BMW ConnectedDrive flaw exposes 2 million cars to remote unlocking

News by Max Cooter

A German motoring organisation has highlighted a weakness in BMW's ConnectedDrive technology, a flaw that could lead to unauthorised users being able to open the vehicles.

ADAC, the German equivalent of the AA or the RAC, hired a security expert to see how safe the cars were: the results were not good news for the auto-manufacturer. The anonymous expert found that the company was using DES encryption within its in-car system despite the well-known flaws that have been found in the technology. The experiment, revealed in German security publication C't, showed how a determined hacker could intercept signals between the car and the BMW back-end and open the door without a key.

That wasn't all: the security guru also discovered that BMW was using the same symmetric keys in all its vehicles; that, in some models, there was no encryption in transit; that the internal Combox reveals the Vehicle Identification Number (VIN) through its use of NGTP technology; and that the Combox has no protection against replay attacks.

The security expert points out that there are fixes to most of these issues. For example, facilities to implement encryption in transit are available, but are only used by some ConnectedDrive services. Additionally, the manufacturer individualises the control systems in question by programming in the VIN, so it should be possible to also program unique keys for every vehicle.
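An added example, not code from C't, ADAC or BMW: one way the two fixes implied above can look, with a unique key per vehicle and rejection of replayed messages. The HMAC-SHA-256 key diversification, the message layout, the counter scheme, the master key and the VINs are all assumptions constructed for illustration, and the sketch covers authentication only, not encryption in transit.

```python
import hashlib
import hmac
import struct

# Constructed demo values; a real master key would never leave the back end's HSM.
MASTER_KEY = bytes(range(32))
VIN_A = "WBAEXAMPLE0000001"  # constructed 17-character VINs
VIN_B = "WBAEXAMPLE0000002"
TAG_LEN = 32  # HMAC-SHA-256 output size


def vehicle_key(master: bytes, vin: str) -> bytes:
    """Derive a per-vehicle key so one extracted key does not open every car."""
    return hmac.new(master, b"unlock-v1|" + vin.encode("ascii"), hashlib.sha256).digest()


def make_command(key: bytes, counter: int, action: bytes) -> bytes:
    """Back-end side: 8-byte counter || action || HMAC tag over both."""
    body = struct.pack(">Q", counter) + action
    return body + hmac.new(key, body, hashlib.sha256).digest()


class VehicleReceiver:
    """In-car side: verifies the tag, then insists the counter moves forward."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0  # would be kept in non-volatile storage

    def accept(self, message: bytes) -> bool:
        if len(message) < 8 + TAG_LEN:
            return False
        body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return False
        (counter,) = struct.unpack(">Q", body[:8])
        if counter <= self.last_counter:  # replayed or stale message
            return False
        self.last_counter = counter
        return True


def demo() -> list:
    car = VehicleReceiver(vehicle_key(MASTER_KEY, VIN_A))
    msg = make_command(vehicle_key(MASTER_KEY, VIN_A), 1, b"UNLOCK")
    other = make_command(vehicle_key(MASTER_KEY, VIN_B), 2, b"UNLOCK")
    # fresh message, the same message replayed, a message keyed for another car
    return [car.accept(msg), car.accept(msg), car.accept(other)]
```

A recorded unlock message is rejected the second time it is presented, and a message authenticated under another vehicle's key never verifies.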

The disclosures will be particularly embarrassing for BMW, which claims to be one of the most advanced manufacturers when it comes to car telematics. The company was approached for comment on this story but did not return calls.

According to Ross Dyer, UK technical director at security company Trend Micro, “security can't be an afterthought any longer and companies should work to a ‘privacy by design’ approach.”

Clive Longbottom, senior analyst at Quocirca, has been looking at the implications of the Internet of Things. He says that it's not just an issue for BMW; other manufacturers have had problems too.

Jaguar Land Rover has also had problems, Audis were a major target – not sure if Audi has dealt with it now. And at the lower end, Ford has had issues, and vans such as Mercedes and Transits have also had keyless entry systems broken. He says that the issue with the BMW vulnerability shows that to have a connected car is one thing – it allows problems to be monitored centrally – but says: “the use of two-way interaction is where the real problems start.”

He points out the real possibility that, at some point in the future, a cyber-criminal could take over control of a car remotely, with all the security implications that brings.

Dyer says that manufacturers and users alike should be thinking more seriously about the issue: “questions we should ask ourselves include, how soon will it be before my brand new car is hacked and stopped from functioning unless I pay a ransom? This is not a far-fetched scenario at all and those producing internet connected products must take security seriously and recognise there is a cyber-war raging.”

According to C't, BMW is already looking at fixing the specific issues with ConnectedDrive and newer models will be protected. The consolation for customers, however, is that the BMW hack was not a straightforward brute force attack: it required some highly specialised electronics skills and in-depth knowledge of security techniques.

While there are concerns over connected devices, we're not likely to see Del Boy selling car hacker toolkits down Peckham Market for some time yet.
