
The vulnerability of connected vehicle systems has been a topic that has been marginalized by most automakers, who repeatedly refer to the issue as “having been responded to promptly” and no longer a concern. Far from being the only car company with system security issues, BMW recently found itself having to patch its ConnectedDrive system after the German automobile club, ADAC, discovered a simple vulnerability that allowed remote access to vehicle data and controls.
The club reportedly was looking for evidence of the vehicle’s connected diagnostic system transmitting repair information to the manufacturer in a way that created an unfair advantage to factory repair centers over independent garages. In the process they found that BMW had failed to implement HTTPS encryption on the back end of their system – probably the most basic Internet security move – thus allowing ConnectedDrive to attempt connection to just about anyone willing to spoof the system.
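The "most basic Internet security move" the article refers to is the client authenticating the server before it talks to it. The following is an added example, not code from the article, from BMW or from ADAC: it shows, in Python's standard `ssl` module, the shape of a client that verifies nothing next to one that does, an audit check a reviewer can run over a client's TLS configuration, and an optional certificate pin. The URL, hostname and the pin value are constructed placeholders.

```python
"""Added example (not the article's or BMW's code): server authentication
on a telematics back-end connection, and a check that it is actually on.
All hostnames, URLs and sample bytes below are constructed placeholders."""
import hashlib
import ssl
from typing import Optional
from urllib.parse import urlparse

# Constructed placeholder for the endpoint a telematics unit would call.
BACKEND_URL = "https://backend.example.invalid/telematics"


def client_uses_transport_security(url: str) -> bool:
    """Plain http gives the server no way to prove who it is: whoever can
    answer the connection (DNS, rogue base station, proxy) can stand in for
    the back end. The first check is simply the scheme."""
    return urlparse(url).scheme == "https"


def insecure_context() -> ssl.SSLContext:
    """The shape of a client that 'uses TLS' but verifies nothing: any
    certificate, self-signed or issued for another name, is accepted.
    Included only so the audit check below has something to reject."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """A client that authenticates the server: chain validated against a CA
    bundle (the platform store when ca_bundle is None), hostname matched
    against the certificate, and no protocol older than TLS 1.2."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_acceptable(ctx: ssl.SSLContext) -> bool:
    """Audit check: does this client context actually authenticate the peer?"""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and bool(ctx.check_hostname)
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def pin_for(peer_cert_der: bytes) -> str:
    """SHA-256 of a DER certificate, the value a fleet would ship as its pin."""
    return hashlib.sha256(peer_cert_der).hexdigest()


def cert_pin_matches(peer_cert_der: bytes, expected_sha256_hex: str) -> bool:
    """Optional second layer: even a CA-issued certificate for the right name
    is rejected unless it is the one the fleet expects. peer_cert_der is what
    sock.getpeercert(binary_form=True) returns after the handshake."""
    return pin_for(peer_cert_der) == expected_sha256_hex.lower()


if __name__ == "__main__":
    print("scheme ok:", client_uses_transport_security(BACKEND_URL))
    print("insecure context passes audit:", context_is_acceptable(insecure_context()))
    print("hardened context passes audit:", context_is_acceptable(hardened_context()))
```

The audit function is the part worth keeping: it is cheap to run over every outbound client a unit builds, and it catches the common ways server authentication gets switched off (`CERT_NONE`, `check_hostname = False`, or an old protocol floor) before a release ships.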
In a statement, BMW insisted that “the online capability of BMW Group ConnectedDrive allowed the gap to be closed quickly and safely in all vehicles. Access to functions relevant to driving was excluded at all times. There was no need for vehicles to go to the workshop.” Furthermore, “The BMW Group has responded promptly and increased the security of BMW Group ConnectedDrive, because no cases have come to light yet in which data has been called up actively by unauthorized persons from outside or an attempt of this kind is made in the first place.” We feel better already.
All cars built by BMW, Mini and Rolls-Royce between March 2010 and December 2014 that feature ConnectedDrive are affected, representing approximately 2.2 million vehicles according to reports.
How could BMW have missed this vulnerability? With vehicle system hacking being a major concern among consumers, security and certification would seem to be a primary task of connected system managers in the early engineering stages. And many in the vehicle cybersecurity world believe the vulnerability goes beyond the failure to implement an SSL certificate.
Recent auto industry efforts to appoint cybersecurity executives to specifically tackle connected data security are certainly a move in the right direction. However, the security gap that exists today is real. Automakers must ensure that all potential breaches of data security are identified within their connected systems, perhaps in partnership with companies that specialize in such security.
Even with ironclad security implemented along the connected in-car infotainment and automaker’s off-board cloud processing chain, data privacy and security are still not guaranteed, as the proliferation of connected gadgets generates mass amounts of data that is loosely managed at best. Vehicle drivetrain, safety and driver-assist systems, however, are environments that warrant special protections engineered at the earliest stages of design and development, particularly if we are to realize the promise of self-driving vehicles any time soon. Leadership in the area of vehicle security certification standards is also needed.
One note on the promise of “security rivaling that of online banking” (at least according to BMW): Until we begin using multi-factor authentication as a way to gain permission to secured systems, connected cars will be just as vulnerable to unwanted intrusion as e-commerce sites. We think we can do better than that.
Source: BMW promises drivers security to rival online banking in its connected cars – Computer World U.K.