BMW security hack - solution now implemented


Seek

Original Poster:

1,170 posts

201 months

Sunday 8th February 2015
Moderators - might be worth stickying or spinning off into a headline article.

As has been discussed in several threads here - a lot of BMWs were being stolen without the key being present.
My understanding is that there are at least 2 related security issues:
1) remote opening of vehicles without key
2) adding new blank key to vehicle via diagnostics port
This solution resolves issue #1.

The German ADAC has now published a detailed description of the hack and how the car door was being unlocked remotely.

Regrettably the article is in German, however the details are quite interesting so I'll summarize them in English.

Basically the security hole is in the communication between vehicle and BMW server for the ConnectedDrive functionality, specifically the iOS/Android app which supports remote unlocking of the vehicle. Using a portable GSM basestation, the hacker can force the vehicle into communicating with a spoofed server. The vehicle is then instructed to unlock. In case the Connected Drive functionality has been disabled (or not yet enabled), the vehicle can first be instructed to enable Connected Drive.

Supposedly BMW has now sent a remote update via SMS to all vehicles concerned which implements improved encryption between vehicle and BMW server for Connected Drive. However, if a BMW has been out of GSM network reception (e.g. underground parking garage or most areas in Wales) or had its battery disconnected, then the update SMS may not have been received by the vehicle.

It is not possible for the vehicle owner to verify if the vehicle has received this update SMS, however a German hotline number is listed where verification can take place (+49 89 1 25 01 60 10).

Alternatively, a forced update can be triggered via the vehicle menu -> Update Services.
http://www.bmw.com/com/en/owners/service/teleservi...

Impacted are all models with Connected Drive produced between March 2010 and December 8, 2014.

BMW
1-Series including Cabrio, Coupé and Touring (E81, E82, E87, E88, F20, F21)
2-Series Active Touring, Coupe and Cabrio (F22, F23, F45)
3-Series including Cabrio, Coupe, GT, M3 and Touring (E90, E91, E92, E93, F30, F31, F34, F80)
4-Series Coupe, Cabrio, GranCoupe and M4 (F32, F33, F36, F82, F83)
5-Series including GT and Touring (F07, F10, F11, F18)
6-Series including Cabrio and GranCoupe (F06, F12, F13)
7-Series (F01, F02, F03, F04)
I-Series I3 (I01), I8 (I12)
X-Series X1 (E84), X3 (F25), X4 (F26), X5 (E70, F15, F85), X6 (E71, E72, F16, F86)
Z-Series Z4 (E89)

Mini
3-door and 5-door (F55, F56)

Rolls Royce
Phantom including Coupé and Drophead Coupé (RR1, RR2, RR3)
Ghost (RR4)
Wraith (RR5)

In Germany 423.000 vehicles are impacted, in Europe 1.2 million vehicles and worldwide 2.2 million vehicles.

In vehicles produced after December 8, 2014 this security hole has been resolved according to BMW.

As mentioned, existing vehicles with Connected Drive have been automatically updated by BMW via GSM network in the period up to 31 January 2015. No workshop visit is necessary as no hardware or software upgrade is required.

Hope this helps - I'd be happy to thrash out a more detailed article if required.


ETA: added clarification on the keyless theft issues
ETA: added link Update Services

Edited by Seek on Sunday 8th February 16:22

Seek

Original Poster:

1,170 posts

201 months

Sunday 8th February 2015
Fox- said:
No, it is not this issue, especially as the majority of cars being taken without damage to the car didn't have this functionality anyway.
Seek said:
In Germany 423.000 vehicles are impacted, in Europe 1.2 million vehicles and worldwide 2.2 million vehicles.
wavey