Slashdot Mirror


How To Hack a BMW: Details On the Security Flaw That Affected 2.2 Million Cars

0x2A (548071) writes BMW recently fixed a security hole in their ConnectedDrive software, which left 2.2 million cars open to remote attacks. Security expert Dieter Spaar reverse engineered the system and found some serious flaws [note: if you'd prefer English to German, try this translation], including using the same symmetric keys in all vehicles, not encrypting messages between the car and the BMW backend or using the outdated DES.

6 of 83 comments

  1. Re: Definition of "Remote Attack" by StevieWonderBoy · Score: 5, Informative

    6,000 cars were stolen this way in London last year. You are wrong. They are selling kits on the ebay that allow you to clone keys.

  2. Re: Definition of "Remote Attack" by Anonymous Coward · Score: 2, Informative

    I recall this whole BMW research started when BMWs were getting stolen off the drives of their owners with what appeared to be a box.
    This video perhaps?:
    https://www.youtube.com/watch?v=HxVO5OVaCkA

    But this was a long time ago, 2012... and BMW still has major security flaws?!

  3. Re: Definition of "Remote Attack" by drinkypoo · Score: 3, Informative

    And it's not just BMW, it's for all kinds of makes and models. Hell, you can go to Dealextreme and buy many unlocking tools, just by searching for unlocking tools. And I'm not talking about the kit of stamped spring steel pieces, either.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

  4. Re: This is why I quit web programming by drinkypoo · Score: 4, Informative

    > A company as big as BMW should be able to hire some security experts, so this should be a bit embarrassing for them.

    > But the truth of the matter is, doing security is not easy.

    No, the truth of the matter is in your first paragraph. Designing and building a car is not easy. Not making complete fucking moron decisions about security is easy, if you hire someone vaguely competent. BMW decided to skip that step to save a few bucks to ensure nice corporate bonuses, and customers suffered. BMW should be on the hook for each car stolen in this fashion, and have to pay complete replacement value, because they failed to make a good-faith effort at security.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

  5. Re: Definition of "Remote Attack" by _merlin · Score: 3, Informative

    You only need physical access to the Commbox from a single car to extract encryption keys that can be used to steal many cars. That's the flaw. The cellular base station emulators are readily available.

  6. they used encryption, hmacs, thought they knew by raymorris · Score: 5, Informative

    > Not making complete fucking moron decisions about security is easy, if you hire someone vaguely competent. BMW decided to skip that step to save a few bucks to ensure nice corporate bonuses, and customers suffered.

    Their developers encrypted the relevant text messages and used hmac to ensure their authenticity, so they thought it was reasonably secure. It's not that they were INCOMPETENT developers, the issue is that none of them were security experts. Because true security, security that can't be broken fairly easily by an expert who then publishes a tool for script kiddies to use, IS hard. BMW's programmers did as much as I'd expect any application programmer to do. It's then time for the security audit, by a truly qualified security person, to catch the kinds of mistakes that the author caught. I work with some very good programmers. Some of them are really good at UI design, some are good at managing large projects, some are very versatile. It's a really good team of professional programmers. I catch security errors they make all the time because I'm the security guy. On the other hand, they have to fix my GUIs to look nice because I'm not good at designing attractive GUIs.
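
The design point raised in comments 5 and 6, as an added example that is not part of the original thread and is not BMW's code: an HMAC only authenticates a message against everyone else who holds the same key, so a fleet-wide key stored in one unit verifies on every other unit, while a per-vehicle key derived from a backend-only master does not. The key values, vehicle IDs, message layout and HMAC-SHA256 derivation below are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample values; not real keys, vehicle IDs or message formats.
FLEET_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
BACKEND_MASTER = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def tag(key: bytes, vehicle_id: str, counter: int, command: str) -> bytes:
    """HMAC-SHA256 over a length-prefixed (vehicle, counter, command) tuple."""
    parts = [vehicle_id.encode(), counter.to_bytes(8, "big"), command.encode()]
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


def vehicle_key(master: bytes, vehicle_id: str) -> bytes:
    """Per-vehicle key derived from a master key that never leaves the backend."""
    label = b"vehicle-key|" + vehicle_id.encode()
    return hmac.new(master, label, hashlib.sha256).digest()


class Vehicle:
    def __init__(self, vehicle_id: str, key: bytes):
        self.vehicle_id = vehicle_id
        self.key = key          # the only secret stored in this unit
        self.last_counter = 0   # monotonic counter rejects replays

    def accept(self, counter: int, command: str, mac: bytes) -> bool:
        expected = tag(self.key, self.vehicle_id, counter, command)
        if not hmac.compare_digest(expected, mac):  # constant-time compare
            return False
        if counter <= self.last_counter:
            return False
        self.last_counter = counter
        return True


def cross_vehicle_acceptance(per_vehicle: bool) -> bool:
    """Does a tag computed with the key stored in unit A verify on unit B?"""
    def key_for(vid: str) -> bytes:
        return vehicle_key(BACKEND_MASTER, vid) if per_vehicle else FLEET_KEY

    a = Vehicle("VEHICLE-A", key_for("VEHICLE-A"))
    b = Vehicle("VEHICLE-B", key_for("VEHICLE-B"))
    mac = tag(a.key, b.vehicle_id, 1, "status")
    return b.accept(1, "status", mac)
```

With per-vehicle keys, the secret recoverable from one unit is scoped to that unit, which is the property a security review of a shared-key design would ask for.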