Security Vulnerabilities in BMW ConnectedDrive Portal

[mcvaughan]

Not sure if this has been posted or not, but here goes:

http://thehackernews.com/2016/07/bmw...sj0ao09g1z.qpe

[tdavis42]

Hope they patch this ASAP could turn into something more. This is the curse of an always connected car.

They better come out with at least a stop gap if they don't have software ready to be deployed.

http://jalopnik.com/bmws-can-now-be-...nen-1783371533

[jaye944]

actually this is not as silly as it sounds

I got copped the other day for speeding and I SWEAR I was only doing 100;
cop reckoned I was doing 150

damn car was hacked I tried to tell him, wouldnt believe me

[OutlawX3M]

Quote:

Originally Posted by mcvaughan

Not sure if this has been posted or not, but here goes:

http://thehackernews.com/2016/07/bmw...sj0ao09g1z.qpe

So just trying to shed some light on this one as I work in the IT security field.

So this is a "hack" of the website not the actual vehicle. It's a small distinction since the website connects to the vehicle and offers a path to initiate actions yet one to keep in mind. The weak link in this example is the website, no one has demonstrated a vulnerability via the vehicle itself (yet).

That said, because the website can interact with the vehicle, this is serious and I'm surprised that BMW didn't take a better approach.

I'm wondering what can be done via the Infotainment system on a BMW? I'm not fully versed in the architecture of BMW's control systems/modules to know. Maybe it is critical.... or treat it as critical until we know more?

It all depends on what BMW has exposed via APIs (application programming interfaces) within the infotainment system. In other words, a hacker can only do what's allowed to be done through commands available within the compromised system.

So if the infotainment system doesn't connect to the modules that control the brakes, engine etc, they haven't really done much have they? If it does, like in the case of the Jeep hack, well then we're sunk.

It's the greatest challenge of the "internet of things" and something the auto industry is focusing on. I work for a company that provides solutions for just this type of situation including the internet of things. There's one major auto manufacturer already using our solution to protect their vehicles (they even demo'd using a key fob like Apple Pay - not that I'd want to but hey, cool).

One day we'll get 2 factor access -- the key fob and your smartphone for instance. You'll need both to access the vehicle. Or the key fob is only valet mode unless you have your phone... fingerprint readers on the steering wheel? Why not. The sky's the limit.

I'm hoping BMW gets onboard with us soon... I understand they are looking to replace their existing solution and ours has made the final 2.