Saturday, February 7, 2015

BMW Fixes Software Flaw That Would’ve Let Hackers Unlock Doors


Cybersecurity experts have been sounding the alarm about cars’ vulnerability to hacking for years. But it seems that every few months, they are able to provide new anecdotal evidence suggesting that the automotive industry’s efforts at securing data transmissions to and from vehicles has produced lackluster results.
Cybersecurity experts have been sounding the alarm about cars’ vulnerability to hacking for years.

The latest report came from German motorist association ADAC. The group’s researchers told BMW about a flaw in its ConnectedDrive software that would have allowed hackers to remotely unlock the car doors. (ConnectedDrive lets drivers control certain vehicle functions —say, locking doors, and warming the cabin on a cold February day—from their smartphones; it also offers a suite of services and apps including real-time traffic information and restaurant reservations.)

According to Reuters, ADAC researchers were able to simulate the existence of a fake phone network. The BMW cars then attempted to access it, allowing hackers to alter functions activated by the car’s SIM card.

BMW issued a release late last week saying that it had fixed the security hole and noting that roughly 2.2 million Rolls-Royce, Mini, and BMW vehicles had been vulnerable.

BMW says it eliminated the security flaw by simply adding encryption. What? That was it? BMW never bothered to lock that particular door (pun intended)?

For its part, the car company said that even if the flaw had been exploited, a hacker would not have been able to hijack control over steering, acceleration, or braking. What it didn’t address was what other sorts of hijinks a cybercrook could get up to once he or she got in the door.