Cars are becoming more connected each day, and just as with computers, smartphones and other “internet of things” devices, that connectivity makes them targets for hackers. The latest BMWs feature a version of “BMW CONNECTED” that allows the BMW Group’s servers to provide live updates, web connectivity and features such as unlocking or preconditioning of cars. It’s this feature that has been exploited.
The problem was discovered by the Allgemeiner Deutscher Automobil-Club (ADAC), the German motoring association, similar in concept to AAA stateside but more powerful and all-encompassing. The discovered attack took advantage of the remote unlocking feature of BMW’s Connected Drive / MINI Connected. It is reported that the hack was accomplished by reverse engineering the telematics software and then emulating a BMW server. The hack was reported directly to BMW so the necessary precautions could be taken.
BMW has closed the hole and is patching 2.2 million cars via an over-the-air update. The update is reported to now encrypt the data using the HTTPS protocol. It’s a scary thought that the BMW Group programmers did not think to encrypt such a feature to begin with.
While this hack only attacked the lock/unlock feature of the car, it raises the question of what would happen if another feature that could impact driving safety were also hacked, or if this hole also allowed the car to be started. The BMW Group and other automakers need to take notice that cars are now targets of such hacks and that they need to be locked down just like other connected devices.
We can only hope that this is a one-off event and that the BMW Group realizes the cars may be vulnerable in other ways and consults with software security firms to tighten up the code. MINI Connected is no longer a marketing tool or side project; it is a feature of many cars that can be exploited by those not on the up and up.
The Fix
The conversion of the affected vehicles to encrypted communication is being carried out by BMW as an over-the-air software update and should be largely operational by January 31st.
Full list of cars affected
BMW
1 Series Convertible, Coupé and Touring (E81, E82, E87, E88, F20, F21)
2 Series Active Tourer, Coupé and Convertible (F22, F23, F45)
3 Series Convertible, Coupé, GT, Touring and M3 (E90, E91, E92, E93, F30, F31, F34, F80)
4 Series Coupé, Convertible, Gran Coupé and M4 (F32, F33, F36, F82, F83)
5 Series GT and Touring (F07, F10, F11, F18)
6 Series Convertible and Gran Coupé (F06, F12, F13)
7 Series (F01, F02, F03, F04)
i3 (I01), i8 (I12)
X1 (E84)
X3 (F25), X4 (F26)
X5 (E70, F15, F85), X6 (E71, E72, F16, F86)
Z4 (E89)
MINI
Three-door and five-door hatchback (F55 & F56)