BMW are sending their software updates unencrypted
By @edent
· bmw car i3 security · 7 comments · 950 words · read ~15,603 times.
The BMW i3 is an amazing electric car - let down by very shoddy software. That's a huge problem - software runs our lives and, if it is defective, it can ruin us.
We used to have separate categories of device: washing machines, VCRs, phones, cars, but now we just have computers in different cases. For example, modern cars are computers we put our bodies in and Boeing 747s are flying Solaris boxes, whereas hearing aids and pacemakers are computers we put in our body.
The Coming Civil War over General Purpose Computing - Cory Doctorow Emphasis added.
The i3 has numerous software defects. Despite having a capable 3G modem, all major software updates have to be performed by an authorised dealer. That means booking your car in and waiting for a day or two for the update to take place.
So, that's the major software updates, what about the minor ones? It turns out that the entertainment system can be updated by anyone with a USB stick and access to your vehicle.
The BMW Group allows part of the vehicle software to be updated, to enable compatibility of the latest tested Bluetooth or USB devices in the vehicle. This offer is available for selected vehicles manufactured after March 2010.
You can perform this software update yourself. To do so, all you need is a standard USB memory stick with sufficient memory capacity.
The website doesn't use SSL. I mean, everything is unencrypted including the software download!
The user enters their Vehicle Identification number, it is sent across to an unencrypted API.
http://www.bmw.com/_common/shared/owners/bluetooth/jsp/serviceV2.jsp
?op=getVINData
&requestType=bluetooth
&language=en
&vin=1234567
&domain=kisu-check
The user is asked to agree to a "usage right agreement" - but it's not necessary; the software is available to anyone without requiring authentication.
For example, the i3's software is available at
No need to guess a VIN or agree to any terms. Just click and download.
A look through the various BMW forums shows that software updates for different cars all follow a similar pattern.
Why Is This A Bad Thing™?
Because the software download goes via http rather than https, it is theoretically possible for an attacker to modify the file before it gets to you.
One would hope that the firmware is cryptographically signed so that it cannot be maliciously modified - but given BMW's fairly poor record on securing their cars (original in German), it's not guaranteed.
OK, what's the worst that could happen with a phony software update for a glorified car radio?
My friend Marc Rogers successfully hacked the Tesla Model S in part using the car's infotainment system. It turns out that entertainment systems often talk to the rest of the car via a CAN bus. If the car isn't fully secured, it is theoretically possible that a rogue internal component would be able to endanger the car and its passengers.
There's a secondary issue - car manufacturers are training people to stick untrusted USB sticks into their cars.
When FIAT had to update the software on 1.4 million cars, they opted to send USB sticks in the post to affected drivers.
Oh, a *secure* USB.
There's no way that could be malicious… #antipattern pic.twitter.com/kqHtw51zQ6— Terence Eden is on Mastodon (@edent) September 5, 2015
If you receive a USB stick in the post, how can you be sure that it doesn't contain malicious software?
Hopefully, the car should reject any unauthorised tampering - but we all know that security measures can be bypassed by sufficiently motivated adversaries.
Decoding The Firmware
Alas, dear reader, here is where I must confess my ignorance. Decompiling firmware is way outside my area of expertise. If anyone with greater skills can investigate further, I'd be grateful.
Firstly, a quick run of binwalk gives us:
POSIX tar archive (GNU), owner user name: "01E40_110_005_010.xml"
Renaming the .bin to .tar allows us to extract the 7 firmware files and an XML file.
Within the XML, we find:
<SWIP digalg="sha256" signalg="sha256withRSA" version="0.3.6" ...
Which would indicate that the software is self-signed and probably secure against forgery.
Each of the firmware files contains a file called "bungstabelle.sgbm" which appears to be another cryptographic signature.
Judging from the files, it would appear that the infotainment system is made by Magneti Marelli with components by Wind River, AutoSAR, and Nvidia Tegra. Looking at the copious mentions of systemd and freedesktop it's a Linux system!
Hmmm... I wonder if they're respecting the GPL...?
The firmware isn't encrypted - so anyone can read the code and comments - but it does appear to be signed which makes it unlikely that a user could accidentally install corrupted software.
The Five Star Automotive Cyber Safety Program suggests to manufacturers that:
While updating is a necessary capability, an insecure update design could facilitate adversaries or trigger accidents. Authenticity and quality verification preserves the integrity of the updates and leads to a safer mechanism that can prevent digital tampering or unexpected failures.
From my limited understanding of the way the firmware is designed, it should be robust enough to prevent malicious users from infecting it with anything nasty.
However, given BMW's troubled history with HTTPS, I think it would be sensible for them to ensure all their software was delivered securely.
Mastodon
Twitter
Facebook
LinkedIn
Reddit
HackerNews
Lobsters
Pocket
WhatsApp
Telegram
BMW *are* complying with the GPL
"Beschreibungstabelle" is German for descriptor table. The name does not imply any cryptographic security; analysis of the binary could tell.
The software package is signed indeed. If you check the XML file at the root of the package (SWIP_00001E40_110_005_010.xml) you will find a tag inside the header. This tag is an enveloped XML signature (https://www.w3.org/TR/xmldsig-core2/#def-SignatureEnveloped), and it protects the whole XML file from tampering. This same XML file also references all the other bin files with their respectives SHA256 hashes, which basically means that this signature's protection cascades for the rest of the package.
BMW i3's system can then verify the package with the correct digital certificate which must be installed on the car already, preferably hardware-protected (e.g. inside a HSM). The security of this scheme now lays on whether an attacker can install a rogue certificate on the car's trusted certs store or not, which is way harder IMHO, infeasible with an HSM I think. No HTTPS necessary here.
The thumb drive is another story, I guess, but I don't know enough about this to comment.
Honestly not surprised considering just last year I was setting up connected drive in my 2015 BMW and I had to call into BMW and ask a CSR to set my password. Please set my password to: _____________. They have since updated their site and you can do this via the web now but shows security is an after thought IMO. Shameful...
Updates require PHYSICAL ACCESS to the car and the USB port....how is a hacker going to get that???
Ever leave your car with a valet?