Researchers at the ADAC, the large German automobile association, have discovered an unfortunate security flaw in the BMW ConnectedDrive embedded system. The fault concerns all vehicles the group equipped with the system between March 2010 and December 2014.
In theory, a few minutes and a mobile phone were enough to open a BMW, a Mini or even a Rolls-Royce. BMW says the patch was rolled out discreetly over the air (OTA) and that the vehicles concerned, some 2.2 million of them, are now protected against car thieves. The manufacturer will carry out no recall at dealerships.
A patch rolled out before the security flaw was made public
The vulnerability publicly disclosed by BMW and the ADAC affects 423,000 cars in Germany, 1.2 million in Europe and 2.2 million worldwide. A rather embarrassing flaw for a manufacturer whose group includes the Rolls-Royce brand. The affected models include the BMW 1 to 7 Series, all three- and five-door Minis, and the Rolls-Royce Phantom, Ghost and Wraith. While BMW asserts that no function related to vehicle safety was potentially exposed to hackers, ConnectedDrive gave them access to all functions tied to the onboard computer, including unlocking the doors. To exploit the flaw, an attacker would set up a fake GSM network, intercept the on-board system's communications and carry out a "man in the middle" attack. The hole has now been closed by a security patch that finally uses HTTPS to secure the exchanges between the vehicle and the BMW ConnectedDrive servers.
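The weakness described above is a telematics unit talking to its backend in cleartext over a cellular link it cannot trust, which is exactly what a fake base station exploits; the fix is to authenticate the far end. The following is an added example, not code from BMW, the ADAC or the article, of the client-side checks such a unit should enforce: refuse anything but HTTPS to an allow-listed host, use a TLS context that verifies the chain and hostname, and pin the backend certificate's fingerprint so that even a mis-issued certificate is rejected. The hostname, the certificate bytes and the pins are constructed placeholders.

```python
"""Added example: client-side checks for a vehicle telematics unit so that a
rogue base station cannot impersonate the backend. Illustrative code, not the
manufacturer's; the hostnames, certificate bytes and pins are constructed."""
import hashlib
import ssl
from typing import Dict, Optional, Set
from urllib.parse import urlparse

# Constructed allow-list of backend hosts (assumption, not from the article).
ALLOWED_BACKENDS = {"connecteddrive.example.test"}


def validate_backend_url(url: str) -> str:
    """Reject anything that is not HTTPS on port 443 to an allow-listed host.

    Over the air the unit cannot tell a genuine base station from a fake one,
    so it must never fall back to cleartext HTTP, whatever the network offers.
    """
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ValueError(f"cleartext or unknown scheme refused: {parts.scheme!r}")
    if parts.hostname not in ALLOWED_BACKENDS:
        raise ValueError(f"unexpected backend host: {parts.hostname!r}")
    if parts.port not in (None, 443):
        raise ValueError(f"unexpected port: {parts.port}")
    return parts.hostname


def url_is_acceptable(url: str) -> bool:
    """Boolean wrapper around validate_backend_url for callers that just gate."""
    try:
        validate_backend_url(url)
        return True
    except ValueError:
        return False


def hardened_tls_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Context that verifies the chain and the hostname, TLS 1.2 or newer only."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as lower-case hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned_fingerprints: Set[str]) -> bool:
    """Certificate pinning: the presented leaf must match a provisioned pin.

    A man in the middle holding a certificate from a rogue or compromised CA
    would pass chain validation for the right name but still fail this check.
    """
    return cert_fingerprint(der_cert) in pinned_fingerprints


def check_peer(sock: ssl.SSLSocket, pinned_fingerprints: Set[str]) -> None:
    """Call right after the handshake: fetch the peer's DER cert and enforce the pin."""
    der = sock.getpeercert(binary_form=True)
    if not der or not pin_matches(der, pinned_fingerprints):
        raise ssl.SSLError("backend certificate does not match the provisioned pin")


def demo() -> Dict[str, bool]:
    """Run the checks against constructed inputs (no network needed)."""
    # Constructed stand-ins for the backend's DER certificate and an impostor's.
    genuine_der = b"constructed-bytes-standing-in-for-the-real-backend-cert"
    impostor_der = b"constructed-bytes-standing-in-for-a-mitm-cert"
    pins = {cert_fingerprint(genuine_der)}
    return {
        "https_to_backend_ok": url_is_acceptable("https://connecteddrive.example.test/api/v1/doors"),
        "plain_http_refused": not url_is_acceptable("http://connecteddrive.example.test/api/v1/doors"),
        "unknown_host_refused": not url_is_acceptable("https://evil.example.test/api/v1/doors"),
        "genuine_cert_pinned": pin_matches(genuine_der, pins),
        "impostor_cert_rejected": not pin_matches(impostor_der, pins),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
```

In practice the pin set would be provisioned at manufacture and rotated with a signed update before the backend certificate expires; pinning without a rotation path is how units get bricked rather than protected.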
The ADAC informed the German manufacturer and the Kraftfahrt-Bundesamt (KBA), the federal transport authority, before informing the public, leaving BMW time to roll out its patch. Would the manufacturer have communicated about this security flaw if the ADAC had not brought the matter into the open?
Translation: Bing Translator
"BMW fixes security flaw in its in-car software", Reuters, January 30, 2015
"Vom ADAC aufgedeckt – weltweit 2,2 Millionen Fahrzeuge betroffen" (Uncovered by the ADAC: 2.2 million vehicles affected worldwide), ADAC