07 Case study: Kaspersky Lab's analysis of the BMW ConnectedDrive system
INTRODUCTION
Cars are increasingly using electronic components designed to improve the performance, safety and comfort of
users. The majority of these functionalities involve processing different types of signals from the vehicle and
coordinating them in real time. This means it is necessary to use sensors to provide data, units responsible for
processing the data (Electronic Control Units or ECUs) and a form of communication between all of them (through
one or several data buses using the standard Controller Area Network or CAN). Modern cars have dozens of ECUs,
depending on the model, manufacturer and version.
ECUs communicate using CAN packets. The communication via CAN is broadcast and, although there are some
segmented networks, each ECU decides whether a data packet is intended for it or not. There is no way of
authenticating or identifying the source of a packet.
By accessing the CAN communication buses, it is possible to capture the traffic between the various ECUs. Not only
that, it is also possible to inject packets that interact with the different ECUs in the vehicle. This can provide total
control, including of the brake system, engine, lights and any other functionality incorporated in the vehicle. Over the
past few years, several studies have emerged showing that it is possible to interfere with all of these vehicle
systems, such as the brakes.
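Because a CAN frame carries no sender identity, the one thing a receiver or a bus monitor can still check is timing: most status frames are sent on a fixed period, so an injected copy of an ID shows up as frames arriving much faster than that ID's learned period. The following is an added example, not code from the report; the candump-style log lines, the arbitration IDs 0x1A0 and 0x2C0 and their periods are constructed for illustration.

```python
"""Periodicity check over candump-style CAN log lines (added example)."""
import re
from collections import defaultdict
from statistics import median

# candump -l style line: "(timestamp) interface ID#DATA"
LINE_RE = re.compile(
    r"\((?P<ts>\d+\.\d+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)"
)

# Constructed baseline capture (not a real vehicle trace). ID 0x1A0 is a
# hypothetical status frame sent every 100 ms; 0x2C0 is sent every 50 ms.
BASELINE_LOG = """\
(0.000000) can0 1A0#0100
(0.000000) can0 2C0#00
(0.050000) can0 2C0#00
(0.100000) can0 1A0#0100
(0.100000) can0 2C0#00
(0.150000) can0 2C0#00
(0.200000) can0 1A0#0100
(0.200000) can0 2C0#00
(0.300000) can0 1A0#0100
(0.400000) can0 1A0#0100
"""

# Constructed capture in which a second node sends ID 0x1A0 (payload FF00)
# between the legitimate ECU's frames. The detector never inspects the payload,
# because a payload alone cannot tell the two senders apart.
SUSPECT_LOG = """\
(5.000000) can0 1A0#0100
(5.020000) can0 1A0#FF00
(5.040000) can0 1A0#FF00
(5.100000) can0 1A0#0100
(5.120000) can0 1A0#FF00
(5.200000) can0 1A0#0100
"""


def parse_candump(text):
    """Return (timestamp, arbitration_id, data bytes) tuples, skipping lines that do not parse."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            frames.append((float(m["ts"]), int(m["id"], 16), bytes.fromhex(m["data"])))
    return frames


def learn_periods(frames, min_gaps=3):
    """Median inter-arrival time per ID, learned from a capture believed to be clean."""
    last, gaps = {}, defaultdict(list)
    for ts, cid, _ in frames:
        if cid in last:
            gaps[cid].append(ts - last[cid])
        last[cid] = ts
    return {cid: median(g) for cid, g in gaps.items() if len(g) >= min_gaps}


def flag_injections(frames, periods, tolerance=0.5):
    """Flag frames whose gap to the previous frame of the same ID is below
    tolerance * learned period. Returns (timestamp, id, data_hex) alerts."""
    last, alerts = {}, []
    for ts, cid, data in frames:
        if cid in periods and cid in last and ts - last[cid] < periods[cid] * tolerance:
            alerts.append((ts, cid, data.hex()))
        last[cid] = ts
    return alerts


def analyse(baseline_text=BASELINE_LOG, suspect_text=SUSPECT_LOG):
    """Learn periods from the baseline, then flag the suspect capture."""
    periods = learn_periods(parse_candump(baseline_text))
    return flag_injections(parse_candump(suspect_text), periods)


if __name__ == "__main__":
    for ts, cid, data in analyse():
        print(f"t={ts:.3f}s id=0x{cid:03X} data={data}: faster than learned period")
```

Only the three injected frames are flagged; the legitimate 100 ms frames that follow them are not, because the check is per ID against the previous frame of that ID.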
For this reason, whether or not it is possible to access this communication is a key point. Obviously, one option is
physical access to the car. This study does not consider this possibility.
As well as all of these features installed in cars, we cannot ignore those related to communication and Internet-derived
services that are included in the new generation of "connected" cars. We are no longer talking about parking
assistance, but about access to social networks, email, smartphone connectivity, route calculation, applications
running in the car, etc.
The inclusion of these technologies brings a series of new risks which users have not had to face… until now.
Below, we analyse the different factors that would make a potential attack or fraud possible, or even an incident
involving the operation of the vehicle.
BMW CONNECTEDDRIVE SYSTEM CONFIGURATION
BMW has the following connectivity options in its range:
1. In Car Browser Apps. These applications run in the vehicle and come pre-installed in the car.
2. In Car Smartphone Apps. These are apps approved by BMW to run directly on the user's smartphone. The
smartphone, connected to the vehicle, allows them to be reproduced in the car. A specific BMW app also needs to be
downloaded to run some of them. They are divided into two classes:
2.1. BMW Apps: the BMW Connected app needs to be downloaded for them to run.
2.2. BMW Apps Ready: apps that run independently and are approved by the German brand: Snippy, Audible,
Glympse, Aupeo!, TuneIN Radio, Amazon Music, Deezer, Napster, Stitcher Radio and M Laptimer.
You can find applications in a BMW that are embedded in the system itself (In Car Browser Apps) and apps that
run on a phone and are "launched" on the screen (In Car Smartphone Apps). The latter should be signed by BMW
to enable them to function in one of the Bavarian brand's vehicles.
3. Browser Apps (send to car).
Certain services, such as Google Maps, allow direct interaction with the BMW service to incorporate data into the
applications that we use in the car (for example, sending an address).
4. My BMW Remote.
This application enables interaction with the vehicle from a phone. The difference is that the user is not inside the
car with the smartphone connected physically. Instead, the user can check the status of the car or activate certain
functions from outside the vehicle.
The function for locating the vehicle on the map can be used when the vehicle is within a maximum radius of 1.5 km.
5. BMW TeleServices.
This is a function for the remote diagnosis and solution of minor faults by updating configurations and software. This
requires an infrastructure and points of connectivity between the vehicle and the infrastructure.
Let's not forget that the vehicle has an integrated SIM card (not normally accessible to the user), which is used for
certain services such as connection with the My BMW ConnectedDrive portal.
6. Car-Internet connection.
This connection can be made in two ways:
6.1. From the vehicle's SIM card. This connection is the one used by the services/applications In Car Browser
Apps, My BMW Remote and BMW TeleServices.
6.2. From the user's smartphone. This mode is used by the In Car Smartphone Apps services.
POSSIBLE ATTACK VECTORS
In this section we are going to look at the different attack options that both BMW and its users could encounter with
the proposed structure. It must be borne in mind that with all the new technology and functionalities available, the
user is exposed to new threats that did not previously exist:
Vector 1. My BMW ConnectedDrive Portal.
This is a web portal that enables vehicle management. To log in, the serial number of each vehicle (VIN number)
must be provided. Once the VIN code has been entered into the portal, a second code is sent to the car, which
receives it via its integrated SIM card. The user must open the car and write down this code to then enter it into the
web portal. This provides a form of two-factor authentication that, for example, prevents us from registering a
vehicle that is not ours even if we know the data the portal asks for.
However, the risks are the same as for any web service. One of them is password theft, through a Trojan for
example, which would give an attacker control of the services BMW offers on its portal. The management of an online
service by users can also give rise to types of fraud already known in sectors such as banking. Spam specially
crafted for BMW users could emerge, with the aim of stealing passwords or carrying out more elaborate fraud.
One possible mitigation would be to offer a second factor of authentication for the web portal, for example, through a
mobile phone.
Vector 2. Applications.
BMW provides an application for both iPhone and Android, which enables the management of In Car Smartphone
Apps, as well as another app for Remote Services - My BMW Remote - (see below). There are also third-party
applications authorised by BMW that are installed in the user's phone independently. The list can be consulted in the
BMW Connected app itself.
One of the primary risks to users is malicious applications that impersonate the official applications that are
downloaded from the corresponding online store (PlayStore or AppStore). A search through both stores uncovers
more than 400 and 800 BMW applications respectively.
To run third-party apps, there is a selection of applications in the container app BMW Connected, which greatly
limits the possibility of an attacker being able to offer a malicious application through this limited list.
Although no details have been provided about which control systems are applied to third-party applications, because
the list is so short it is unlikely to include a malicious application at this time. However, this may change if the list of
applications grows dramatically in the future. The problems that app stores have controlling malicious apps are
very well known.
The BMW system only allows apps specially signed by BMW to run, which greatly diminishes the possibility of
attack. However, there are plenty of cases where attackers have stolen certificates from developers to sign their own
malicious applications. Thus, there is always the possibility that an attacker who compromises a developer could
insert a malicious application. We are unaware of BMW's controls in this regard.
Vector 3. Remote Services.
Remote services provide information about the status of our vehicle, but also enable us to turn lights on and off,
sound the horn, activate the air conditioning system and open and close doors. All of this is managed from the
smartphone, which makes all of this information available through the My BMW Remote app.
When it is enabled, the most remarkable thing is that our phone becomes a key. A poor choice of security question
or password clearly means that anyone in control of the phone could open the doors.
These applications also appear to hold a lot of information about the user if they are analysed, which requires
access to the owner's device. However, in the Android version the data apparently is not encrypted and the PIN can
be bypassed by an attacker, giving access to the remote services.
Security for the remote services app on our smartphone works as follows: The security question for installation is
asked the first time the application is downloaded to the phone. Once answered, the application prompts the user to
set a 4-digit code. Each time the user opens the application, he or she is prompted for this code. This operation also
carries a potential risk because the driver is able to turn off this 4-digit password from the settings.
Vector 4. BMW TeleServices.
This seems to be one of the most inherently dangerous vectors. If an attacker were able to intercept the
communication (Man in the Middle attack), he or she could replace the code installed in the car. This would
undoubtedly be the most critical case, as any code could be installed.
It is also possible to update the software for external devices (Bluetooth). To do this, the application must be
downloaded from the BMW website. The VIN number is the only thing requested to allow access to the updates.
Once the VIN number has been entered, the updates must be downloaded to an external USB. This USB is
connected directly to the car, which performs the update automatically. Of course this opens many doors to social
engineering attacks with false updates, which could cause all sorts of problems in the vehicle.
WHAT COULD HAPPEN
Once the different attack vectors have been identified, an analysis is conducted of an attacker's options and what
he or she could ultimately do.
• IN CAR SMARTPHONE APPS. Where malicious applications exist, these have access to the display, audio
controls, voice control and also the CAN data bus. This last point is the most interesting, as internal information
about the operation of the vehicle could be obtained, although apparently it cannot be written.
• MY BMW REMOTE APPLICATION. This application contains real-time information about the vehicle. Where
remote services are available, they can interact from outside the car. In an extreme case the locking system could
be opened. This involves a key in the phone, so in the event of a possible infection that provides control of the
phone to an attacker, the attacker would also control the key.
CASE STUDY
We have conducted a test on this point, based on an attack using "stolen" victim's credentials from the My BMW
ConnectedDrive site. In this case the victim had remote services enabled. Using the credentials, we were able to
download the app for the phone, change the security question and access remote services. As a result, we were
able to locate the car and open the doors. By doing this, and with the remote services enabled, it is possible to
steal the user's data and get access to the car. This would also apply if someone physically controlled the mobile
device.
• THEFT OF CREDENTIALS IN THE MY BMW CONNECTED DRIVE PORTAL. Through PC Trojans and spam
messages it would be possible to interact with the services purchased in the vehicle; although it would not be
possible to activate the remote services that could enable someone to unlock the vehicle if already activated.
• SOFTWARE AND HARDWARE VULNERABILITIES. Ultimately, new features involve millions of lines of code in
systems that are running in the car. These interact with devices that we connect to the vehicle. This complexity is
not free from faults which, if discovered and exploited, could lead to the takeover by outsiders of any of these
features. It depends, then, on the capacity for interaction that these elements have with the CAN bus.
One attack vector could be from connectivity with an infected mobile phone. At present there is no sleeping
malicious code especially designed to attack a vehicle to which it is connected. However, this option cannot be
discounted, especially in targeted attacks.
To our knowledge, there are several infotainment systems manufacturers, each with its own software and
operating systems. This makes the potential attack vector more heterogeneous.
• UPDATES. Update management is always vital in matters of security, especially in the distribution of patches for
a potential vulnerability.
Given that there seems to be a variety of operating systems across BMW's various components, the update
distribution policy is unclear. This is especially delicate where there are different suppliers that fragment the
market, as has happened with Android.
As far as we know, there is no system for testing applications in the system (Sanity Check) to detect illegitimate
software, or for remote deletion of this software.
There is a software update system (for Bluetooth, to our knowledge) available on the web and installable via USB.
This means that the vehicle recognises the updates on a USB device and installs them. Of course, this presents a
potential risk in the event of a malicious upgrade.
Although this would mean physical control of the vehicle, discounted as a hypothesis from the outset, the fact that
these types of updates are distributed via the web for users to download and install in their car via USB represents a
potential attack vector because it would be possible to create a false update distributed through social engineering.
CASE STUDY
In terms of USB updates, we were able to download the binary that they provide. Surprisingly, this is a TAR file
containing several files. Given that only a valid VIN is required to obtain this update (searching videos on YouTube,
there is no problem finding one), it would not be difficult for an attacker to obtain the file.
We found several signed RPM files within the update that contained the Combox software update. Analysing these
files showed they were for 32-bit Linux. In these files we quickly found the binaries that will be copied to the
Combox. They are not encrypted, so they provide a lot of internal information about the system and open the door
to reverse engineering them in order to install what we want in the vehicle.
Examples of code found inside the update:
    select * from (select sfid from library as l
        inner join (select * from w_dblAlbumTracksView as a order by a._rowid_ desc) as atv on atv.sFid=fid
        group by l.album_id order by atv._rowid_ desc)
    EXCEPT select sfid from mdi_image_cache as mic
        inner join library as l on mic.fid = l.fid and profile_index != -1
        inner join w_dblAlbumTracksView as atv on atv.sFid = l.fid
There are also the configuration files, including comments from the developers:
    <!-- If on, the accurate column will be assigned 1 after a full synchronization of all media on a
    media store. (EVERYTHING: What happens otherwise? -->
    <!--<ForceAccurateAfterFullSync enabled="off"/>-->
In these files we found databases (qdb database used internally) and libraries: in other words,
all the internal details that would allow any attacker to find out what was needed to exploit the system.
We can therefore assume that the possibility of taking control of the infotainment system through the
USB updates system is real.
• COMMUNICATION BETWEEN THE VEHICLE AND REMOTE SERVICES. This communication is performed via an
SMS that is sent to the car thanks to the embedded Machine to Machine-type SIM installed in the vehicle.
SMS communications can be decrypted, with varying degrees of difficulty, depending on the encryption employed.
This changes between operators, countries etc. We should remember that a car travels, so it is sensitive to these
changes if it receives these types of SMS messages that enable actions to be performed on it, such as
preconfiguring routes or remote services. If we were travelling in the car to India, for example, we would find that any
SMS messages received wouldn't be encrypted by the operator.
This could allow an attacker who has sniffed the phone number of the internal SIM card to attempt replay attacks or
send fake information, including routes or destinations.
BMW has informed us that these SMS messages are encrypted and signed. However, we don't know whether they
are signed for a particular receiving car or just generically signed by BMW; the latter would allow replay attacks.
Nor do we know whether these messages are encrypted and signed for all services.
In any case, SMS is probably not the most secure messaging protocol, as it does not establish a secure
cryptographic channel between sender and receiver, and that is the reason why BMW does not use it for critical
services. So it would probably be a good idea not to use it for any service that could lead to fraud attempts.
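The distinction between a generically signed message and one signed for a particular car comes down to what the receiving car checks. The following is an added example, not BMW's code: the report only states that the messages are encrypted and signed, so HMAC-SHA256 with an assumed fleet-wide key stands in for the signature, and the VIN values, counter and command name are constructed. With a real signature scheme the checks on the car side are the same: the VIN and a counter must be covered by the signature, and the car must refuse messages for another VIN or with a counter it has already seen.

```python
"""Replay and cross-car checks for signed remote-service messages (added example)."""
import hashlib
import hmac

# Assumption: one signing key shared by the backend and every car, i.e. the
# "generically signed by BMW" case the report asks about. Not a real secret.
FLEET_KEY = b"constructed-demo-key-not-a-real-secret"


def _tag(key, payload):
    """HMAC-SHA256 stand-in for the signature the report mentions."""
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def sign_generic(key, command):
    """Generically signed: only the command text is authenticated."""
    return f"{command}|{_tag(key, command)}"


def sign_bound(key, vin, counter, command):
    """Signed for one car: the VIN and a monotonic counter are covered by the tag."""
    body = f"{vin}|{counter}|{command}"
    return f"{body}|{_tag(key, body)}"


class CarReceiver:
    """Verification as it would run on the vehicle side (fields are '|'-separated)."""

    def __init__(self, vin, key):
        self.vin, self.key, self.last_counter = vin, key, -1

    def accept_generic(self, msg):
        try:
            command, tag = msg.rsplit("|", 1)
        except ValueError:
            return False
        # The signature is valid, but nothing ties the message to this car or to one use.
        return hmac.compare_digest(tag, _tag(self.key, command))

    def accept_bound(self, msg):
        try:
            vin, counter, command, tag = msg.split("|")
            counter = int(counter)
        except ValueError:
            return False
        if not hmac.compare_digest(tag, _tag(self.key, f"{vin}|{counter}|{command}")):
            return False  # forged or tampered
        if vin != self.vin:
            return False  # signed for another car
        if counter <= self.last_counter:
            return False  # replay of an already-processed message
        self.last_counter = counter  # strict ordering; out-of-order SMS delivery would need a window
        return True


def demo():
    """Deliver one message twice to car A and once to car B under each scheme."""
    car_a, car_b = CarReceiver("VIN-A", FLEET_KEY), CarReceiver("VIN-B", FLEET_KEY)
    generic = sign_generic(FLEET_KEY, "PRESET_ROUTE")
    generic_results = (car_a.accept_generic(generic),   # first delivery
                       car_a.accept_generic(generic),   # replay to the same car
                       car_b.accept_generic(generic))   # same message sent to another car
    bound = sign_bound(FLEET_KEY, "VIN-A", 7, "PRESET_ROUTE")
    bound_results = (car_a.accept_bound(bound),
                     car_a.accept_bound(bound),
                     car_b.accept_bound(bound))
    return generic_results, bound_results


if __name__ == "__main__":
    print(demo())
```

With generic signing all three deliveries are accepted; with the VIN and counter bound into the signed data only the first delivery to car A is.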
PRIVACY
This last point has a lot to do with the way all new services offered by connected vehicles are managed. Some of
these services are used directly from our telephone, so the manufacturer in principle does not have any direct
knowledge of them. However, in other cases they are managed through BMW.
When services are managed through the vehicle, the vehicle acts as an intermediary. For example, to access email
or social networks from the vehicle, credentials and information must be entered from the vehicle itself.
Not only that, but from then on our vehicle also knows our position, our routes, offers suggestions and search
services for restaurants and hotels, enables the use of voice commands (which are managed on external servers)
etc.
Moreover, when using the management application on our phone we are giving access to our physical position. In
addition, when we access the portal we provide data on where we are, what equipment we are using for access and
when we are doing it etc.
Without a doubt, with all of these services the manufacturers are entering headlong into the world of (very valuable)
customer data acquisition. Aware of this fact, they include corresponding clauses in all of the services in which they
tell us that we agree to provide such data.
This type of information has been used extensively for targeted Internet advertising. We can only imagine how our
car will offer us suggestions based on, for example, the interests of companies who want their services
recommended rather than those of the competition.
CONCLUSION
Ultimately, connecting cars to the Internet opens up a world of almost unlimited possibilities for users, but it also
opens the door to threats, which already exist in the world of PCs and smartphones, adapted to this new device
within the so-called Internet of Things. In addition, the data privacy issue also reaches the automobile segment with
giants such as Google, which has already colonised some of the models in the report with its search technology, or
the brands themselves, handling a growing volume of personal information.
08 What comes next: The fight for connectivity standards
As we have already mentioned in this report, the fragmentation of connectivity systems for telephone integration in
cars is the common denominator in the current automotive landscape. The creation of a single connectivity standard
that overcomes this fragmentation and makes drivers' lives easier has led to the development of technologies such
as MirrorLink, CarPlay, Android Auto and Windows in the car. There are also brands that, for the moment at least,
do not include the integration of smartphone apps in their connectivity strategy, as is the case for Peugeot and
Citroën.
These integration systems bring to mind past wars in a different field, that of connected cars. Apple is behind
CarPlay, Android Auto belongs to Google and Windows in the car bears the seal of Microsoft. Completing the circle,
the latter system is based on MirrorLink, which in turn was developed by Nokia.
• MIRRORLINK is a technology formerly known as Terminal Mode. It works in the following way: the user connects
the smartphone to the car's infotainment system with a cable and some of the apps on the telephone are
automatically projected onto the in-car screen.
The Car Connectivity Consortium, the body behind this technology, has created a MirrorLink certification, so that
only apps that have this certification can be displayed while driving, to ensure driving safety.
This solution is intended primarily for Android devices. Its main problem lies in the fact that compatibility is subject
to the telephone manufacturers with which it has reached an agreement. If the driver has a phone that is not
associated with this platform, MirrorLink will not work.
In Spain, this standard has been officially introduced by Volkswagen with its new Polo. In one of the models tested
in the report, the Lexus CT 200 H, it was offered as an option in the menu but could not be activated.
Phone brands that support the technology:
• HTC
• LG
• NOKIA
• PANASONIC
• SAMSUNG
• SONY
• CARPLAY: APPLE'S SOLUTION
This was launched at the last Geneva Motor Show by Volvo and was included in the iOS 7.1 update. It looks like
CarPlay will be available sometime in 2014.
The design is essentially the same as MirrorLink's: projecting some iPhone applications onto the infotainment
system display, provided they are safe for driving. The main difference lies in the design, as the projected screen
would have the same aesthetics as Apple's mobile operating system. It is important to note that there is no iOS
version running in the car. Rather, it is a projection of the phone screen into the car's own operating system.
The currently announced applications that are compatible with this system are as follows: Apple Maps, Podcasts,
Spotify and Stitcher.
This solution also allows the Siri vocal assistant to be integrated into the car for voice commands. Interaction with
the system can also take place via the steering wheel controls and, of course, the touch screen.
• OPEN ALLIANCE AUTOMOTIVE: ANDROID AUTO
Google's developer conference held at the end of June finally revealed more information about the way it conceived
in-car Android. The name of the system is Android Auto and, like MirrorLink or CarPlay, it seeks to project some of
the telephone's features into the car's multimedia system. The main advantage of this technology compared to
MirrorLink is that it does not require compatibility with specific terminals. Instead, it is integrated into the Android
operating system itself and thereby any telephone that runs this software.
Android Auto has a simplified design to make it easier for the driver to read, reducing distractions at the wheel.
It also places a lot of emphasis on voice control, to facilitate the use of the system.
To begin with, the applications that will be available on the vehicle's display will be Google Maps and
Google Play Music, although companies such as Spotify have announced their support for this platform. Its release
could come in the autumn and, in theory, has the support of 40 manufacturers.
It is also interesting to note that, although this would be in some way the official version of Android for cars,
manufacturers such as Volvo and Renault are already using the Android operating system.
• WINDOWS IN THE CAR, MICROSOFT'S ALTERNATIVE
The most recent connectivity standard to arrive has been Windows in the car, whose interface is based on
Windows 8. However, this alternative is not a new system, but rather a technological solution based on MirrorLink
and adapted to smartphones using Windows Phone. Not surprisingly, Microsoft is part of the MirrorLink consortium.
In addition, this wealth of alliances is not made up of watertight compartments. Instead, some automobile
manufacturers are backing several initiatives so as not to lose influence in the promising connected car sector. The
following graphic shows the different options handled by manufacturers:
CAR BRANDS AND PLATFORMS
MirrorLink: General Motors, Honda, Hyundai, Kia, Mazda, Mercedes, PSA Peugeot Citroën, Renault, Toyota,
Volkswagen.
CarPlay: Abarth, Alfa Romeo, Audi, BMW, Chrysler, Ferrari, Ford, Dodge, Fiat, General Motors, Honda, Hyundai,
Jaguar, Jeep, Kia, Land Rover, Mazda, Mercedes, Mitsubishi, Nissan, Opel, PSA Peugeot Citroën, RAM, Subaru,
Volvo, Suzuki, Toyota.
Android Auto: Abarth, Acura, Alfa Romeo, Audi, Bentley, Chevrolet, Chrysler, Dodge, Fiat, Ford, Honda, Hyundai,
Infiniti, Kia, Maserati, Mazda, Mitsubishi, Nissan, Opel, RAM, Renault, Seat, Skoda, Subaru, Suzuki, VW, Volvo.
09 Conclusion
The present and immediate future involves the use of hybrid solutions. The formula of subscription to connected
services coexists with the integration of free apps. To control all of these new features, voice assistants are
established as indispensable elements of equipment that must evolve.
We are clearly still in a very early stage of online connectivity systems in cars. Each brand provides the user with its
own solution and business models have not yet been established. Five general conclusions can be drawn from the
tests carried out in this report:
• Fragmentation: Although there are already initiatives underway and consortia seeking the creation and adoption
of a common standard for the integration of smartphones into cars, the reality is that manufacturers are still
committed to their own solutions. In fact, there are brands that are not even backing this integration beyond
Bluetooth connections to make calls and read text messages. With the arrival of CarPlay and Android Auto, it seems
that this trend is changing, but it remains to be seen whether the benefits of these platforms will satisfy all of the
users' needs.
• Optional Connectivity: If a driver wants to enjoy the online services of most of the brands featured in this report,
the model must be fitted with some item of additional equipment, with the consequent financial outlay that this
implies.
• Free services for a limited time: Many manufacturers choose to provide their customers with a free subscription
for a certain period, after which the services must be paid for. The curious thing is that these solutions coexist with
the integration of apps that offer free services.
• Coverage issues: Many online services such as music streaming need 3G coverage to operate normally. If the
vehicle is driven in urban areas, coverage is guaranteed. The problem arises when drivers travel on secondary
roads or stretches of motorways where there is no 3G coverage. This is when services drop out and reduce the
quality of the user experience. This is even more evident with 4G.
• Data consumption: This seems obvious, but online services require data usage that, in the case of the connected
car, may require the user to pay an additional fee. Operators have the ability to offer rates adapted to "large-scale
data usage".
• Voice assistants: One of the safest ways to control the connectivity offered by the manufacturers is the use of
vocal assistants. While the majority of the cars in the report offer this option, there is still a lot of room for
improvement. Brands such as BMW already allow for the integration of voice technologies from other sectors, as is
the case with Nuance. This firm, which specialises in voice software, was also responsible for developing Siri, Apple's
voice assistant. There is also a trend to incorporate text-to-speech solutions with a view to reading content from
emails or news, so that drivers can keep their eyes on the road.
10 The participants in this study were:
IAB
IAB (Interactive Advertising Bureau) is the world's largest advertising association. It was founded in New York in
1995 and is present in 45 countries.
It is a non-profit organisation that aims to develop the digital market through research, events, education and
lobbying.
It has more than 200 partners in Spain, including Google, Vodafone, Telefonica, Repsol, WPP, Omnicom, G+J,
Hachette - Hearst, Nielsen and Panasonic.
Co-author: Javier Clarke, Mobile & New Media Director at IAB Spain. Email: javier@iabspain.net.
APPLICANTES.COM
Applicantes.com is the number one website in Spanish for daily information on the world of apps and the Internet of
Things.
The project began in April 2012 when a group of corporate communication and technology journalism professionals
realised the growing demand for information on this sector, and the increasing relevance of apps in the mainstream
media.
Co-author: Juan Antonio Corrales, Co-founder of Applicantes.com. Marketing and Business Development at The
Appgency. Email: juanan@applicantes.com.
KASPERSKY LAB
Kaspersky Lab is one of the world's fastest growing security manufacturers and is among the four major security
companies worldwide. The company's 2013 results show a growth in turnover of 6% on the previous year, raising
the figure up to $667 million.
Kaspersky Lab operates in nearly 200 countries and has 32 local offices in 30 countries, providing protection to
more than 300 million users and 250,000 corporate clients, from SMEs to large corporations and government
agencies.
Co-author: Vicente Diaz, Senior Analyst at Kaspersky Lab. Email: vicente.diaz@kaspersky.com.
PERIODISMO DEL MOTOR
Periodismo del Motor is a website created in 2008 with the aim of covering news and innovations from the
automotive world. It also features car tests and coverage of motor sports, such as Formula 1 and rallying. It has
more than 11,400 followers on Facebook and 13,400 on Twitter.
Co-author: Hugo Valverde, Founder of Periodismodelmotor.com. Email: hvalverde@periodismodelmotor.com.
Layout: Emma Sanchez; Photography: Alejandro Moya.