Identification Security Blog

Opinion: The ConnectedDrive hack could have been prevented

Just a couple weeks ago BMW made headlines when a security research group of the German automobile club ADAC discovered a major security gap in the ConnectedDrive feature. The optional system builds your favourite apps and services into the dashboard of your vehicle and offers additional features like social media integration, Google information for navigation and remote control enabling you to unlock/lock your car or to switch on heating/AC in the vehicle.


Facebook App in the BMW ConnectedDrive (image: BMW)

The researchers from ADAC reportedly created a fake mobile phone network and tricked nearby cars to connect to it. This enabled them to unlock the doors of the car. According to BMW the team had “reverse engineered some of the software that we use for our telematics. With that they were able to mimic the BMW server.”


BMW ConnectedDrive remote control on a Samsung Gear Smartwatch (image: BMW)

Recently we published a post in which we stated that security needs to become an attractive feature of applications and devices which customers want to buy and pay for. In addition we mentioned the benefits of combining hard- and software security technology.
In case of the ConnectedDrive, which is designed with hardware including GSM and a permanent SIMcard, the first mistake was to use HTTP instead of HTTPS encryption for the communication between car and smartphone of the owner. This has been fixed quickly with a software update of the approx. 2 million cars. However one might think: if it’s that easy why wasn’t it implemented in the first place!?

With all the great features of the ConnectedDrive in mind the engineers probably might have forgotten the other, “less exciting” stuff, had no more budget or no more time. The outcome was a very sophisticated system with security issues. If customers as well as the designers would have thought of security features as something attractive and vital for such a system this might have been prevented.

Further it is concerning that it was possible for the research team to read the master key as it was stored in the flash memory. A state-of-the-art solution should use security hardware e.g. a security chip which stores the key safely. Session keys which are generated based on multiple parameters could further improve the security of such an system.
A common challenge that even high-tech companies like BMW seem to have is to create teams with hard – and software engineers who work closely together in order to develop and implement security features in communication systems as this increases costs and overall complexity.


Hardware can help to increase the security of an application significantly

Security chips in combination with EBV’s design support make advanced hardware security solutions accessible even for smaller and medium sized companies.
For help with your next design and tips on how to secure an application contact our EBV Identification team here.