How To Hack a BMW: Details On the Security Flaw That Affected 2.2 Million Cars
0x2A (548071) writes BMW recently fixed a security hole in their ConnectedDrive software, which left 2.2 million cars open to remote attacks. Security expert Dieter Spaar reverse engineered the system and found some serious flaws [note: if you'd prefer English to German, try this translation], including using the same symmetric keys in all vehicles, not encrypting messages between the car and the BMW backend or using the outdated DES.
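To make the "same symmetric keys in all vehicles" point concrete, here is an added illustration (not code from the article, from Dieter Spaar's research, or from BMW): it contrasts a fleet-wide shared MAC key with per-vehicle keys derived from a master key via HKDF, so that a key extracted from one unit does not verify commands for any other car. The master key, VIN strings, salt/info labels and the "VIN|command" message layout are constructed assumptions for the example.

```python
import hmac
import hashlib

# Constructed values for this example; not BMW's real key material or identifiers.
MASTER_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
VINS = ["VIN-EXAMPLE-0001", "VIN-EXAMPLE-0002"]


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """Minimal HKDF (RFC 5869) with HMAC-SHA256: extract, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        okm += t
        counter += 1
    return okm[:length]


def vehicle_key(master: bytes, vin: str) -> bytes:
    """Per-vehicle key: the backend derives it from the master key and the VIN,
    the car stores only its own derived key (assumed scheme, not BMW's)."""
    return hkdf_sha256(master, salt=b"connected-car-example-v1", info=vin.encode())


def tag(key: bytes, vin: str, command: bytes) -> bytes:
    """HMAC-SHA256 over the target VIN and the command text."""
    return hmac.new(key, vin.encode() + b"|" + command, hashlib.sha256).digest()


def accept(key: bytes, vin: str, command: bytes, t: bytes) -> bool:
    """The head unit's check, using a constant-time comparison."""
    return hmac.compare_digest(tag(key, vin, command), t)


def shared_key_breaks_fleet() -> bool:
    """Weak design: every car holds MASTER_KEY itself. Key material recovered
    from one unit therefore produces tags that vehicle 2 accepts."""
    key_from_vehicle_1 = MASTER_KEY
    t = tag(key_from_vehicle_1, VINS[1], b"UNLOCK")
    return accept(MASTER_KEY, VINS[1], b"UNLOCK", t)   # True: whole fleet exposed


def per_vehicle_key_contains_loss() -> bool:
    """Hardened design: vehicle 2 checks with its own derived key, so a tag
    built with vehicle 1's key is rejected. Loss is contained to one car."""
    key_from_vehicle_1 = vehicle_key(MASTER_KEY, VINS[0])
    t = tag(key_from_vehicle_1, VINS[1], b"UNLOCK")
    return accept(vehicle_key(MASTER_KEY, VINS[1]), VINS[1], b"UNLOCK", t)  # False
```

The same separation argument applies to encryption keys; the example uses a MAC only because authenticity of the command is the property the article's summary mentions.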
Somehow I don't think the definition of "remote attack" is "disassemble the computer, attach all kinds of expensive hardware to analyze communications and firmware, hack into the firmware to retrieve the encryption keys, so only then you can use a base station emulator to trick the car into thinking your remote machine is a BMW firmware server."
The "remote attack" requires physical access, specialized skills, and intense hardware interaction. It is not something that some Romanian skript kiddie can pull off from their mom's basement.
A company as big as BMW should be able to hire some security experts, so this should be a bit embarrassing for them.
But the truth of the matter is, doing security is not easy. Take web programming, for instance. Back when I first learned PHP, I found over and over that whatever design or coding approach seemed most straightforward and intuitive was inherently insecure. All sorts of escaping and manual insertion of encryption functions are required, and that clutters up the code to the point of making it hard to maintain. I did manage to implement most of it in a common PHP file that I reused over and over again, but there was a huge learning curve, and it was a pain. Since then, people tell me that it's gotten a LITTLE better. For instance, database wrappers generate the SQL queries for you and automatically escape strings. But for the most part, it still sucks.
If there were a single best book to read on cyber security, then perhaps we'd have fewer problems like what BMW had. But in reality, to get good at it, you have to have a vast familiarity with the literature and tools. You do that much reading, you might as well get a PhD. And my friends with PhDs focusing on security are in academia, not industry, so we get more security papers but not more secure devices.
dey be in ur car, haxxin
a data bus & a computer screen for environmental/stereo/window/mirror controls.
I don't think I really need a CPU between the brake pedal & the actual brakes.
Or in the steering wheel.
Usually I scoff at the luddites who resist the computerization of everything. But I'm with them here. Computerizing all this crap just adds fail points; it adds NOTHING to the usefulness of the car.
Guess I'll stick with my late nineties cars for a couple more decades.
The problem you describe is with your tools, where "straightforward" and "intuitive" are inherently insecure. You could start by ditching PHP.
The obvious retort is that it's not the tools, but the bad programmers. Some tools are written by those same bad programmers and it's the bad programmers that keep on using the tools. And it should be them that should ditch those bad tools. Which is what I said in the first place: Ditch the bad tools and pick better ones. In the process, you'll have to become a better programmer too. No help for it, so sorry.
BMWs are expensive, BMW drivers tend to be affluent, affluent people can afford good insurance, replacing a stolen car is expensive, insurance companies will charge a higher premium on easily stolen models, affluent people might choose other cars because of high premiums and reduced sales and bad PR will force BMW to improve their security.
In theory, at least, the market response to easily stolen cars puts pressure on the carmaker to improve security.
So; it was a move to HTTPS...
http://grahamcluley.com/2015/0...
Did they bother to fix Heartbleed and POODLE while they were in there, or are they using an old stack, and it's still perfectly possible to implement the attack with a single additional step? In other words, is this a "We must take some action!" fix, or is it a "We must take effective action!" fix?
Root cause of the problem seems to be some rigid adherence to specs and a dim-witted error recovery process. If one mp3 file has a mismatch between its header declaration and its data section, that mp3 can misbehave. OK, I will concede that. But the default action on seeing this mismatch should not be for the whole entertainment module to crash, reboot and rescan the 8 GB memory stick all over again for media files. When it crashes and rescans, Bluetooth does not work. It reminds me of Digital workstations where none of the IEEE exception handlers I installed would work. Their default handler, which is to crash the process and write a coredump, would kick in no matter what I declared as error handler. BMW seems to be using an even more extreme version of this mode.
BMW is our customer, and they buy some engineering design analysis suites that we make in my place of work. I wonder how they will behave if I crash the entire computer every time a BMW engineer feeds incorrect data to our suites.
I am not surprised it has so many vulnerabilities. Anything that crashes this much will fall back to single-user superuser mode and present a console to the attacker sooner or later.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Not making complete fucking moron decisions about security is easy, if you hire someone vaguely competent. BMW decided to skip that step to save a few bucks to ensure nice corporate bonuses, and customers suffered.
Their developers encrypted the relevant text messages and used HMAC to ensure their authenticity, so they thought it was reasonably secure. It's not that they were INCOMPETENT developers; the issue is that none of them were security experts. Because true security, security that can't be broken fairly easily by an expert who then publishes a tool for script kiddies to use, IS hard. BMW's programmers did as much as I'd expect any application programmer to do. It's then time for the security audit, by a truly qualified security person, to catch the kinds of mistakes that the author caught. I work with some very good programmers. Some of them are really good at UI design, some are good at managing large projects, some are very versatile. It's a really good team of professional programmers. I catch security errors they make all the time because I'm the security guy. On the other hand, they have to fix my GUIs to look nice because I'm not good at designing attractive GUIs.
While I do not work for BMW directly, the company I work for does do projects for BMW. One of the projects I worked on was the iOS app which is part of this ConnectedDrive system. :)
To be precise, for the 'old' version of the app (My BMW Remote App) for non-i models we started off with this black box library (CD lib) which handled all the communication with the BMW servers.
While I didn't do any protocol analysis or look at the communication between car and servers, even for this iOS app it was pretty clear to me and my colleagues what the security implications would be if someone were able to obtain log-in data just for that part of the communication.
Depending on the market (America, Europe, Japan, etc.) there are some limitations to what one can do with the app (based on the type of account, IIRC), such as from what range one can see where the car is on a map and whether one can unlock doors with the app or not (not allowed in the US market, from what I recall). Where these limitations are enforced I'm not sure. It might be based on the server, in which case this hack would bypass such limitations as well.
At any rate, this security leak does demonstrate quite succinctly how important it is to properly security audit such systems before releasing them into the wild. Even for the current project I do for BMW (related to the head units), having an active internet connection means that security is essential, including plugging buffer overruns and similar.
Nobody wants to have one's head unit go blank during navigation, in a constant reset cycle, or be turned into a spying device, after all.
Note that I'm still under NDA for all of these projects, so I can't go into much detail.
Site & blog: http://www.mayaposch.com
Like most companies, security is considered a cost, an inconvenience or an afterthought. Looks like there is no one who knows anything about security in the entire chain of designers who came up with this design for the cars. They seem to rely on security by obscurity.
PS, though I've been focused on computer security for twenty years, and before that worked as a locksmith and a private investigator, I STILL make mistakes. I STILL look at things I've done and say "well, that was dumb". I'm still learning, even still taking formal classes while I also serve as an expert consultant for building new courses in security.
My IQ tested as - let's just say "well above average" - so if it were easy you'd think I would have figured it out by now.
Everything is hackable... OnStar that has been in millions of GM cars is just as hackable using the EXACT SAME TECHNIQUES.
So if you have a portable cell site that can spoof a cellular tower the device is looking for, you man-in-the-middle it.
Nothing new here, except that a bonehead programming the whole system is using the same key over and over to make his job easier.
Do not look at laser with remaining good eye.
Which is funny because my 2007 BMW X3 connected with everything, including Nexus 4, HTC M8, etc...
The problem is BMW is pulling a GM and having their own people make the electronics now, and they suck at it. The older telematics modules were far better, same as the Becker/Alpine radio systems.
Agreed, 100%. Further, IF you know what to look for when choosing your expert, rather than hiring them through three levels of middlemen, for a relatively small project you can pay him $500 to have a phone call early in the design phase and show up at a later planning meeting to review the design, then $500 more to review the final code and make adjustments that are minor to do, but have major impact. Of course you can also pay HP $10,000 to send him out. HP will pay TCML $3,000, and TCML will pay the expert who does the work $1,200. Guess how I know THIS. Hint - I didn't read it somewhere.
Also, security isn't just about not getting hacked. Secure systems are systems that continue to operate correctly, even when someone is TRYING to break them. Therefore, the suggestions your security expert makes will improve the reliability of your system in the face of other potential issues, like a flaky cell signal. Making a system keep working even when someone is trying to make it fail means the system is more robust under other circumstances as well.
to drive my old BMW. No need for fancy computers and gadgets in a fucking car.
I have a 2014 X3. The damn thing would not connect to any of my Google Nexus phones via Bluetooth. They have a very limited set of handsets they support. They don't seem to test anything other than iPhone and Samsung. Supposed to connect to 4 phones at the same time. The damn module crashes all the time and forgets previously paired handsets that worked well earlier.
Sorry... I couldn't get past that part. I'm stuck still trying to comprehend why the f**k I'd want or need my phone to connect to my car via Bluetooth, regardless of what make/model phone it was? Can I adjust the A/C and heat from the dash? Gas pedal, brake pedal, shift? Pretty sure I don't need my phone for those - in fact I can't imagine *any* situation where my phone connecting to my car while it's in motion would be anything *other* than a safety problem, because I shouldn't be looking at a damn phone while driving anyways. And, TBH, my passengers don't need to be connecting to my car either IMHO, nor the random stranger in the car on the road next to me.
My 2006 Prius has no trouble connecting to phones. They are all simple, connect to Bluetooth, make a phone call type of connections. BMW tries to connect to the phone, its media storage, call logs, speed dial, everything, at least in the 2014 version. Four phones at the same time. But they assumed there will be a hard disk all the time.
That's a good point, and one that I mentioned in my post which appears just above yours, but not my GP post.
Depending on the complexity of the project, budget, and impact, it sometimes makes sense to engage the expert at three points:
Early planning (might be a conference call)
Late planning (to validate the design/architecture prior to much coding)
Pre-release (to check for any oversights in the actual coding)
Clearly, you are the only person commenting on Slashdot that makes programming mistakes.
In particular, BMW has a history of similar cockups - just search youtube for various "iDrive problems", "Check engine reset" issues, "Engine stalling" issues, etc. Those software problems go back years. The first iDrive implementation from 2002 using Windows CE was a legendary lemon.
It isn't just BMW, though - http://www.edn.com/design/auto...
I had a Renault Clio, and Renault's unreliable electronics are legendary too, even though there it was more a poor design than necessarily bad code. But you will never know - nobody has seen the source code of the firmware in many of the control units. Often not even the manufacturer has it - it is outsourced and subcontracted, even for critical systems like ABS or ECU.
And I am pretty sure that this is an industry-wide problem - the same control units are in many cars, especially today with all those shared platforms and alliances between manufacturers.
If someone is thinking about drive-by-wire cars (Nissan, uses a safety clutch to be legal atm, but they have publicly announced a push to go fully by wire http://www.caranddriver.com/fe...) or the recent idea about the OTA updates in this sort of cesspit of horrid and unaccountable code, they must be insane.
The main application for piping your phone through your car audio is that phone calls are clearer, and you get access to your audio books, music, or online newspapers that have an audio stream. In other words, making sure that your car system isn't obsolete 3 years after you buy it requires a tethering mechanism. And bluetooth is the simplest one out there.
Those who can, do. Those who can't, sue.
Serious question: Am I alone in the thought that modern "infotainment" systems built into new cars are generally not useful items to have?
My own horror story involved borrowing a friend's Ford Flex to make a delivery of communications gear that wouldn't fit in my old BMW 325i: I tried, eyes-off-road, to get my then-current Droid 4 to sync with the Ford Sync, only to find that I had to stop the car first. I tried for a total of about 40 minutes. It should've just said "Hey, asshole: Stop the car and try again." Instead, we (it and I) just went through a long series of byzantine loops that had no indicators that seemed to lead toward success before I happened to fiddle with it while actually stopped.
So, the stuff barely works. And I wouldn't even have cared, if Ford's POI database had the location of a Wal-Mart built in...a Wal-Mart that had been standing for over a half-decade before the vehicle was built.
And, the price: I myself can do a very elaborate custom install, or pay someone else to do a somewhat basic custom install for that sort of cash.
These days, what merit is there to automotive electronics that is not superseded by a cheap 6" tablet stuck on the dash, tethered to a cheap data plan on a wireless hotspot? Or made to automatically arise from the dash, as a theft deterrent? $3-4k buys a -lot- of 3D printed parts...and maybe the 3D printer to print them.
Plug in a big flash drive and a good DAC with USB OTG, add amplifiers and speakers (there is already room for them, if the factory stuff doesn't exist), and call it a day.
What am I missing? (other than: The rest, as they say, is only software.)
Kid-proof tablet..
They did exactly the same thing with in-dash radio, till finally SAE defined standard connections and aftermarket cassette players flooded the market. One car maker will break ranks, Tesla has already done it, and just install a 10 inch tablet or provide a niche to place a Bring-Your-Own-Tablet prominently in the dash. Some standard protocols to allow dedicated buttons in the wheel or the dash to send commands to the tablet... that will become a selling feature of that car model. Soon all manufacturers will be forced to stop trying to sell us $1800 nav packs and $200 map DVDs. Till then we have to put up with this crap. Or with the rise of 3D printing we might get a snap-on module for the specific model of the car that accepts a 6-inch or a 10-inch tablet and a dedicated "map/music/play/pause/skip/voice-command-phone/voice-command-map" button keyboard to be stuck in a convenient place.
Free market will send price signals. Till the signal is heard and reacted to, it sucks to be on the receiving end.
When I researched a new car last summer, I looked for safety features like collision avoidance, blind spot, adaptive cruise control, lane switch detection. Most of the cars had all kinds of stuff focused on navigation, entertainment, working with smart phones and supporting hands free phones.
I really love the adaptive cruise control in the car I got. It scales down to stop the car when I'm going slow and something jumps out. Yes, more of this kind of software!
The voice phone dialing? My Moto-X cell phone was better. I like receiving the hands-free Bluetooth, but for everything else, my phone with a wired earpiece was *way* better. I've considered unpairing the Bluetooth and going back to the earpiece. I'd rather they didn't waste their time developing it. Heck, it doesn't even sync my phonebook!
The GPS is ok, but I prefer the Garmin stand-alone I already had. If I pay a subscription the GPS can do some lame traffic alerts. I didn't find it worth the $ after the free trial was up. Frankly, anything in a car is *not* going to match what Google and other companies can do with cell phones.
Why aren't there things like "If you go 2 mph slower, the next light will be green" or do the speed limit and it will be green. Or speed up, merging onto the interstate at 40 mph is dangerous...