BMW security hack - solution now implemented


Seek (Original Poster)
Sunday 8th February 2015
Moderators - might be worth stickying or spinning off into a headline article.

As has been discussed in several threads here, a lot of BMWs were being stolen without the key being present.
My understanding is that there are at least 2 related security issues:
1) remote opening of vehicles without key
2) adding new blank key to vehicle via diagnostics port
This solution resolves issue #1.

The German ADAC has now published a detailed description of how the hack unlocked the car door remotely.

Regrettably, the article is in German; however, the details are quite interesting, so I'll summarize them in English.

Basically the security hole is in the communication between vehicle and BMW server for the ConnectedDrive functionality, specifically the iOS/Android app which supports remote unlocking of the vehicle. Using a portable GSM basestation, the hacker can force the vehicle into communicating with a spoofed server. The vehicle is then instructed to unlock. In case the Connected Drive functionality has been disabled (or not yet enabled), the vehicle can first be instructed to enable Connected Drive.

Supposedly BMW has now sent a remote update via SMS to all vehicles concerned, which implements improved encryption between vehicle and BMW server for Connected Drive. However, if a BMW has been out of GSM network reception (e.g. an underground parking garage or most areas in Wales) or had its battery disconnected, then the update SMS may not have been received by the vehicle.

It is not possible for the vehicle owner to verify whether the vehicle has received this update SMS; however, a German hotline number is listed where verification can take place (+49 89 1 25 01 60 10).

Alternatively, a forced update can be triggered via the vehicle menu -> Update Services.
http://www.bmw.com/com/en/owners/service/teleservi...

Impacted are all models with Connected Drive produced between March 2010 and December 8, 2014.

BMW
1-Series including Cabrio, Coupé and Touring (E81, E82, E87, E88, F20, F21)
2-Series Active Touring, Coupe and Cabrio (F22, F23, F45)
3-Series including Cabrio, Coupe, GT, M3 and Touring (E90, E91, E92, E93, F30, F31, F34, F80)
4-Series Coupe, Cabrio, GranCoupe and M4 (F32, F33, F36, F82, F83)
5-Series including GT and Touring (F07, F10, F11, F18)
6-Series including Cabrio and GranCoupe (F06, F12, F13)
7-Series (F01, F02, F03, F04)
I-Series I3 (I01), I8 (I12)
X-Series X1 (E84), X3 (F25), X4 (F26), X5 (E70, F15, F85), X6 (E71, E72, F16, F86)
Z-Series Z4 (E89)

Mini
3-door and 5-door (F55, F56)

Rolls Royce
Phantom including Coupé and Drophead Coupé (RR1, RR2, RR3)
Ghost (RR4)
Wraith (RR5)

In Germany 423,000 vehicles are impacted, in Europe 1.2 million vehicles and worldwide 2.2 million vehicles.

In vehicles produced after December 8, 2014 this security hole has been resolved, according to BMW.

As mentioned, existing vehicles with Connected Drive have been automatically updated by BMW via the GSM network in the period up to 31 January 2015. No workshop visit is necessary, as no hardware or software upgrade is required.

Hope this helps - I'd be happy to thrash out a more detailed article if required.


ETA: added clarification on the keyless theft issues
ETA: added link Update Services

Edited by Seek on Sunday 8th February 16:22
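As an added illustration (not part of the original post, and not BMW's or ADAC's actual protocol, which the thread describes only as gaining "improved encryption"), the Python sketch below shows why a vehicle that acts on commands from whatever server the network delivers it to is exposed to a rogue base station, and how authenticating each command closes that path. It models the two-step sequence described above (enable Connected Drive, then unlock) against a trusting vehicle and an authenticating one; the per-vehicle HMAC key, vehicle identifier and replay counter are constructed for the demo and are assumptions, not details from the ADAC report. A production design would use mutually authenticated TLS to the backend rather than a hand-rolled MAC; the point is that the vehicle, not the network, must establish who is talking to it.

```python
import hashlib
import hmac
import json

# Constructed sample values for the illustration; not real BMW identifiers or keys.
VEHICLE_ID = "DEMO-VEHICLE-0001"
VEHICLE_KEY = bytes(range(32))   # per-vehicle secret shared only with the genuine backend
ATTACKER_KEY = bytes(32)         # a spoofed server does not hold the key; this guess is wrong


def _canonical(vehicle_id: str, command: str, counter: int) -> bytes:
    """Deterministic encoding of the fields the MAC covers (fixed field order)."""
    return json.dumps({"vid": vehicle_id, "cmd": command, "ctr": counter},
                      sort_keys=True, separators=(",", ":")).encode()


def build_command(key: bytes, vehicle_id: str, command: str, counter: int) -> dict:
    """Server side: tag the command with HMAC-SHA256 under the vehicle's key."""
    tag = hmac.new(key, _canonical(vehicle_id, command, counter), hashlib.sha256).hexdigest()
    return {"vid": vehicle_id, "cmd": command, "ctr": counter, "tag": tag}


class Vehicle:
    """Shared state machine: ConnectedDrive must be enabled before remote unlock works."""

    def __init__(self, vehicle_id: str):
        self.vehicle_id = vehicle_id
        self.connected_drive = False
        self.doors_locked = True

    def _apply(self, command: str) -> str:
        if command == "enable_cd":
            self.connected_drive = True
            return "connected_drive_enabled"
        if command == "unlock":
            if not self.connected_drive:
                return "ignored_cd_disabled"
            self.doors_locked = False
            return "unlocked"
        return "unknown_command"


class TrustingVehicle(Vehicle):
    """Weak design: acts on any well-formed command from whichever server the network supplied."""

    def handle(self, msg: dict) -> str:
        return self._apply(msg["cmd"])


class AuthenticatingVehicle(Vehicle):
    """Hardened design: checks origin (MAC under the vehicle key) and freshness (strictly increasing counter)."""

    def __init__(self, vehicle_id: str, key: bytes):
        super().__init__(vehicle_id)
        self.key = key
        self.last_counter = 0

    def handle(self, msg: dict) -> str:
        expected = hmac.new(self.key, _canonical(msg["vid"], msg["cmd"], msg["ctr"]),
                            hashlib.sha256).hexdigest()
        # constant-time comparison so the check leaks nothing about the key
        if msg["vid"] != self.vehicle_id or not hmac.compare_digest(expected, msg["tag"]):
            return "rejected_bad_tag"
        if msg["ctr"] <= self.last_counter:
            return "rejected_replay"
        self.last_counter = msg["ctr"]
        return self._apply(msg["cmd"])


def demo() -> dict:
    """Replay the spoofed-server scenario against both designs and report the outcomes."""
    spoofed = [build_command(ATTACKER_KEY, VEHICLE_ID, "enable_cd", 1),
               build_command(ATTACKER_KEY, VEHICLE_ID, "unlock", 2)]
    genuine_unlock = build_command(VEHICLE_KEY, VEHICLE_ID, "unlock", 7)

    weak = TrustingVehicle(VEHICLE_ID)
    weak_results = [weak.handle(m) for m in spoofed]

    strong = AuthenticatingVehicle(VEHICLE_ID, VEHICLE_KEY)
    strong_spoofed = [strong.handle(m) for m in spoofed]
    strong.handle(build_command(VEHICLE_KEY, VEHICLE_ID, "enable_cd", 6))  # legitimate enable
    strong_genuine = strong.handle(genuine_unlock)
    strong_replay = strong.handle(genuine_unlock)  # the same message captured and resent

    return {
        "weak": weak_results, "weak_doors_locked": weak.doors_locked,
        "strong_spoofed": strong_spoofed, "strong_genuine": strong_genuine,
        "strong_replay": strong_replay, "strong_doors_locked": strong.doors_locked,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The trusting vehicle enables Connected Drive and unlocks on the spoofed server's say-so; the authenticating one rejects both forged commands, accepts the genuine unlock, and refuses the same message when it is replayed. Note that the fix here is entirely on the vehicle's side and needs no change to the radio path, which matches the thread's observation that the update was delivered over the air with no workshop visit.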

anonymous-user
Sunday 8th February 2015
Haven't they said this problem has been resolved a few times now?

wilwak
Sunday 8th February 2015
Sorry if this is obvious but can we trigger this ourselves ...

"10). Alternatively, a forced update can be triggered via the vehicle menu -> Update Services."

Mine is kept at a location with no mobile signal (Home!) so if I drive to a point with a signal can I force the update myself?

Thanks. :-)

Fox-
Sunday 8th February 2015
This is a completely different problem - this is NOT the keyless theft issue this is a potential issue with ConnectedDrive.

blade7
Sunday 8th February 2015
I contacted Ford and asked them what they were going to do about the OBD related theft issue; the impression I got is nothing mad.

wilwak
Sunday 8th February 2015
Seek said:
wilwak said:
Sorry if this is obvious but can we trigger this ourselves ...

"10). Alternatively, a forced update can be triggered via the vehicle menu -> Update Services."

Mine is kept at a location with no mobile signal (Home!) so if I drive to a point with a signal can I force the update myself?

Thanks. :-)
That's how I understand it.
Great thanks.

I assume there is an "Update Services" option somewhere in the IDrive menu system then??? :-/

Fox-
Sunday 8th February 2015
Seek said:
In most of the keyless thefts the car was being opened without any damage to the car. That is this issue.
No, it is not this issue, especially as the majority of cars being taken without damage to the car didn't have this functionality anyway. This is NOT how thieves were getting into cars in the long-publicised keyless theft issue.

This affects only post March 10 cars whereas the majority of cars pinched using the other method are pre 2010 cars.

It looks like nobody was able to take advantage of this particular issue - ADAC found it, notified BMW and BMW patched it prior to ADAC releasing the report.

Edited by Fox- on Sunday 8th February 16:47

Seek (Original Poster)
Sunday 8th February 2015
Fox- said:
No, it is not this issue, especially as the majority of cars being taken without damage to the car didn't have this functionality anyway.
Seek said:
In Germany 423.000 vehicles are impacted, in Europe 1.2 million vehicles and worldwide 2.2 million vehicles.
wavey

Fox-
Sunday 8th February 2015
Yes, that is the total number of vehicles fitted with ConnectedDrive functionality for which the vulnerability was applicable.

This is a completely different and totally unrelated issue to the keyless theft issue widely reported on PH and in the UK media over the last 3 years. It generally affects a completely different subset of cars: the keyless theft issue is a problem for E series cars with the card-slot type key introduced to market since 2006. These vehicles mostly did not have the BMW ConnectedDrive functionality in question; people were getting into them silently through a combination of blind spots in the alarms and the comfort opening feature on the door lock (which is what BMW's patch disables), not through Connected Drive. Most of the stolen vehicles are older than 2010 and therefore cannot possibly have been accessed using this security flaw.

They must be considered as two totally separate and unrelated issues.

If you read the ADAC report in full you'll find it's something they accidentally happened upon by chance whilst looking at something completely different; there seems to be no evidence to suggest anyone has exploited this vulnerability, and the report was not issued until after they had confirmation BMW had patched it.

Edited by Fox- on Sunday 8th February 18:32