BMW ConnectedDrive services: security vulnerability tracking analysis - Vulnerability warning - Black Bar Safety Net

ID MYHACK58:62201558859
Type myhack58
Reporter Anonymous
Modified 2015-02-07T00:00:00


The 360 Network Attack and Defense Laboratory has been tracking the ConnectedDrive module security vulnerability incident. On February 5, the ADAC researcher Dieter Spaar published a full account of the vulnerabilities.

ADAC wanted to find out what data a BMW car actually sends back to the manufacturer's headquarters, and that question led to security research on the system. A technical analysis of BMW ConnectedDrive by ADAC experts uncovered six security vulnerabilities, which were reported to BMW. The most serious of them allows an unauthorized attacker to start the vehicle.

The six security vulnerabilities:

- BMW uses the same symmetric key in all of its models.

- Some services do not encrypt the information transmitted between the vehicle and the BMW back-end server.

- ConnectedDrive configuration data is transmitted without authenticating the identity of its source.

- The Combox discloses the VIN through NGTP error messages.

- NGTP information sent in session messages is encrypted with the insecure DES method.

- The Combox implements no protection against replay attacks.
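
Three of these findings (one key for every model, no source authentication for configuration data, no replay protection) share a standard countermeasure, sketched here as an added example that is not BMW's or NGTP's actual protocol and not code from the original article. The frame layout, the per-vehicle key derivation and all names and sample values are assumptions made for illustration; the sketch covers authentication and replay only, not encryption.

```python
import hashlib
import hmac
import struct

def derive_vehicle_key(master_secret: bytes, vin: str) -> bytes:
    """Hypothetical per-vehicle key: extracting it from one car exposes only that car."""
    return hmac.new(master_secret, b"vehicle-key|" + vin.encode(), hashlib.sha256).digest()

def seal(key: bytes, counter: int, payload: bytes) -> bytes:
    """Back-end side. Frame = 8-byte big-endian counter || payload || 32-byte HMAC tag."""
    body = struct.pack(">Q", counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class VehicleReceiver:
    """Vehicle side: accept a frame only if it is authentic and newer than any seen."""
    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0  # a real unit must persist this across power cycles

    def accept(self, frame: bytes):
        """Return the payload, or None if the frame is truncated, forged or replayed."""
        if len(frame) < 8 + 32:
            return None
        body, tag = frame[:-32], frame[-32:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # source authentication
            return None
        (counter,) = struct.unpack(">Q", body[:8])
        if counter <= self._last_counter:           # replay protection
            return None
        self._last_counter = counter
        return body[8:]

def demo():
    master = b"constructed-demo-secret"                 # constructed sample value
    key_a = derive_vehicle_key(master, "VIN-SAMPLE-A")  # constructed placeholder VINs
    key_b = derive_vehicle_key(master, "VIN-SAMPLE-B")
    car_a = VehicleReceiver(key_a)
    frame = seal(key_a, 1, b"config:v2")
    return {
        "first": car_a.accept(frame),
        "replayed": car_a.accept(frame),
        "tampered": car_a.accept(frame[:-1] + bytes([frame[-1] ^ 1])),
        "other_car_key": car_a.accept(seal(key_b, 2, b"config:v2")),
        "next": car_a.accept(seal(key_a, 2, b"config:v3")),
    }

if __name__ == "__main__":
    print(demo())
```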

Locating the target: the Combox

Connected cars and smart cars send data to their manufacturers through a built-in modem. In BMW cars this hardware is called the "Combox". The role of these modems varies: they may provide Internet access for passengers, carry telemetry data or traffic information initiated by the manufacturer, or send an alert to emergency services when the car is in a crash. For some brands, a mobile app lets the owner control certain vehicle functions, which may include the auxiliary heating system or the charging of an electric car's main battery. These apps even allow the doors to be locked and unlocked remotely.


The ConnectedDrive control unit. This so-called Combox comes in several variants. The device handles vehicle multimedia functions, such as playing music files from USB or pairing a mobile phone with the built-in Bluetooth hands-free unit. Since 2010 it has been fitted to many BMW models.


Inside the Combox: this control unit connects BMW's ConnectedDrive services to the online servers. The SIM module can be seen at the upper right of the circuit board. Image: ADAC centre.

The Combox's CPU is an SH-4A, a powerful 32-bit RISC processor from Renesas. A GSM/GPRS/EDGE modem from Cinterion (formerly Siemens) handles mobile communication. The device also uses a V850ES microcontroller made by Renesas. Presumably the low power consumption of the V850ES allows the modem to stay ready to receive while the car is parked and the engine is no longer running.

To study the session messages and instructions transmitted between the Combox and the ConnectedDrive server, and to record the Combox's mobile network traffic, Dieter Spaar set up a test environment in which the OpenBSC project simulates a base station network.
