http://www.heise.de/ct/artikel/Beemer-Open-Thyself-Security-vulnerabilities-in-BMW-s-ConnectedDrive-2540957.html

Conclusion
At the time of my initial investigation, ConnectedDrive included six security vulnerabilities:
BMW uses the same symmetric keys in all vehicles.
Some services do not encrypt messages in transit between the car and the BMW backend.
The ConnectedDrive configuration data isn't tamper-proof.
The Combox discloses the VIN via NGTP error messages.
NGTP data sent via text messages is encrypted with the insecure DES method.
The Combox does not implement protection to guard against replay attacks.
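As an added illustration (not code from the article, from ADAC or from BMW), the following Python sketch uses a hypothetical message layout, not the real NGTP format, to show how two of the findings above are addressed in a sound design: a key derived per vehicle instead of one key shared by every car, and a monotonic counter so a recorded message cannot be played back a second time.

```python
import hashlib
import hmac
import struct

# Constructed message layout (assumption, not NGTP):
#   8-byte big-endian counter | payload | 32-byte HMAC-SHA256 tag
HEADER_LEN = 8
TAG_LEN = 32


def vehicle_key(master_key: bytes, vin: str) -> bytes:
    """Derive a distinct key per vehicle from a backend master key.
    Extracting one car's key then does not unlock every other car.
    (Simplified HMAC-based derivation; a production system would use HKDF.)"""
    return hmac.new(master_key, b"vehicle-key:" + vin.encode(), hashlib.sha256).digest()


def build_message(key: bytes, counter: int, payload: bytes) -> bytes:
    """Sender side: authenticate counter and payload together so neither can be altered."""
    header = struct.pack(">Q", counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Receiver side: verify the tag first, then reject any counter not newer than the last accepted one."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = -1

    def accept(self, msg: bytes) -> bool:
        if len(msg) < HEADER_LEN + TAG_LEN:
            return False
        header, payload, tag = msg[:HEADER_LEN], msg[HEADER_LEN:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # wrong key or tampered content
        counter = struct.unpack(">Q", header)[0]
        if counter <= self.last_counter:
            return False  # replayed or stale message
        self.last_counter = counter
        return True


def demo() -> tuple:
    master = bytes(32)  # constructed placeholder master key
    car_a, car_b = Receiver(vehicle_key(master, "VIN-A")), Receiver(vehicle_key(master, "VIN-B"))
    msg = build_message(vehicle_key(master, "VIN-A"), 1, b"remote-service-request")
    # (accepted once, rejected on replay, rejected by a different vehicle)
    return car_a.accept(msg), car_a.accept(msg), car_b.accept(msg)
```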

Affected Cars and What to Do About It
As a consumer watchdog, ADAC has informed BMW about the results of this investigation. The manufacturer has confirmed the security vulnerabilities.
According to the company, all cars that include ConnectedDrive and were manufactured by BMW, Mini and Rolls Royce between March 2010 and 8 December 2014 are affected. In Germany, this includes around 423,000 vehicles; worldwide, this number rises to 2.2 million cars. ADAC has compiled a list with the over 50 models in question.
The disclosure of the vulnerabilities was coordinated with BMW to give the company enough time to secure their services. A configuration change to enable encryption in transit for ConnectedDrive data has now been triggered via cellular connection. According to BMW, the certificate of the server is now being checked as part of this.
Car owners cannot be sure whether their car has received this change, however. To find out, owners can contact a BMW hotline at 0 89 / 1 25 01 60 10. This applies especially to cars that have been parked in underground car parks or other places without mobile reception, or that had their starter batteries disconnected over the last few months. Owners can also trigger the change manually by selecting Update Services in the car's main menu.