DUDE, WHERE'S MY CAR? New leccy BMWs have flimsy password security – researcher
Motor giant told to try harder with mobe app
Create havoc, trick BMW into suspending security
Munro reckons that, because the system's design allows miscreants to launch denial-of-access attacks against Connected Drive users, an attack on a wide enough scale could prompt BMW into lowering its security defences to prevent thousands from being locked out of their apps:
You could start a distributed attack against the Connected Drive and iRemote users, using the enumeration flaw and social media to discover valid users. [It could] cause enough of a fuss with repeated lockouts for BMW to consider urgent action, potentially removing the lockout function as a temporary measure to keep annoyed drivers from bombarding their call centres.
If they do, immediately brute-force the weak passwords for the known users. Take over their Connected Drive accounts, find their cars, install the iPhone app on your own phone. Locate car with ‘find my car’, unlock it remotely. Then pinch it. Maybe using a flavour of the OBD2 port hack?
Scary stuff, but fortunately an attack along these lines would be "trivial to mitigate", according to Munro. "I hope BMW have considered the above attack already, and have an incident response plan that DOESN’T involve weakening authentication," the security expert told El Reg.
"It’s worth mentioning that BMW have clearly realised that the Connected Drive app is a security concern. Hence, they have wisely implemented an additional PIN check to access the phone app. If a user is mad enough not to have a [screen unlock] PIN on their device, at least if their phone is stolen their car isn’t completely toast," he added.
Professor Stupples said Munro's research raised a number of valid security points.
iRemote – which Prof Stupples characterised as somewhat "gimmicky" – bundles a substantial amount of functionality.
"If you allow users to choose their own username that weakens security, which is why banks don't allow it. This concept is reasonably well understood in secure application development," he said.
"It would be possible for users to manipulate through social media in order to find user names before trying some sort of brute force password-guessing attack. The iRemote app also goes some way towards allowing man-in-the-middle attacks.
"If they get a password, then hackers could open a car, but the greater worry is that hackers could target handheld devices, particularly Android smartphones, using malware."
Like Munro, the professor credited BMW for its efforts towards making its system secure while still faulting it for unresolved security shortcomings. "BMW have thought through the security of this, but they have a number of weaknesses," the academic concluded.
He added that even without doing anything to the car itself, being able to access the iRemote application would allow crooks to know whether the car owner's home was empty.
According to BMW's figures, it sold 2,022 i3 electric cars, the focus of Munro's tests, worldwide in the first quarter of 2014. The total number of BMW, Mini and Rolls-Royce branded cars delivered to customers globally went up by 8.7 per cent, year on year, to a new first-quarter record of 487,024 motors, according to its latest financial statement. ®
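An added example, not from the article, Munro or BMW: the lockout-driven denial-of-access scenario and the username enumeration flaw described above can both be handled on the login side. This sketch backs off per username and source instead of locking the whole account, and answers identically for unknown usernames and wrong passwords; the account store, names and timing constants are constructed assumptions.

```python
import hashlib
import hmac

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

# Constructed sample account store: username -> (salt, password hash).
USERS = {"driver1": (b"salt-1", _hash("correct horse battery", b"salt-1"))}
DUMMY = (b"dummy", _hash("dummy", b"dummy"))  # hashed for unknown usernames

class LoginThrottle:
    """Backoff per (username, source) pair instead of a hard account lockout."""
    BASE, CAP, FREE = 2.0, 900.0, 3  # seconds, seconds, failures before any delay

    def __init__(self):
        self.failures = {}  # (username, source) -> (count, time of last failure)

    def _wait(self, key, now):
        count, last = self.failures.get(key, (0, 0.0))
        if count < self.FREE:
            return 0.0
        delay = min(self.CAP, self.BASE * 2 ** (count - self.FREE))
        return max(0.0, last + delay - now)

    def attempt(self, username, password, source, now):
        key = (username, source)
        if self._wait(key, now) > 0:
            return "retry_later"  # same answer whether or not the account exists
        # Unknown usernames still cost one hash, so timing does not reveal them.
        salt, stored = USERS.get(username, DUMMY)
        ok = hmac.compare_digest(_hash(password, salt), stored)
        if ok and username in USERS:
            self.failures.pop(key, None)
            return "ok"
        count, _ = self.failures.get(key, (0, 0.0))
        self.failures[key] = (count + 1, now)
        return "invalid"  # identical for unknown user and wrong password
```

Backoff keyed on the source slows a single guesser without locking out the owner, but it does not stop a distributed one on its own; it needs to sit alongside rejection of weak passwords and alerting on per-account failure volume.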