As German luxury car maker BMW releases a security patch for their in-car software, one cannot help but wonder: is IoT security still an afterthought?
A couple of weeks ago, the BMW Group announced a security patch for a vulnerability in their ConnectedDrive system that could put 2.2 million Rolls-Royce, Mini and BMW vehicles at risk. Using a SIM card, the software allows car owners to access and control car navigation functions, internet connected features, windows and doors. Imagine what could have happened if hackers had discovered the flaw before the researchers at the German Automobile Association, ADAC.
Reportedly, ADAC had commissioned a study of the technology with a focus on data transmission issues that could affect consumer interests. The investigation revealed a security flaw in data transmission over a mobile network that could enable an attacker to take over the SIM card functions of ConnectedDrive, open doors, and even retrieve emails sent through BMW Online, all within minutes and from a remote location.
According to security blogger Graham Cluley, the discovery happened last summer. But ADAC waited for the car maker to issue a patch before making it public, so as not to alert attackers to it.
In their press release, BMW said they enabled data encryption through HTTPS as part of the security update that
“will be carried out automatically as soon as the vehicle connects up to the BMW Group server or the driver calls up the service configuration manually.”
Now, from a security expert’s standpoint, there are at least two issues with this announcement.
The first one, and most obvious: if you’ve kept your BMW, Mini or Rolls-Royce in an underground parking lot with no phone signal, you may want to run over and install the update yourself.
Second, and most important: why hadn’t they enabled HTTPS in the first place?
If we take a step back and look at the bigger picture, we’ll see an example of why IoT may result in troublesome experiences. We’ve got:
- a company with a reputation to care about
- a company that can afford skilled developers and proper Quality Assurance (QA) software testing
- an expensive, high-end product (not a $200 home thermostat!)
- a command-control action enabled by internet connectivity, which makes it highly security-sensitive (not some lightbulb remote-controlling action).
Taking all these points into consideration, one might expect that, when starting to build a great system with a huge impact in a number of industries, a resourceful company would try to do things right from the outset. However, the security flaw in BMW’s system, which enabled third parties to push control commands from an unauthenticated remote site over an unencrypted connection, shows that security is still an afterthought among many manufacturers. It was just lying there waiting to be discovered. And it continued to exist for months after it was discovered, until the company finally provided a patch for it.
What can we expect from manufacturers with smaller budgets, cheap products and less of a reputation to care about?
On the bright side, the security flaw was discovered by a reputable entity, and the company took steps to improve their security. This goes to show that our 2015 security prediction #3 may get confirmed by the end of the year. At least in part.
Another question still remains, though: how many vulnerabilities in IoT products have actually been discovered by not-so-reputable entities and are on sale on the black market, just waiting for someone to exploit them?