Wednesday, February 4, 2015

BMW patches boneheaded security bug

Luxury car manufacturer BMW has rolled out a patch for a security flaw that could have allowed hackers to open the doors of some 2.2 million vehicles.

The issue affects BMW, Mini and Rolls Royce models that come equipped with ConnectedDrive – a technology that allows car owners to access internet, navigation and other services via a SIM card installed directly into vehicles.
Seems that someone could wirelessly unlock the doors. Rather than fussing around with coat hangers and attracting attention to themselves, they could do it from the nearest Starbucks.

And BMW's "Yay, us for patching this so quickly" doesn't impress:
It appears the vulnerability revolved around the insecure transmission of data, as the patch rolled out by BMW appears to have enabled HTTPS. Something you would probably have hoped that BMW’s engineers would have thought about in the first place.

Yes, it’s good that BMW has fixed the problem. But frankly I think they’re being a little disingenuous talking about “rapid response” if this issue was first brought to their attention in the middle of last year.
The update happens automatically via ConnectedDrive, which is a good thing. But still, this is pretty boneheaded.


lelnet said...

"The update happens automatically via ConnectedDrive, which is a good thing"

Over-the-air firmware updates pushed out from a central repository without any user involvement or confirmation, to a system so weak it didn't even support SSL until now? A good thing?

Sure that's the answer you want to stick with? :)

Borepatch said...

It's not ideal, but it scales to a world of non-technical owners. It *has* to be automatic.

But your point is a good one, that there are layers upon layers of fail in this situation.