BMW Remote Unlock Wasn’t Using Secure HTTP

Ah, the old HTTP versus HTTPS. If you want to keep people out, that trailing ‘S’ should be the first thing you do, especially if you’re trying to keep people out of a luxury automobile. It turns out that BMW screwed up on that one.

BMW has an infotainment feature called ConnectedDrive which builds your favorite apps and services right into the dashboard. You can even unlock the vehicle using this system which is built around a piece of hardware that includes a GSM modem and permanent SIM card. A security research group recently discovered that the commands sent for this system were being pushed over HTTP, the unencrypted sibling of HTTPS. The firm, hired by German automobile club ADAC, disclosed the vulnerability and an over-the-air upgrade has already been pushed to patch the flaw. The patch is described to have “turned on” the HTTPS which makes us think that it was always meant to be used and just configured incorrectly in the roll-out. We’ll leave you to debate that point in the comments. Seriously, how does something like this happen? It certainly sheds a lot more light on thieves being able to magically unlock high-end cars. Was this how they were doing it?

[Thanks Fabian]

32 thoughts on “BMW Remote Unlock Wasn’t Using Secure HTTP

  1. I’m really tired of people treating HTTPS like it’s a panacea.

    HTTPS, in and of itself, will NOT fix many issues that should not have already been fixed. Simply encrypting the channel, especially if it’s a direct channel, doesn’t really do much.

    Yes, if client AND server certificates are used AND CHECKED (how many systems ignore that part causing MITM to be possible?) then you now have AUTHENTICATION, but that’s a byproduct of using HTTPS (really).

    This is such a sore spot because improperly implemented security is WORSE than no security at all. At least with no security you don’t *expect* to be secure. When you simply “flip on” the HTTPS switch but don’t address all of the best practices for *using* HTTPS, you might as well have just left it turned off.

    So here’s the better question – what OTHER authentication was used, and what does simply “flipping HTTPS on” actually do in this particular case? I’m not saying that it doesn’t but I would suspect that if security was already implemented then all this does is make it (trivially) more difficult to spy on the communications.

          1. And how exactly are we going to decipher the encrypted GSM channel? We’re forgetting that this ‘unsecure’ session has an encrypted wrapper that people don’t just ‘sniff’. I’d be impressed alone if someone could even get a GSM pcap. And before everyone starts smarting about IMSI catchers on SDRs, any observation, much less exploitation, goes waaaaay beyond that…

          2. Steps 2 and 3 are actually pretty easy, even if HTTPS is in use, unless OTHER security precautions are taken into consideration (such as what I have already suggested). MITM attacks on HTTPS work more often than you would suspect. Besides, unless the receiver (i.e. car) is validating client certificates, what’s to stop point 3 at all? As long as you understand the protocol (presuming there is an attack vector in the first place) it’s just as easy to open an HTTP connection as it is to open an HTTPS connection.

  2. Good luck with MITM on a GSM network… A used tow truck or a brick would be cheaper. Ohh yeah, you’d need the brick anyway to get the SIMs Ki anyway before you could pull off the MITM…

    1. ^this^ !! thank you ! … Occams Razor has evidently never been heard of by the
      tunnel visioned geeks here, more concerned with theory and complicated rube goldberg
      contrivances – rather than the simplest solution to a situation.

    2. Why is MITM hard on a GSM network?

      I’ve seen cheap SDR-systems with free software that act as a GSM-base-station. At Burning Man a year or two ago they used the system to make their base station. So at least getting the packets doesn’t seem that hard, depending on where the antenna is located. It might be harder if the SIM only allows the car to connect to specific operators. I don’t know if it is possible to spoof the id of the operator with your own base.
      Do GSM/GPRS/EDGE networks encrypts the IP packets all the way to the APN?

  3. Not sure BMW is out of the woods as Telek eludes to. HTTPS just means you are not speaking on a party line; eg. communication is 1 to 1 only. Authentication is layered over that. Presumably one could glean whatever security secrets used for authenticate app to radio over HTTP and still apply them to the HTTPS interface. Unless the car applies authentication to the keys used for HTTPS itself. Given they overlooked the first issue, they may overlook this too.

    One major US auto-maker insisted that the only allowable public key would be contained in a file on a dedicated partition on the radio flash with a single file called (something like) ‘Public_Cert.key’. And they insisted ‘for security reasons’. /forehead_slap

    1. Alan, why would it be wrong. I’m not an expert on the subject, but the public key could be printed on the enclosure for what it’s worth. Are you concerned about the possibility to change files content? Also I’m not sure what do you mean by “only allowable public key” – are we talking about root certificate here?

  4. does it allow access to the rest of the car’s systems ie the various(two?) (can-bus) networks?
    that would be very bad!

    i would chop the antenna off asap, (if only i could afford one first)
    or just disconnect the battery and sell it ;D

  5. How does it happen?

    How does nearly every piece of software, especially in the entertainment/games world, get shipped incomplete and require immediate patching – sometimes not even functioning correctly even then?

    1. It’s quite simple. Time, money, quality – you can at most pick two for any project. Since most products have a marketing strategy scheduled a long time in advance the time is usually fixed. The budget is also set in a meeting a long time before production start and even if not, it’s usually too late to throw more money on the development when the deadline approaches. That’s two out of the three.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.