement said that they are increasing the security of data transmission in their vehicles as they issued a patch, which would be applied automatically, included encrypting data from the car via HTTPS. Details about the actual security flaws and the patching process have not been published.
(Theoretically) Hacking a Connected Vehicle?
We need to ensure that we don’t jump into conclusions about the actual exploitation of these vulnerabilities without first knowing its full details. The issues raised in the BMW ConnectedDrive security flaws pose a few questions:
- How often is a connection to the BMW server made automatically?
- Wasn’t HTTPS already in use since 2010? Why wasn’t it enabled for the data being sent/received via ConnectedDrive (GSM)? What kind of information could be stolen by an attacker with their own GSM base station?
- Does HTTPS mean SSLv3, TLS 1.0/1.1/1.2? Does this mean the BMW Group server was not checked before? Is it possible that a malicious “firmware” update entered the BMW car then?
- And if the update is silent, how would the car owner know that the vulnerability was fixed? Does this mean the owner has no control what updates BMW is performing on this system?
Getting answers to these questions would definitely shed more light on the severity of the vulnerabilities.
Now, moving away from GSM to Wi-Fi, I will now use Skoda as an example for a theoretical hacking scenario without an actual analysis. Skoda, a Czech carmaker owned by the Volkswagen group recently introduced the car model Skoda SmartGate, which allows certain apps to download car data over Wi-Fi.
The Skoda SmartGate system contains what is in effect a Wi-Fi router that devices can connect to to access car data. The default password is the vehicle identification number (VIN) of the car, which in some countries, can be easily found at the front window. However, WiFi is only on when ignition is on, and SmartGate is an optional equipment, i.e. you have to pay extra for this when buying the car.
According to the owner’s manual (specifically on pages 100-1001), the WiFi network name is “SmartGate_<last-six-digits-of-VIN>.” SmartGate seems to run a web server on http://192.168.123.1/ which provides information of the car and allows some configuration of the SmartGate system. It allows for example to change the default WiFi password, but the password seems to allow only letters (A-Z) and number (0-9), the minimum length is 8 characters, the maximum length is 17 characters. This follows the specification of a VIN, which cannot be longer than 17 characters (given the fact, that a WPA/WPA2 password can be up to 63 letters, it could be considered as a rather short password). SmartGate seems to allow connections without any password, if security is set to “open”, but we strongly advise not to do so.
To locate the car you’re interested in, you can wait until the driver turns on the ignition to see if the Wi-Fi network comes up. Or, you simply ask erWin, or the Electronic Repair and Workshop Information service from Skoda Auto, as it’s able to show the complete configuration/complete list of equipment of a car by entering the VIN.
You need to be registered for that and to query the system for an hour you need to spend 5 EURs. Of course, you need to be in range of that particular car. So is stalking a Skoda car for fun and (probably no) profit something to worry about? It is theoretically possible.
While we’re on this topic, let me mention two other things which popped into my mind when reading the story about BMW ConnectDrive:
First, like in most other industries, the automotive world is moving away from dedicated /specialized/closed networks/bus systems (like CAN bus) to Ethernet/IP-based networks within the car. In the past, the car was completely “isolated”, think of an island which has no connection to the outside world. Nowadays, the car is connected to the outside world via GSM/IP protocol. You can see this from slide 8 of this official BMW presentation, titled Ubiquitous Networking In- and Outside The Vehicle With Ethernet & IP.
Secondly, in the past, radio was just a “stupid” radio. But now, modern infotainment systems are considered computers as well (and, are, of course, integrated more or less in the car network.). Did you know that the Mazda Connect infotainment system allows to connect to it via SSH, even as the “root” user? The password jci seems to be the first lower-case letters of Johnson Controls Inc., the OEM for Mazdas Connect infotainment system.
The modern car is not just a mechanical machine, it is also a computer that is online as much as a smartphone or PC is. Therefore, it is something that users will have to protect moving forward, and car manufacturers should move to secure their products before any real-world attacks become apparent.
Update as of February 6, 2015, 07:12 AM PST
This blog entry was written when the full details were not yet released to the public. Full details on the BMW ConnectedCar vulnerabilities are available now at the following link: http://www.heise.de/ct/artikel/Beemer-Open-Thyself-Security-vulnerabilities-in-BMW-s-ConnectedDrive-2540957.html
Update as of February 7, 2015, 21:42 PM PST
Note that modifications have been made to this entry. We added a paragraph detailing the owner’s manual for clarification.