ADAC to BMW: 'Your Fly is Open'
It would be funny if it weren't so serious, shocking if it weren't so completely unsurprising. The German automobile club, ADAC, discovered a simple vulnerability in BMW's ConnectedDrive system that exposed vehicle data and controls. BMW and ADAC cooperatively announced last week that the problem had been corrected.
BMW had failed to implement even the most basic security measure - HTTPS encryption - thereby enabling ADAC to access BMW vehicles with embedded SIMs associated with ConnectedDrive. The access to the SIM was enabled by creating a fake wireless network to which the cars attempted to connect. The fix was made in BMW's back-end system, thereby avoiding any need to update software code in its vehicles.
You could call what ADAC did a "hack" or a stunt. It's an approach used by law enforcement and criminals around the world and sufficiently common to be alarming.
(There are those who suggest that the ADAC hack was more complex and that the BMW security shortcomings were more severe - some of which may have yet to be resolved. Details here: https://tinyurl.com/o4z3nzs - c't magazin - 'Beemer, Open Thyself! - Security vulnerabilities in BMW's ConnectedDrive')
ADAC detailed the affected vehicles and recommended broader testing of all cars and proper certification for all car makers. No such required testing or certification exists.
"ADAC demands state-of-the-art protection of in-car computer technology against manipulation and illegal access," noted an ADAC representative. "Such protection must be based on standards long since operative in other industries (e.g. IT industry).
"Moreover, said protection needs to be confirmed by an impartial body, e.g. via Common Criteria certification through the Federal Office for Information Security (BSI) in Bonn, Germany – or related organizations in other countries (refer to www.commoncriteriaportal.org)."
Why ADAC?
Perhaps the most interesting aspect of the entire affair is that ADAC was probing BMWs for diagnostic data identifying scheduled or unscheduled service or repair opportunities. "ADAC commissioned an external expert to analyse the information which vehicles transmit to the manufacturer via BMW Connected Drive when an inspection or repair is due. The objective was to determine whether independent workshops might be at a disadvantage and whether ADAC should step in to protect consumer interests."
So, ADAC discovered the vulnerability in the process of trying to preserve the right-to-repair privileges of independent repair shops. ConnectedDrive and other such embedded connectivity systems from car makers are perceived as giving OEM dealers an unfair advantage in servicing their cars.
Says ADAC: "Although this was never intended, the investigations revealed security loopholes, prompting the publication of the findings."
BMW was fairly blasé about the matter. My contacts at BMW brushed it off as a well-known problem that amounted to nothing more than an oversight. The greatest risk posed by the vulnerability was that it made the cars easier to steal.
There are a few key takeaways to this incident:
- How did BMW miss this vulnerability?
- How come BMW's suppliers failed to uncover this vulnerability?
- How and when will governments take on the responsibility for certifying vehicle security?
- Shouldn't we resolve the certification of vehicle security before we allow autonomous vehicles onto public roadways?
- What are the implications for the broader universe of connected things?
- Are cars a special case requiring a level of certification that is not relevant to other devices?
- Is ADAC (and by extension all auto clubs in markets around the world) getting into the vehicle security certification business? Is ADAC a whistle-blower? Or is ADAC intending to extend its testing to all connected cars?
The ADAC hack definitely has a your-fly-is-open quality to it. But the implications are serious.
Car makers have repeatedly demonstrated their inability to comprehend the nature and scope of the vehicle security issue. Companies such as Red Bend, BlackBerry and OpenSynergy have solutions and those solutions are seeing wider application.
But the problem is pervasive, touching multiple systems and points of access on cars and requiring multiple layers of protection. In and of itself, this suggests that certifying security will be no easy process. Nevertheless, BMW's open-fly problem reveals a massive industry blind spot that must be corrected.
OnStar Hacking Update:
I have to correct an impression I left in a previous blog that GM's OnStar had never been hacked. OnStar was hacked about five years ago and has since corrected its vulnerability. Details:
https://www.nytimes.com/2011/03/10/business/10hack.html?_r=1&
https://www.autosec.org/pubs/cars-usenixsec2011.pdf
Automotive Director at Mediamobile
9 years ago: A popular phrase in UK English is "flying low without a license" ...
CEO Carsulting GmbH
9 years ago: If you are interested in a certified automotive telematic-system take a look: https://www.amv-networks.com/en/vehicle-real-time-data-management/news/Verleihung-des-EuroPriSe-Zertifikats_701
CEO Carsulting GmbH
9 years ago: Porsche Holding Salzburg enters into the area of Connected Car. Base is AMV System, certified with "European Privacy Seal"! https://www.bloomberg.com/research/stocks/private/snapshot.asp?privcapId=5870074
I wrote brilliant ideas on Future Car Features. Self Employed, Duty manager Hotels, design judgement, fine art, voice acting & manufacturing
9 years ago: I have almost done a job on features of a future hi-tech car and am finding the way to launch, but still I am not successful.
I wrote brilliant ideas on Future Car Features. Self Employed, Duty manager Hotels, design judgement, fine art, voice acting & manufacturing
9 years ago: Through your article many got information which is Big B's initiative connection via SIM.