Security vulnerabilities in BMW’s ConnectedDrive

​A security flaw that could let hackers unlock car doors

Risk Level: Critical Impact


In the middle of the last year, researchers from a German motoring association (ADAC) discovered a security flaw in BMW’s ConnectedDrive system. The system  allows car owners to access internet, navigation and other services via a SIM card installed directly into vehicles as well as alert the emergency services in case of a crash. These app even allow for remote locking and unlocking of the car doors. The researchers were able to unlock the doors of a vehicle remotely by intercepting network traffic from the car to the BMW servers using a fake mobile phone network and use that information to send commands to the car. According to ADAC, hackers would only need a few minutes to open a car from outside without leaving a trace.

Actual Failure



Attacking BMW’s ConnectedDrive

As soon as the owner triggers an unlock in the BMW remote app, the vehicle receives a text message from the BMW servers. The car proceeds to fetch the unlock command from the server and executes it.

  1. Owner triggers unlock in the BMW remote app “Unlock the door”.
  2. Text message “Fetch command”.
  3. The modem in the control unit boots the system.
  4. Data connection via HTTP GET to the BMW servers “Remote Service Command available?”
  5. Data connection: Answering the HTTP GET “Unlock the door”.
  6. Driver-side door is unlocked.

A hacker with a mobile phone base station can open the car door by forging text messages and data connections and sending them to a car without its owner’s knowledge.

According to an ADAC report, ConnectedDrive has the following security vulnerabilities:

  • BMW uses the same symmetric keys in all vehicles.
  • Some services do not encrypt messages in transit between the car and the BMW servers.
  • The car transmits a simple HTTP Get request which is formatted as XML without any encryption with SSL or TLS in transit.
  • The control unit for ConnectedDrive (Combox) discloses the VIN (Vehicle Identification Number) via NGTP error messages.
  • NGTP data sent via text messages is encrypted with the insecure Data Encryption Standard (DES) algorithm that has been considered broken for some time.
  • The Combox does not implement protection to guard against replay attacks.


Up to 2.2 million Rolls-Royce, Mini and BMW vehicles use BMW’s ConnectedDrive were affected by this flaw. The full list of the models is as follows:

  • BMW

    1 Series Convertible, Coupé and Touring (E81, E82, E87, E88, F20, F21)
    2er Active Tourer, Coupé and Convertible (F22, F23, F45)
    3 with Convertible, Coupe, GT, Touring and M3 (E90, E91, E92, E93, F30, F31, F34, F80)
    4p Coupe, Convertible, Gran Coupe and M4 (F32, F33, F36, F82, F83)
    5 Series GT and Touring (F07, F10, F11, F18)
    6 Series Gran Coupe Convertible (F06, F12, F13)
    7 Series (F01, F02, F03, F04)
    I3 (I01), I8 (I12)
    X1 (E84), X3 (F25), X4 (F26) X 5 (E70, F15, F85), X6 (E71, E72, F16, F86), Z 4 (E89)

  • Mini

    Three-door and five-door hatchback (F55, F56)

  • Rolls Royce

    Phantom Coupe and Drophead Coupe (RR1, RR2, RR3)
    Ghost (RR4)
    Wraith (RR5)

No needed for an actual recall of the vehicles as BMW has released a patch and those vehicles that come equipped with the ConnectedDrive sotware will be updated automatically, as soon as the vehicle connects up to the BMW server or the driver calls up the service configuration manually.

BMW has issued a press releases assuring owners of the vehicles of its rapid response to the problem and describing steps that have been taken to fix the security flaw in ConnectedDrive.
File - PDFBMW Press Release

Failure Analysis

According to the BMW press release, the security issues have now been closed. But  if we look at the bigger picture, we will see that in-car-command-control software that require the wireless connection to the server is not properly secured. There should be a common standard in terms of security for auto-makers who install “smart software” onto their vehicles.

There are some questions which remain open, such as why did the company with a reputation initially use the insecure HTTP Protocol? Why does it use algorithm that has been considered broken for some time?

Perhaps when BMW began development of the system the requirements for the system have been defined in accordance with the realities of the time.  Since we have heard about this in media, therefore the requirements were not changed neither in the design phase or the subsequent phases of the system development.  The system has been updated just after a third-party discovered the flaw.  It seems weird that BMW, which can afford skilled developers and proper Quality Assurance (QA) software testing, did not discover the security issue during the system testing phase.  We think that there were not enough code inspections and analysis carried out to detect the flaw.

We also think that the company was aware of the insecure DES message encryption algorithm before to start developing the system.  Developers from the company might have used frameworks that had been built for models prior the ones that are affected by the flaw as the base. Perhaps those frameworks passed the test so they were considered secure at the time they were built and just integrated into the new code. After the system was developed there were a few basic tests on the part which had been already tested.

How to be avoided in the future

Taking all these points into consideration we came to a conclusion that there should also be a strict security monitoring and alert system when there is a network breach.

Source and Reference material


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s