430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Hacking

BMW fixes security flaw in 2.2 million car software

A security vulnerability in the BMW Connected Drive system allowed security experts to send remote unlocking instructions to the cars. Modern cars are complex systems composed of several components interconnected by internal networks, each system within these architectures is exposed to the risk of cyber attacks. Recently the German carmaker BMW has fixed a security […]

BMW Ocean Lotus

A security vulnerability in the BMW Connected Drive system allowed security experts to send remote unlocking instructions to the cars.

Modern cars are complex systems composed of several components interconnected by internal networks, each system within these architectures is exposed to the risk of cyber attacks.

Recently the German carmaker BMW has fixed a security flaw that could be exploited by hackers to unlock the doors of the vehicles, it has been estimated that up to 2.2 million BMW, Mini and Rolls-Royce. The company confirmed that officials at German motorist association ADAC had discovered the security flaw, which affects vehicles equipped with the BMW ConnectedDrive software using on-board SIM cards.

“They were able to reverse engineer some of the software that we use for our telematics,” explained Dave Buchko , a BMW spokesman. “With that they were able to mimic the BMW server.”

The system designed by BMW allows the owner of the vehicle to authenticate himself to the car by using a mobile device.

“BMW drivers can use the software and SIM cards to activate door locking mechanisms, as well as a range of other services including real-time traffic information, online entertainment and air conditioning.” reported the Reuters.

The security issue is related to the unsecured transmission of data between the driver and the vehicle, by highlighting that it did not impede the car’s critical functions of driving, steering or braking.

“ADAC’s security researchers were able to simulate the existence of a fake phone network, which BMW cars attempted to access, allowing hackers to manipulate functions activated by a SIM card.” continues the news Agency.

BMW confirmed that there were no news of attacks that exploited the flaw recently fixed to compromise the security of a vehicle. The update process will start from vehicles in the US and will be extended to the other countries progressively.

The security update basically implements HTTPS encryption for the connection between the driver’s mobile device and the BMW car. As explained by the experts the encryption will ensure that the car only accepts connections from a server that will present the correct security certificate.

“BMW said it had taken steps to eliminate possible breaches by encrypting the communications inside the car using the same HTTPS (Hypertext Transfer Protocol Secure) standard used in Web browsers for secure transactions such as ecommerce or banking.” report the Reuters.

BMW Connected Drive flaw 2

The update process is automatic, the ConnectedDrive software will be upgraded when the vehicle connects up to the BMW Group server, anyway driver can also manually update their systems.

“The online capability of BMW Group ConnectedDrive allowed the gap to be closed quickly and safely in all vehicles,” BMW said. “There was no need for vehicles to go to the workshop.”

The security update released by BMW raises the debate on the security level offered by principal car vendors, we have discussed many times of car hacking and possible consequences of a cyber attacks.

Cybersecurity experts have criticized the approach of the automotive industry to the cyber security, explained the numerous way exploitable by ill-intentioned to compromise a vehicle.

The danger, they say, is that once external security is breached, hackers can have free rein to access onboard vehicle computer systems which manage everything from engines and brakes to air-conditioning.

The possible consequences are really serious, an attacker could remotely harm the driver by compromising a vehicle or by implanting a cheap device that could represent the entry point to the vehicle’s network.

It is time to consider security by design for the automotive industry.

Pierluigi Paganini

(Security Affairs –  BMW, car hacking)