Security experts are not only concerned that researchers found weaknesses inside BMW's Connected Drive remote-services system. They're worried about how the researchers gained entry.
German researchers spoofed a cellular base station and sent fake messages to the SIM card inside a BMW's telematics unit. Once inside, they locked and unlocked the car's doors. Other researchers have demonstrated it's possible to hack into a car and control its critical functions, but what separates this latest exploit from the others is that it was carried out remotely.
In an industry that's just coming to grips with the security threats posed by connectivity in cars, the possibility of a remote breach has been an ominous prospect. The fact it has now occurred may mean a landmark threshold has been crossed.
"It's as close as I've seen to a genuine, remote attack on telematics," said Mike Parris, head of the secure car division at SBD, a UK-based automotive technology consulting company. "At this point, the OEMs are trying to play a game of catch up."
Previous researchers in the automotive cyber-security field have launched remote attacks that are similar in nature, though not the same.
In 2010, academics at the University of California, San Diego, and the University of Washington demonstrated they could remotely control essential functions of a car, but they needed to be within close proximity of the vehicle. In November 2014, researchers at Argus Cyber Security remotely hacked cars through an aftermarket dongle called Zubie plugged into their diagnostic ports. But that remote attack was predicated on the Zubie dongle having first been physically installed in the car.
With the BMW hack, researchers compromised the car without needing physical access or proximity.
The German Automobile Association, whose researchers conducted the BMW study, said it infiltrated the system "within minutes" and left undetected, a feat that raises the possibility that a hacker could do the same in a real-world scenario.
Messages Were Sent Unencrypted
Security analysts described the BMW infiltration as a "man in the middle" attack. Researchers mimicked a cellular base station and captured traffic between the car and the BMW Connected Drive service, which drivers can access and control via an app on their cell phones. When they looked at the commands carried in that traffic, they found them unencrypted, so they copied the "unlock" command and replayed it to an unsuspecting vehicle.
"Your mobile phone would think it's talking to a normal station, but in fact, it wasn't," Parris said. "What I think happened was they decided they wanted to offer this unlock service, and if anybody thought they might need to encrypt this, they just ultimately decided to rely on the security of the mobile network."
While OEMs have been tight-lipped about their security procedures and cringing at the prospect of being hacked, experts said it'd be a mistake to look at this as an isolated incident or one-company problem.
"This Connected Drive system is one of many similar systems, so I can't take it out of the equation that other vendors might be influenced," said Yoni Heilbronn, an executive with Argus Cyber Security, the Israeli company that performed the Zubie hack. "It remains to be seen."
Threat Small-Scale In Nature, At Least For Now
If there's reason for reassurance, it's that a criminal would have needed to infiltrate one car at a time; the affected 2.2 million cars in the BMW fleet couldn't have been unlocked en masse. Organized crime syndicates with eyes on luxury cars like BMWs might have the patience and sophistication to snag the codes for individual cars, as they've done with key fobs before, but it would be a laborious and slow-going process. A common car thief probably couldn't pull it off.
Fortunately for BMW drivers, it was white-hat security researchers – not hackers with criminal or nefarious intent – who discovered the problem. The German Automobile Association, known by the acronym ADAC, tells Autoblog it first stumbled across the security gap while examining another issue. When it delved further into its discovery, it shared its findings with BMW and withheld a public announcement until after the company could issue a software patch that addressed the security gap.
While ADAC said cars in Europe have received the over-the-air software update, BMW has not yet commented on the number of cars affected in the United States or whether they've received the patch.
Telematics Make An Attractive Target
Though the patch strengthens security by encrypting future communications, Parris is concerned the fix doesn't go far enough. Even with encryption, it may still be possible for a hacker to capture the codes and replay them to an unsuspecting vehicle.
"This is clearly a good step forward, but it doesn't address the underlying issue, which is what we saw years ago with the electronic key fobs when they were first introduced," he said. "You don't have to know what the signal was, you just had to replay the signal back. It was a weakness, and that's why they moved to rolling codes. Every time you press your fob now, a different code gets sent. So in this case, even though it's HTTPS, you've still got a problem."
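The two points above (the unauthenticated "unlock" command captured and replayed in the "Messages Were Sent Unencrypted" section, and the rolling-code fix Parris describes) can be shown in a few lines. The following Python model is an added illustration, not ADAC's research code or anything from BMW's Connected Drive implementation; the frame layout, the shared per-vehicle key, the counter scheme and the class names are all assumptions made for this example. It contrasts a car that accepts any well-formed command with one that requires each command to carry a strictly increasing counter authenticated by a keyed MAC, so that a frame captured in the middle is rejected when it is sent a second time.

```python
import hashlib
import hmac
import struct

# Hypothetical per-vehicle secret shared by the car and the backend (assumption, not BMW's).
KEY = b"per-vehicle-secret-key-32-bytes!"
TAG_LEN = 32  # HMAC-SHA256 output length


class PlaintextCar:
    """Accepts any syntactically valid command: the pre-patch behaviour the article describes."""

    def __init__(self):
        self.locked = True

    def receive(self, frame: bytes) -> bool:
        # No confidentiality, no authentication and no freshness check:
        # whoever can capture a frame can send it again.
        if frame == b"UNLOCK":
            self.locked = False
            return True
        if frame == b"LOCK":
            self.locked = True
            return True
        return False


class RollingCodeCar:
    """Requires every frame to carry a counter larger than the last one seen,
    with an HMAC over counter and command, so a replayed frame is rejected."""

    def __init__(self, key: bytes):
        self.key = key
        self.locked = True
        self.last_counter = 0

    def receive(self, frame: bytes) -> bool:
        if len(frame) < 8 + TAG_LEN:
            return False
        signed, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # forged or tampered frame
        counter = struct.unpack(">Q", signed[:8])[0]
        if counter <= self.last_counter:
            return False  # replayed (or stale) frame
        self.last_counter = counter
        body = signed[8:]
        if body == b"UNLOCK":
            self.locked = False
            return True
        if body == b"LOCK":
            self.locked = True
            return True
        return False


class Backend:
    """The legitimate sender: bumps the counter and signs each frame with the shared key."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def build(self, command: bytes) -> bytes:
        self.counter += 1
        signed = struct.pack(">Q", self.counter) + command
        return signed + hmac.new(self.key, signed, hashlib.sha256).digest()


def replay_attack(car, frame: bytes):
    """Attacker in the middle: forward the captured frame once, then send the same bytes again."""
    first = car.receive(frame)
    car.locked = True  # the owner locks the car again (stands in for a legitimate LOCK)
    replayed = car.receive(frame)
    return first, replayed


def demo_plaintext():
    # Constructed frame: the bare command, as an unauthenticated channel would carry it.
    return replay_attack(PlaintextCar(), b"UNLOCK")  # → (True, True)


def demo_rolling_code():
    backend = Backend(KEY)
    return replay_attack(RollingCodeCar(KEY), backend.build(b"UNLOCK"))  # → (True, False)


def demo_tampered():
    # Flipping one bit of the counter invalidates the MAC, so the frame is rejected outright.
    frame = bytearray(Backend(KEY).build(b"LOCK"))
    frame[7] ^= 0x01
    return RollingCodeCar(KEY).receive(bytes(frame))  # → False


if __name__ == "__main__":
    print("plaintext  (first, replay):", demo_plaintext())
    print("rolling    (first, replay):", demo_rolling_code())
    print("tampered frame accepted?  :", demo_tampered())
```

The rejection of the replay depends on the car remembering the last counter it accepted, which is the same idea as a key fob's rolling code; a real deployment would also need a tolerance window for frames lost in transit and a way to re-synchronise, neither of which this toy includes.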
Experts warn the telematics units are attractive targets for cyber attackers because they both communicate with the outside environment and, at least in some cars, connect with parts of a car's internal network that control critical safety functions like braking, steering and acceleration.
ADAC researchers didn't make the leap onto that side of the network. In a written release, BMW noted, "access to functions relevant to driving was excluded at all times."
But ADAC stressed it "has not conducted a full safety review of BMW cars." This study focused specifically on gaining remote access and using a Connected Drive feature. In other words, it's possible that the only reason researchers didn't gain control of critical driving functions was because, in this case, they didn't try.