BMW are sending their software updates unencrypted

The BMW i3 is an amazing electric car - let down by very shoddy software. That's a huge problem - software runs our lives and, if it is defective, it can ruin us.

We used to have separate categories of device: washing machines, VCRs, phones, cars, but now we just have computers in different cases. For example, modern cars are computers we put our bodies in and Boeing 747s are flying Solaris boxes, whereas hearing aids and pacemakers are computers we put in our body. The Coming Civil War over General Purpose Computing - Cory Doctorow Emphasis added.

The i3 has numerous software defects. Despite having a capable 3G modem, all major software updates have to be performed by an authorised dealer. That means booking your car in and waiting for a day or two for the update to take place.

So, that's the major software updates, what about the minor ones? It turns out that the entertainment system can be updated by anyone with a USB stick and access to your vehicle.

The BMW Group allows part of the vehicle software to be updated, to enable compatibility of the latest tested Bluetooth or USB devices in the vehicle. This offer is available for selected vehicles manufactured after March 2010. You can perform this software update yourself. To do so, all you need is a standard USB memory stick with sufficient memory capacity. BMW Connected Drive - Software Updates

The website doesn't use SSL. I mean, everything is unencrypted including the software download!

The user enters their Vehicle Identification number, it is sent across to an unencrypted API.

http://www.bmw.com/_common/shared/owners/bluetooth/jsp/serviceV2.jsp

   ?op=getVINData

   &requestType=bluetooth

   &language=en

   &vin=1234567

   &domain=kisu-check

The user is asked to agree to a "usage right agreement" - but it's not necessary; the software is available to anyone without requiring authentication.

For example, the i3's software is available at

• http://www.bmw.com/_common/shared/owners/bluetooth/bin/UPD07012.bin

No need to guess a VIN or agree to any terms. Just click and download.

A look through the various BMW forums shows that software updates for different cars all follow a similar pattern.

Why Is This A Bad Thing™?

Because the software download goes via http rather than https, it is theoretically possible for an attacker to modify the file before it gets to you.

One would hope that the firmware is cryptographically signed so that it cannot be maliciously modified - but given BMW's fairly poor record on securing their cars (original in German), it's not guaranteed.

OK, what's the worst that could happen with a phony software update for a glorified car radio?

My friend Marc Rogers successfully hacked the Tesla Model S in part using the car's infotainment system. It turns out that entertainment systems often talk to the rest of the car via a CAN bus. If the car isn't fully secured, it is theoretically possible that a rogue internal component would be able to endanger the car and its passengers.

There's a secondary issue - car manufacturers are training people to stick untrusted USB sticks into their cars.

When FIAT had to update the software on 1.4 million cars, they opted to send USB sticks in the post to affected drivers.

Terence Eden is on Mastodon

@edent

Oh, a *secure* USB.
There's no way that could be malicious…
#antipattern pic.x.com/kqhtw51zq6

---

If you receive a USB stick in the post, how can you be sure that it doesn't contain malicious software?

Hopefully, the car should reject any unauthorised tampering - but we all know that security measures can be bypassed by sufficiently motivated adversaries.

Decoding The Firmware

Alas, dear reader, here is where I must confess my ignorance. Decompiling firmware is way outside my area of expertise. If anyone with greater skills can investigate further, I'd be grateful.

Firstly, a quick run of binwalk gives us:

POSIX tar archive (GNU), owner user name: "01E40_110_005_010.xml"

Renaming the .bin to .tar allows us to extract the 7 firmware files and an XML file.

Within the XML, we find: <SWIP digalg="sha256" signalg="sha256withRSA" version="0.3.6" ... Which would indicate that the software is self-signed and probably secure against forgery.

Each of the firmware files contains a file called "bungstabelle.sgbm" which appears to be another cryptographic signature.

Judging from the files, it would appear that the infotainment system is made by Magneti Marelli with components by Wind River, AutoSAR, and Nvidia Tegra. Looking at the copious mentions of systemd and freedesktop it's a Linux system!

Hmmm... I wonder if they're respecting the GPL...?

The firmware isn't encrypted - so anyone can read the code and comments - but it does appear to be signed which makes it unlikely that a user could accidentally install corrupted software.

The Five Star Automotive Cyber Safety Program suggests to manufacturers that:

While updating is a necessary capability, an insecure update design could facilitate adversaries or trigger accidents. Authenticity and quality verification preserves the integrity of the updates and leads to a safer mechanism that can prevent digital tampering or unexpected failures.

From my limited understanding of the way the firmware is designed, it should be robust enough to prevent malicious users from infecting it with anything nasty.

However, given BMW's troubled history with HTTPS, I think it would be sensible for them to ensure all their software was delivered securely.