Is BMW’s ConnectedDrive Secure? Kaspersky Lab and IAB Find Out

09 Jul 2014

Kaspersky Lab and IAB, Spain’s leading marketing and digital media company, conducted research to provide an overview of the connected car market and the potential threats. The Connected Cars study is based on analyzing BMW’s ConnectedDrive system. The research shows three main areas of potential vulnerability: privacy, software updates and car-oriented mobile apps.

Although the technology of a connected car can be convenient for drivers, there are also risks that could lead to cyber-attacks, accidents or fraudulent maintenance of the vehicle. The connected car today includes access to social networks, email, smartphone connectivity, route calculation and in-car apps, which brings new risks to drivers and makes analyzing the security of this technology even more important.

There are several potential attack vectors with BMW’s ConnectedDrive system. Since the vehicle is registered on BMW’s website, if the driver’s account credentials become compromised through phishing, keylogging or social engineering tricks, it could result in unauthorized third-party access to user information and to the vehicle itself.

Other potential attack vectors discovered during the study include:

Mobile Application: If the driver activates the mobile remote opening services, they could become vulnerable if the driver’s phone is stolen and the application is not secured. With a stolen phone it would be possible to modify the application’s local database and bypass any PIN authentication, making it easy for a cyber-attacker to activate remote services.

Bluetooth Updates: Bluetooth drivers are updated by downloading a file from the BMW website and installing it from a USB drive. This file is neither encrypted nor signed, and it stores information about the internal systems running on the vehicle. This could give a potential attacker knowledge of the vehicle’s internals, and the file could also be modified to run malicious code.

Communications: Some functions communicate with the SIM inside the vehicle using SMS. Breaking into this communication channel makes it possible to send ‘fake’ instructions, depending on the operator’s level of encryption. In a worst-case scenario, a criminal could replace BMW’s communications with his/her own instructions and services.

Vicente Diaz, Principal Security Researcher at Kaspersky Lab, was responsible for developing a proof of concept to analyze the safety implications of connecting these cars to the Internet. He explains, “Connected cars can open the door to threats that have long existed in the PC and smartphone world. For example, the owners of connected cars could find their passwords are stolen. This would identify the location of the vehicle, and enable the doors to be unlocked remotely. Privacy issues are crucial and today’s motorists need to be aware of new risks that simply never existed before.”