Assessment of BMW Door Lock Security Updates

There has been positive news in automotive cyber safety lately. BMW announced that they have fixed a flaw in over 2.2 million of their cars, silently and remotely. The flaw allowed someone other than the driver to unlock the car remotely through the ConnectedDrive system. BMW pushed out an update over the mobile data network to the affected vehicles, and detailed further security measures they have taken to protect against accidents and adversaries.

The German Automobile Association (ADAC) investigated the cyber security of several BMW models and discovered six security flaws in the design and implementation of the ConnectedDrive software. They disclosed their research to BMW, who collaborated with ADAC researchers to understand and develop a fix for the two most critical flaws. BMW remotely updated its customers' vehicles, adding HTTPS encryption and server authentication checks, so that the car now authenticates the backend before exchanging data with it. BMW then announced the details of what they found, how they fixed it, and what other measures they have already taken to protect the safety of drivers, passengers, other vehicles, pedestrians, etc.
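The fix described above, shown as an added example rather than code from BMW, ADAC or the ConnectedDrive system: a TLS client configuration with the weakness ADAC reported (the server is never authenticated, so anyone between the car and the backend can impersonate it) beside a hardened configuration that encrypts the link and verifies the server's certificate, plus a small audit routine that flags the weak settings. The host name, the path and the option of trusting only a fleet operator's private CA are assumptions for illustration.

```python
import http.client
import ssl
from typing import List, Optional


def weak_update_client_context() -> ssl.SSLContext:
    """Client context with the class of weakness ADAC reported: any certificate
    (or none) is accepted, so a rogue base station or proxy can pose as the
    backend. Shown for contrast only; never ship this."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                               # must be off before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE                          # server identity never checked
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED   # legacy protocol versions allowed
    return ctx


def hardened_update_client_context(ca_pem: Optional[str] = None) -> ssl.SSLContext:
    """Client context equivalent to the fix BMW describes: encrypt the link and
    authenticate the server before anything is sent or accepted.

    ca_pem, if given, is the PEM text of the operator's own CA. Trusting only
    that CA instead of every public root is an assumed fleet design choice,
    not something the BMW announcement states."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED      # reject unverifiable certificates
    ctx.check_hostname = True                # certificate must match the server name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_pem is not None:
        ctx.load_verify_locations(cadata=ca_pem)   # trust only the operator's CA
    else:
        ctx.load_default_certs()                   # otherwise the system trust store
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the weaknesses found in a client TLS context. An empty list means
    the context authenticates the server and refuses legacy protocol versions."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the server name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions are accepted")
    return findings


def fetch_vehicle_config(host: str, path: str, ctx: ssl.SSLContext,
                         timeout: float = 10.0) -> bytes:
    """Fetch a resource from the backend over TLS. With the hardened context a
    forged or self-signed certificate aborts the handshake with
    ssl.SSLCertVerificationError; with the weak context it silently succeeds.
    (Not exercised below: it needs a live server.)"""
    conn = http.client.HTTPSConnection(host, context=ctx, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        if resp.status != 200:
            raise RuntimeError(f"backend returned HTTP {resp.status}")
        return resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    # Hypothetical backend name; only the context audit runs offline.
    BACKEND_HOST = "telematics.example"
    for name, ctx in (("weak", weak_update_client_context()),
                      ("hardened", hardened_update_client_context())):
        print(f"{name} client for {BACKEND_HOST}: "
              f"{audit_client_context(ctx) or ['no findings']}")
```

The audit is the kind of check that belongs in a build or code-review step: a context that reaches CERT_NONE or check_hostname=False in a production client is exactly the "solved for decades" problem discussed below, and it is easier to catch in the tree than in the field.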

This is a big, positive step forward for cyber safety in automobiles. First, it shows that remote attacks against vehicles are still real threats, as security researchers demonstrated in 2010 and 2011. Second, it establishes the benefits of working with third-party technical experts, as well as the willingness of automobile manufacturers to engage security researchers acting in good faith. Third, it demonstrates the clear benefits of secure, remote update capabilities to shorten exposure time, reduce costs, and preserve customer confidence. Fourth, BMW gained credibility with customers and regulators by discussing the steps they have taken. Consequently, taking cyber security seriously has given BMW a PR boost.

Despite these positive steps, some concerns remain. The problems ADAC researchers discovered, and that BMW subsequently fixed, have had well-known solutions for decades: encrypting the transport and authenticating the server are standard practice. It is concerning that the ConnectedDrive team either did not know about these potential issues or chose not to apply the fixes at the time. Newer vehicles were found to have better safeguards around ConnectedDrive, but the two improvements BMW recently pushed out were not among them. The presence of these flaws to begin with, and the continued use of flawed software designs, also raises a question about the thoroughness and adequacy of internal processes and decision-making. Further, BMW did not say how critical vehicle systems (such as braking, steering, and acceleration) are safeguarded from a compromise of ConnectedDrive or other systems. Perhaps ADAC or other security researchers could investigate those potential issues in a similar way.

The following table is an overview of this story through the lens of I Am The Cavalry’s Five-Star Automotive Cyber Safety Framework, released six months ago. Note that information collected was not complete, so this rating likely does not represent BMW’s full set of cyber safety capabilities.

Framework Capability | BMW Capability Demonstrated | Star Earned
Safety by Design | No public attestation of a Secure Development Lifecycle. No evidence of a sufficiently robust development process. | -
Third-Party Collaboration | Clearly demonstrated their willingness to collaborate with third-party researchers acting in good faith. | Yes
Evidence Capture | No further information about these vehicles' ability to capture logs of system or network activity that could potentially expose further security gaps. | -
Security Updates | Clearly demonstrated their ability to update the ConnectedDrive system in a prompt and agile manner. | Yes
Segmentation and Isolation | No information provided on the physical or logical isolation measures separating critical systems (braking, steering, etc.) from non-critical ones (door locks). | -

In summary, BMW demonstrated capabilities aligned to two of the five stars in I Am The Cavalry’s framework. These capabilities allow BMW to draw upon expertise and experience from those in the cyber security field, and facilitate continual improvement more quickly and inexpensively than other approaches. Issues still remain, but we are far ahead of where we were just a few years ago.

References

  • http://www.autoblog.com/2015/02/03/bmws-connected-drive-feature-vulnerable-to-hackers/
  • http://www.heise.de/ct/artikel/Beemer-Open-Thyself-Security-vulnerabilities-in-BMW-s-ConnectedDrive-2540957.html
  • http://www.adac.de/infotestrat/technik-und-zubehoer/fahrerassistenzsysteme/sicherheitsluecken.aspx (German)
  • http://www.bmw.com/com/en/insights/technology/connecteddrive/2013/
  • http://grahamcluley.com/2015/02/bmw-security-patch/
  • http://www.autosec.org/publications.html
  • https://www.iamthecavalry.org/domains/automotive/5star/
  • https://www.press.bmwgroup.com/global/pressDetail.html?title=bmw-group-connecteddrive-increases-data-security-rapid-response-to-reports-from-the-german-automobile&id=T0202503EN
  • http://www.markey.senate.gov/imo/media/doc/2015-02-06_MarkeyReport-Tracking_Hacking_CarSecurity%202.pdf


Car Hacking Research on OBD II Adapters

A lively thread started today by Wayne Yan on our discussion group. He posted the results of his team’s research into the security of OBD II adapters. You can go to the thread and engage in the discussion, as well as grab the research paper. More videos and information are available from Visual Threat.

The OBD II port is a diagnostic connection to your car's engine computer. Mechanics use it to determine what has gone wrong with the car. When you go for your emissions check, this is the port that provides the engine information. Rental car agencies and insurance companies use it to log driving habits.

Several adapters are now coming to market that carry this diagnostic data over Bluetooth rather than through a wired connection. That's a nice feature for long-term use cases such as logging driving behavior. Except that some of these adapters also allow instructions to be transmitted to the car from a remote device. In other words, if you're driving a rental car fitted with one of these devices, someone else could kill the engine, unlock the doors, open the trunk, etc. It's only a limited set of instructions, but that should still be enough to make people take notice.

The video below demonstrates some of the research.


Position on Disclosure

Over the last couple of weeks we have been working on documenting a position on disclosure. The position explains why research, disclosure and coordination are part of a healthy manufacturing ecosystem. It provides guidance to researchers, manufacturers and other stakeholders on their roles – at a high level – as well as other resources that can be useful.

The position we have outlined is by no means the only perspective that exists. When research can affect human life and public safety, it is especially important for I Am The Cavalry to define a set of specific disclosure and coordination guidelines that we feel capture our outlook. This position follows from our belief that those concerned with public safety and human life should take sufficient care to avoid inadvertently putting them at risk.

Down The Rabbithole Cavalry-esque Discussion

For those of you who don't already listen to it, Down The Rabbithole (DtR) is a long-running podcast hosted by Raf Los (a.k.a. Wh1t3 Rabbit) and James Jardine. Over the holiday weekend I was catching up on it and ran across a great Cavalry-esque episode I thought I'd draw your attention to.

On the April 7th Newscast, Raf and James discussed the end of support for Windows XP and how this will affect life-critical systems. They went beyond the superficial issues and talked about the bad assumptions that have led to decision-making failures for several years in the computer technology space. The true costs, they argue, won't be on the Internet; they'll come when computer security affects humanity. Our inability to accurately predict the future leads to public safety, human life and trust problems.

They also discuss wholly managed devices, such as the Google Nest thermostat. What are the implications of that management? If an update breaks a device what are the ramifications? They also talked about the fact that the updates themselves can be an attack vector, similar to my comments in the BBC article on ghosts in the Internet of Things.

We’re placing ever more trust in those who are behind our connected systems. We are trusting that they are acting in good faith. And we are trusting that their decision making process is sound. Shouldn’t we KNOW that these decisions are worthy of our trust?

BBC Future Story, Featuring The Cavalry


Last week BBC Future published a piece called Internet of Things: The ‘ghosts’ that haunt the machine. The article discusses the potential long-term network congestion that could come about from noisy IoT devices. The Cavalry gets a mention and a quote, in the context of the potential for takeover of the devices, either by targeting the endpoints or by taking over expired domains for update servers, etc.

Once the ghost machine is taken over, the potential for damage is considerable, says Beau Woods, a founding member of I Am The Cavalry, an organisation focusing on protecting the general public from digital attacks. “What could someone malicious do if they could modify or replace the software on the device? This could range from pranks, like funny photos on a fridge screen, to making profits by inserting advertisements on your television, to interception by digitally eavesdropping on your home network, to disablement through wrecking the software on the device, to doing physical damage by overloading the electronics or burning out a motor. In automobiles, medical devices, public transport, airplanes and other more critical systems the damage could be much more severe.”

The story hit the front page of the BBC website, which gave us some good exposure to a global audience.