DUDE, WHERE'S MY CAR? New leccy BMWs have flimsy password security – researcher

Motor giant told to try harder with mobe app


Create havoc, trick BMW into suspending security

Munro reckons that, because the system's design allows miscreants to launch denial-of-access attacks against Connected Drive users, a large enough attack could prompt BMW into lowering its security defences to prevent thousands from being locked out of their apps:

You could start a distributed attack against the Connected Drive and iRemote users, using the enumeration flaw and social media to discover valid users. [It could] cause enough of a fuss with repeated lockouts for BMW to consider urgent action, potentially removing the lockout function as a temporary measure to keep annoyed drivers from bombarding their call centres.

If they do, immediately brute-force the weak passwords for the known users. Take over their Connected Drive accounts, find their cars, install the iPhone app on your own phone. Locate car with ‘find my car’, unlock it remotely. Then pinch it. Maybe using a flavour of the OBD2 port hack?

Scary stuff, but fortunately an attack along these lines would be "trivial to mitigate", according to Munro. "I hope BMW have considered the above attack already, and have an incident response plan that DOESN’T involve weakening authentication," the security expert told El Reg.

"It’s worth mentioning that BMW have clearly realised that the Connected Drive app is a security concern. Hence, they have wisely implemented an additional PIN check to access the phone app. If a user is mad enough not to have a [screen unlock] PIN on their device, at least if their phone is stolen their car isn’t completely toast," he added.

Professor Stupples said Munro's research raised a number of valid security points.

iRemote – which Prof Stupples characterised as somewhat "gimmicky" – bundles a substantial amount of functionality.

"If you allow users to choose their own username that weakens security, which is why banks don't allow it. This concept is reasonably well understood in secure application development," he said.

"It would be possible for users to manipulate through social media in order to find user names before trying some sort of brute force password-guessing attack. The iRemote app also goes some way towards allowing man-in-the-middle attacks.

"If they get a password, then hackers could open a car, but the greater worry is that hackers could target handheld devices, particularly Android smartphones, using malware."

Like Munro, the professor credited BMW for its efforts towards making its system secure while still faulting it for unresolved security shortcomings. "BMW have thought through the security of this, but they have a number of weaknesses," the academic concluded.

He added that even without doing anything to the car itself, being able to access the iRemote application would allow crooks to know whether the car owner's home was empty.

According to BMW's figures, it has sold 2,022 i3 electric cars, the focus of Munro's tests, worldwide in the first quarter of 2014. The total number of BMW, Mini and Rolls-Royce branded cars delivered to customers globally went up by 8.7 per cent, year on year, to a new first-quarter record of 487,024 motors, according to its latest financial statement. ®
