back to article Big bimmer bummer: Bavaria's BMW buggies battered by bad bugs

A security audit conducted by Tencent's Keen Security Lab on BMW cars has given the luxury automaker a handy crop of bugs to fix – including a backdoor in infotainment units fitted since 2012. Now that the patches are gradually being distributed to owners, the Chinese infosec team has gone public with its security audit, …

  1. Frenchie Lad

    Are You Surprised

    Always was a Merc man, now I understand why I made the better choice.

    1. Gene Cash Silver badge

      Re: Are You Surprised

      Then perhaps you should read http://www.thedrive.com/news/21003/thieves-steal-mercedes-benz-by-hacking-the-keyless-entry-in-23-seconds

      1. Stork

        Re: Are You Surprised

        At times I think that I don't want anything more advanced than my current (2005) Accord: Navi on DVD, no BT, controls that generally are where I expect them.

        1. Michael Wojcik Silver badge

          Re: Are You Surprised

          At times I think that I don't want anything more advanced than my current (2005) Accord

          My current car is a 2015 Volvo, and after looking at my wife's 2018 Volvo, and what auto manufacturers are eagerly doing, I'm pretty sure I'll never buy another new car.

          There are the huge fucking security holes - and the situation is quite a bit worse than what you'd get from the occasional article like this; and while people are working on improving the situation, it's going to be a long time, if ever before it's significantly better. Then there are the goddamned irritainment systems with their touchscreens, which I loathe; and on some of the vehicles I've driven (rentals and the like), they don't dim the backlighting on those screens along with the instrument panel, so at night you're trying to drive with this idiotic screen shining with the brightness of a thousand suns.

          Then there are the driver-assist features, many of which are desperately annoying and others outright dangerous. No, I don't want "adaptive" cruise control; when I set the speed, that's the speed I want. Not whatever speed the moron ahead of me in the lane happens to be going. Blind spot warning is OK, and backup cameras are a good augmentation to actually turning your head, but I've yet to see a cruising-speed collision-avoidance system that didn't overreact when some numpty switches into my lane a little closer than is polite. Automatically slamming on my brakes does not improve the situation, since there's probably some moron tailgating me.

          And they're too big. And the powertrains are ridiculously overpowered. I use my Volvo wagon to tow a trailer sometimes, and I've passed people while towing it up mountain passes. There's far more output from that engine than I can do anything useful with, and I'm not sanguine about everyone on the road having that sort of acceleration. And here in the US there are few choices if you want a manual transmission, though I can't blame the manufacturers for that - where people will buy manuals, they sell them.

          In many ways contemporary cars are far better than those of twenty, even ten, years ago. They are notably safer. They are generally more comfortable. They do have useful features. Things like A/C are pretty much standard. But I find they have too many excruciatingly annoying misfeatures to justify buying new.

      2. Voland's right hand Silver badge

        Re: Are You Surprised

        Then perhaps you should read Pot calling the kettle black.

        Keyless entry - just say no. All you need is a transmitter relay as demonstrated by a spate of recent thefts around London (apologies for using the beobachter as a reference): http://www.dailymail.co.uk/news/article-4456992/Shocking-moment-car-hackers-steal-60-000-BMW.html

        When I talked to my colleagues in Eastern Europe after reading this they giggled: "Here you do not get an insurance with a factory fitted keyless entry on BMW or Merc until you fit a fully independent passive (not transmitting until you press a button) immobilizer".

        1. Anonymous Coward
          Anonymous Coward

          Re: Are You Surprised

          "Here you do not get an insurance with a factory fitted keyless entry on BMW or Merc until you fit a fully independent passive (not transmitting until you press a button) immobilizer"."

          Same thing happened to the Chelsea Tractor School Run brigade

          https://www.standard.co.uk/news/london/insurers-will-not-cover-new-range-rovers-in-london-unless-you-have-secure-parking-9820186.html

          1. Mage Silver badge

            Re: Are You Surprised

            Also RAV4 has/had flaw on lock securrity.

            What cars could be interfered with via a DAB broadcast even if Radio tuned into "official" multiplex? (It's not cost that stops there being Pirate DAB stations).

            Various exploits via OBD or what ever you call it.

            Tesla.

            Seems we are going backwards on car security.

        2. Mahhn

          Re: Are You Surprised

          So, when at home drop the keys in the new key holder - metal box on the desk. (faraday cage).

          Just like that metal sleeve I keep the CC in, in my wallet.

          METAL!!!!

    2. naive

      Re: Are You Surprised

      Security wise Mercs are indeed better, they mostly are rusted into dust before hacker figured out were the security holes are.

  2. Christian Berger

    Well those companies typically work hard to keep decent programmers out

    For example by having decisions like "we use QNX" dumped onto the programmers because some salesperson came along selling it with bogus arguments, like that it's not "Open Source". In reality that means that your board support package will be closed source and written by highly incompetent programmers.

    Essentially those things will drive any decent programmer out of the company. What'll be left are those who just want the money and don't care about what they are doing. So obviously they don't care about the security of their code.

    1. James 51
      FAIL

      Re: Well those companies typically work hard to keep decent programmers out

      Blackberry own QNX and they use security as a USP so I imagine they do care about the security of their code. If their reputation takes a hit on that, they have nothing else left.

      1. Spamfast

        Re: Well those companies typically work hard to keep decent programmers out

        I rather like QNX - device drivers are so much easier than Linux for example - but as others have intimated the BSPs for most CPUs are seriously shoddy unless you're willing to pretty much rewrite them completely.

    2. Mage Silver badge

      Re: decisions like "we use QNX"

      QNX isn't the problem.

      It's a quite good OS and a pity RIM/Blackberry bought it. Used to be used for storage controllers and real time industrial controllers.

      I'd like to see it either OS, or owned by someone more generic than Blackberry. Would be nice alternative to Linux for I/O based controllers that only optionally have a GUI.

      Linux is OK, but there is too much of a mono-culture.

  3. nagyeger

    firewall

    Excuse me for being stupid... if I was designing something to connect the engine management system to entertainment system - presumably for display purposes? - it would be strictly one way, probably with 1-way, physically separated opto-couplers, so that some kid pouring coke into the entertainment system had zero chance of inflicting, say, 50w of audio signal onto the can-bus.

    Why would anyone want to let the stereo muck about with engine management?

    1. Voland's right hand Silver badge

      Re: firewall

      if I was designing something to connect the engine management system to entertainment system - presumably for display purposes?

      The OBD-II and its GM Tech/Ford predecessors were never intended for that. As a result they cannot display faults properly without two-way interactions. Additionally, there is no authentication, no crypto and very little security. So if you can connect something to the OBD the car security is compromised as a given.

      The solution is to have a dedicated unit connected to the OBD and have a limited modern one way interface using a messaging protocol of choice from that unit to the infotainment. You can implement that in ~ 10£ and do the software in a week with off the shelf components. It is also utterly trivial - you just give the problem to any security geek and that is what they will come up with.

      Unfortunately, this is too "hard", too "expensive" and "does not make sense" for your average car manufacturer - let's face it their computing and security people in their vast majority are clueless.

    2. John Brown (no body) Silver badge

      Re: firewall

      "Why would anyone want to let the stereo muck about with engine management?"

      Especially when you consider that most new cars have two separate displays, the instrument console and the entertainment console, there's even less reason for them to talk to each other. Both can display pretty pictures and text.

    3. TReko Silver badge
      WTF?

      The same thing goes for plane

      Boeing's 787 and Airbus were recently reported to have bugs where the avionics info was visible to the seat-back entertainment systems.

      Why there is any physical link between these two systems worries me.

      1. Anonymous Coward
        Anonymous Coward

        Re: The same thing goes for plane

        "Boeing's 787 and Airbus were recently reported to have bugs where the avionics info was visible to the seat-back entertainment systems."

        What was reported in that incident is not necessarily what happened (not according to my initial knowledge and subsequent digging anyway).

        That said, it was several years ago, plenty of time for the 'seniors' with clue (the proper engineering ones) to be downsized, and the 'seniors' without clue (the ones from the MBA side of things) to wreck even more stuff and risk even more people's lives.

  4. John Smith 19 Gold badge
    Unhappy

    a note on QNX

    QNX was a well regarded OS for embedded apps. It's major features being a very modular architecture, so your custom build could be very lean. because it was built for profit and customers would complain if it was too buggy (given how expensive bug fixes in the field are) the code was reasonably quality.

    It powers the BlackBerry 10 phone and the Ontario states equivalent to the BBC Micro project.

    Car makers. You are now in the IT business.

    Get used to it.

    1. Christian Berger

      the key word here is "was"

      Most of those systems start up rather decent, by people with a vision and knowing what they are doing. However that was in the 1980s and 1990s. Today people who are interested in operating system work don't work on proprietary ones any more as it's not really something that is very fulfilling.

      I've seen that with "Nucleus", once a popular operating system for GSM basebands. You can see the quality gradient from the old core features which are moderately well designed (though a far cry from something like OpenRTOS/FreeRTOS) to things like the USB stack (which would crash immediately with the default settings) and the board support package, which actually had problems you could _see_ in the code without understanding C. Or the JSON generator which had a beginner's bug in it's integer output function.

      1. Anonymous Coward
        Anonymous Coward

        "Today people who are interested in operating system work don't work on proprietary ones any more"

        BS.

        The only reason many don't use "proprietary" ones is just because the "free" ones are cheaper so they can save pennies and charge you more.

        If you believe all the bright minds are working on Linux only, you could find yourself disappointed.

        And you can just look at the dreadful security of IoT stuff to know how Linux plus a bunch of badly written open source libraries and code deliver a security nightmare as well.

        1. Christian Berger

          That's because people rarely look at such things

          Here's for example a talk talking about the many problems of "secure" random number generators in QNX

          https://media.ccc.de/v/34c3-8730-taking_a_scalpel_to_qnx

          With embedded devices it's usually the closed source software the manufacturer puts on it. It's extremely rare to find a bug in, let's say, the TCP/IP stack... whereas even I was able to find a Ping of Death bug in Nucleus within a few minutes of trying some years ago.

  5. Anonymous South African Coward Silver badge

    Code reuse may be a good thing, but then again it is an Extremely Bad Thing, especially if the code is Close Source and not open for review by the public.

    1. Anonymous Coward
      Anonymous Coward

      Yes because open source reuse of code is always secure. Yup, never ever been issues with using random shit code found on Github.

  6. Anonymous South African Coward Silver badge

    BMW = Buggysource Mit Wheels

    1. Fruit and Nutcase Silver badge

      BMW

      Bavarian Motor Malware Works

  7. Kaltern
    Thumb Up

    On a side note - Good Job for the story headline... difficult source material too.

  8. 0laf Silver badge

    [Sigh] I have one.

    These car have the ability to lock and unlock from a phone app.

    I asked if this could be disabled and was told no.

    BMW can dial into the car for remote diagnostics, to set the sat nav for you etc

    1. Anonymous Coward
      Anonymous Coward

      You were told wrong.

    2. Anonymous Coward
      Anonymous Coward

      "I asked if this could be disabled and was told no."

      Translation:

      "Yes, but we can't be arsed. We've sold you the car now fuck off"

    3. Little Mouse

      Did you also ask them whether the indicators could be enabled?

      1. 0laf Silver badge

        No. I'd bought a BMW they're not even on the options list.

  9. Elledan

    Crossing fingers

    It's always fun to see a pile of CVEs for a system you actually did work on for a number of years. Curious to see whether the component I worked on was involved in any way or not.

    Doesn't seem like BMW learned from the plain-text authentication issue BMW's ConnectedDrive system had a number of years ago.

    As for QNX, it's not a bad OS, just horribly proprietary, expensive (got quoted 10,000 Euro/seat) and with incredibly outdated tools and environment (GCC 4.4.2 with Dinkumware STL on 6.5.x). Developing for it reminded me of using a Linux distro from more than ten years ago.

    Wondering whether their Embedded Linux (Yocto-based) infotainment systems are similarly affected.

    1. TReko Silver badge

      Re: Crossing fingers

      Many printers use QNX too.

  10. annodomini2

    Curious...

    However, we found that most of the ECUs still respond to the diagnostic messages even at normal driving speed (confirmed on BMW i3), which could cause serious security issues already. It will become much worse if attackers invoke some special UDS routines (e.g. reset ECU, etc..).

    Curious If they would actually respond to ECU reset with vehicle speed above 0, most don't.

    Yes some read systems still work with the vehicle moving, your OBD reader performing "real time readout" e.g. Torque. Uses these for operation and they are used during development or diagnostics of issues.

    But safety critical features are typically protected.

    I'm not saying they shouldn't be better protected, but this screams journalistic exaggeration to me.

  11. Anonymous Coward
    Anonymous Coward

    Ah, that CANnot bus

    The CAN bus was never designed with authentication in mind and retrofitting is well nigh impossible due to the infrastructure.

  12. Prosthetic Conscience
    Joke

    Can they hack mercs and BMWs so that the Indicators feature is enabled?

    1. Voland's right hand Silver badge

      Can they hack mercs and BMWs so that the Indicators feature is enabled?

      There are bugs inside the crankcase which prevent it. That is the crankcase which is driving it.

  13. Bonzo_red

    Bugs überall

    I thought it was VW which sold bugs.

    1. Alistair
      Coat

      Re: Bugs überall

      @ Bonzo_Red:

      VW does sell Bugs. Thats why Porky still has something to hunt.

      But considering what can be done to my TDI through the OBDII port with the right software, I'm wondering why *anyone* is remotely surprised when things like this flock of bugs show up. (and yes it is one of *those* tdi's)

  14. Robert Helpmann??
    Childcatcher

    Remote Local Access

    Four require physical USB access – you need to plug a booby-trapped gadget into a USB port... That means an attacker has to be inside your vehicle to exploit them.

    No, that is not what it means. It only means the device has to get plugged into the port. Attacks like leaving a rigged USB drive lying next to a target vehicle with a label indicating it has some music on it will definitely snare some hapless individuals.

    Respect the classics!

    1. Anonymous Coward
      Anonymous Coward

      Re: Remote Local Access

      And a huge percentage of people go to non dealers to get their little engine light issues resolved, so there is plenty of opportunity given freely by vehicle owners to breach the defences..

      It's almost like the owners don't realise they are driving a computer with wheels.

      1. Dagg Silver badge
        Devil

        Re: Remote Local Access

        go to non dealers

        And you would trust the dealers! Yea right.

  15. iLurker

    Thanks...

    Still don't understand why car makers ever thought keyless entry, remote wireless diagnostics and all that infotainment stuff was ever a good idea, the risks were obvious form the start.

    I prefer a car with an amp and a set of nice speakers, a connection to my iPhone and bracket to hold it, and a METAL KEY over all that expensive frippery.

    And I can sleep easy knowing it won't be stolen, or hijacked, nor can someone deliberately cause an accident remotely.

    I'll stick to my 1991 Honda Civic, thanks.

    1. Michael Wojcik Silver badge

      Re: Thanks...

      Still don't understand why car makers ever thought keyless entry, remote wireless diagnostics and all that infotainment stuff was ever a good idea

      They help sell cars, which is the business car makers are in.

      1. Ken Hagan Gold badge

        Re: Thanks...

        "They help sell cars, which is the business car makers are in."

        Yes. They help with that, right up to the point where the stories of bugs and hacks reach the mainstream media. I expect most people here have grown up with the fact that the stories we read here are just for us and our friends and family never hear them (unless we re-tell them) but I think that is beginning to change. All the self-driving car hype has made stories about car computers rather more palatable to the wider audience.

  16. Anonymous Coward
    Anonymous Coward

    I wonder if the BMW EULA gives any information about what you may do with their car and for how long?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like