Serious i3 Security Problems

[alohart]

In May, 2018, Keen Security Lab posted information about multiple security vulnerabilities in various modules of current BMW automobiles including the i3. These vulnerabilities could be exploited via the OBD or USB port which would require physical access to an i3. However, whenever an i3 owner/lessee is coding his/her i3 using an OBD to Ethernet or Bluetooth adapter, the adapter's wireless signal could be intercepted to give a malicious person the ability to hack various computer modules which could have serious consequences. Even worse are the vulnerabilities that could be exploited via an i3's cellular data connection which could occur without physical access to an i3.

This summary report provides some technical information that would be meaningful to those with technical backgrounds. As a retired computer programmer, I can understand most of the technical information. I am shocked by the carelessness of those at BMW who cobbled together various systems without sufficient regard for security.

However, in March, 2018, BMW acknowledged these security vulnerabilities to Keen Security Lab and began working on fixes. Some of these fixes could be and maybe have been implemented over the air whereas others would require software updates applied by a BMW dealer. A full report by Keen Security Lab is scheduled to be released in early 2019 to give BMW time to implement all of the fixes.

As an i3 owner, I want BMW to tell me and other i3 owners the status of these fixes.

• Have the over-the-air updates that fix some of these security vulnerabilities been applied? If not, when will this happen?
  
  
• Have software updates been developed that fix some of these security vulnerabilities? If so, which updates are these? Can i3 owners/lessees request that our dealers apply these updates at no cost to us?
  
  
• When do you expect all of these vulnerabilities to be fixed?

I have not heard anything from BMW about these problems. Have you? If not, what do you suggest as the best way to learn more from BMW? I have little confidence that my BMW dealer would have any information about this, but maybe I'm wrong.

 

[EVBob]

At first reviewing the document, it just seemed like the ODBII and usb interfaces would be the only real points of entry - easy bandaid would be not to leave your wireless odbii plugged in and be skeptical of all usb storage that has left your sight (really this should be done for all USB storage devices)...Then I saw:

"...
Technically speaking it’s possible to launch
the attack from hundreds of meters even when the car is in the driving mode. Using MITM attack
between TSP and the vehicle, attackers could remotely exploit the vulnerabilities existed in both
NBT and TCB, leading to backdoors being planted in the NBT and TCB. Typically, a malicious
backdoor can inject controlled diagnosis messages to the CAN buses in the vehicle.
..."

S#|T.....though I suppose the very small silver lining, would be that for the cellular exploit attack to work they would have to be in your general area and they could not do this attack remotely from a different country/state/town.....you would have to be individually targeted, it seems....

To be fair to BMW, the other car company that relies heavily on cellular connection - Tesla, has also been found to have numerous exploits:
https://keenlab.tencent.com/en/2017/07/27/New-Car-Hacking-Research-2017-Remote-Attack-Tesla-Motors-Again/

https://www.blackhat.com/docs/us-17/thursday/us-17-Nie-Free-Fall-Hacking-Tesla-From-Wireless-To-CAN-Bus.pdf

However - Tesla responded with fixes within 10 days of this one....


How should we proceed to make sure BMW fixes this in a timely manner? E-mail BMW HQs (NA and Europe) en mass? Start pushing this Keen Lab report to as many places as we can find, and hope it catches some mainstream attention forcing BMW to address before it turns into a smear campaign? One of us loans our i3 to the next Blackhat convention? :|

 

[EVMan]

I will try to shed some light into why this issue and how what it will take to fix the issue.

Having worked in software and hardware with different companies , i learned some things about the Process
1) there are traditional companies , which follow water fall model and have too many different teams working in silos. Everything is planned. In cars the cycle is normally 4 years
Though initial quality may be higher, if the product is not a disaster, but the wholes and product gaps , security or optimizations are never filled , and budged is allocated to future products and new models.
The budget drives everything, and is only allocated to future products.

2) The Tesla type agile model is very different, smaller teams, smaller task , agile budgets, agile goals.
Tesla is also doing agile manufacturing , where every week the production processes , models etc change . Experiment , improve.
Since the software team is almost always involved continuously, they keep listening to customers, adding features , adding bugs and fixing bugs .

In my i3, i have all the hardware , but basic things like using GPS location to decide if the customer is not at home and may not be interested in 'Time of Use Charging', is only a dream. Small tasks, but the question is "why improve existing models, we do it in new models only"

Unless car companies are forced, every one at car companies is mostly focused on new products. By new, i mean the Goals which were set by CEO 1-2 years back.

Tesla is a tech company , so we cannot compare the two. There is product is vertically integrated with one Tesla developed computer board, talking care of everything in car
Other Ev's source electronics from different companies and integrate them. Too many silos, very difficult to upgrade the wholes. Not like a Tesla type fix.
.

 

[EVBob]

...
Unless car companies are forced, every one at car companies is mostly focused on new products. By new, i mean the Goals which were set by CEO 2 years back.
....

So, this is something where a government agency would need to step in and demand a fix/recall? NTSB?

If so, they probably wouldn't get involved until there were a few reported incidents where the i3 was broken into and perhaps a few people get killed?

 

[EVMan]

I would guess, in today's world , the real pressure ( Both good and Bad) comes from Social Media, Fan Boys and Shorts.
Publishing the report in online Auto magazines , twitter , FB will effect new model sales, company reputation in millennial's , so you bet!
I have not seen NTSB been involved in any hacking type of issues, as none have resulted in actual incidents. Its a well know open issue.

So, this is something where a government agency would need to step in and demand a fix/recall? NTSB?

If so, they probably wouldn't get involved until there were a few reported incidents where the i3 was broken into and perhaps a few people get killed?

 

[alohart]

I would guess, in today's world , the real pressure ( Both good and Bad) comes from Social Media, Fan Boys and Shorts.
Publishing the report in online Auto magazines , twitter , FB will effect new model sales, company reputation in millennial's , so you bet!

Keen Security Labs is withholding details of their exploits until early 2019 to give BMW time to issue software updates that fix the security problems. BMW's letter to Keen Security Labs indicated that fixes were being rolled out starting in April, 2018, and that software updates that require dealer installation were being developed. I want to know when these dealer-installed software updates will be available and whether BMW would pay dealers to install these updates (can't imagine that they wouldn't).

I'm concerned that BMW won't want to publicize these security weaknesses, so they might not inform affected BMW owners when the software updates are available. These security flaws affect most recent BMW vehicles, not just i3's, so many vehicles will be affected.

 

[i3Houston]

I will try to shed some light into why this issue and how what it will take to fix the issue.

Having worked in software and hardware with different companies , i learned some things about the Process
1) there are traditional companies , which follow water fall model and have too many different teams working in silos. Everything is planned. In cars the cycle is normally 4 years
Though initial quality may be higher, if the product is not a disaster, but the wholes and product gaps , security or optimizations are never filled , and budged is allocated to future products and new models.
The budget drives everything, and is only allocated to future products.

2) The Tesla type agile model is very different, smaller teams, smaller task , agile budgets, agile goals.
Tesla is also doing agile manufacturing , where every week the production processes , models etc change . Experiment , improve.
Since the software team is almost always involved continuously, they keep listening to customers, adding features , adding bugs and fixing bugs .

In my i3, i have all the hardware , but basic things like using GPS location to decide if the customer is not at home and may not be interested in 'Time of Use Charging', is only a dream. Small tasks, but the question is "why improve existing models, we do it in new models only"

Unless car companies are forced, every one at car companies is mostly focused on new products. By new, i mean the Goals which were set by CEO 1-2 years back.

Tesla is a tech company , so we cannot compare the two. There is product is vertically integrated with one Tesla developed computer board, talking care of everything in car
Other Ev's source electronics from different companies and integrate them. Too many silos, very difficult to upgrade the wholes. Not like a Tesla type fix.
.

It makes me very sad that i3 software is so backward compared to Tesla even though I like i3(and probably will skip/delay buying a Tesla).

What shocking to me is that thousands of i3s have the custom code via BimmerCode and it has been tested so why not bundle all that and include in a software update.

 

[alohart]

What shocking to me is that thousands of i3s have the custom code via BimmerCode and it has been tested so why not bundle all that and include in a software update.

To clarify, BimmerCode doesn't change an i3's software; it can change the values of parameters that the i3's software reads to govern the software's behavior. So there's nothing from BimmerCode to bundle into an i3 system software update.

 

[i3Houston]

What shocking to me is that thousands of i3s have the custom code via BimmerCode and it has been tested so why not bundle all that and include in a software update.

To clarify, BimmerCode doesn't change an i3's software; it can change the values of parameters that the i3's software reads to govern the software's behavior. So there's nothing from BimmerCode to bundle into an i3 system software update.

BMW can make those parameters available so owners given that so many of us use it to do that. I am just complaining that car is a modern marvel but software is still ancient.

 

[EVBob]

BMW can make those parameters available so owners given that so many of us use it to do that. I am just complaining that car is a modern marvel but software is still ancient.

For the early i3 - one reason you couldn't access those parameters was because of ZEV credits for the Rex -- https://youtu.be/zWgeVytbvLI?t=113

Besides that giving the end user the ability to turning off navigation, seatbelt, etc would probably be a liability nightmare for them...

 

[jadnashuanh]

The software itself remains the same when you 'code' it with something like Bimmercode app. The path needs to have been already planned (and hopefully, tested), and coding just selects different branches to perform the desired task. Getting a new function cannot be changed via what we call 'coding', only selecting an existing one. It's highly likely that to improve security will require new software to be written and tested, not trying new combinations of existing code. Now, I certainly could be wrong...I'd like to know for sure, but I do not think so.

 

[i3Houston]

BMW can make those parameters available so owners given that so many of us use it to do that. I am just complaining that car is a modern marvel but software is still ancient.

For the early i3 - one reason you couldn't access those parameters was because of ZEV credits for the Rex -- https://youtu.be/zWgeVytbvLI?t=113

Besides that giving the end user the ability to turning off navigation, seatbelt, etc would probably be a liability nightmare for them...

Oh no not that. I am talking about modifications outside of Rex/ZEV credits and regulatory requirements. Whats disappointing is that BMW delivered i3 with outdated software out the door. For example, pre-conditioning can be set only at one time, weekdays and weekends; Geo-fencing is another.

 

[vrpirata]

Agile so call "improvements" are more marketing claims than real life realizations. Recently several studies have surfaced proving most Agile claims are never realized, and the overhead is excessive. It is surprising how many companies are jumping into the Agile wagon relying on marketing claims instead of hard data.

I will try to shed some light into why this issue and how what it will take to fix the issue.

Having worked in software and hardware with different companies , i learned some things about the Process
1) there are traditional companies , which follow water fall model and have too many different teams working in silos. Everything is planned. In cars the cycle is normally 4 years
Though initial quality may be higher, if the product is not a disaster, but the wholes and product gaps , security or optimizations are never filled , and budged is allocated to future products and new models.
The budget drives everything, and is only allocated to future products.

2) The Tesla type agile model is very different, smaller teams, smaller task , agile budgets, agile goals.
Tesla is also doing agile manufacturing , where every week the production processes , models etc change . Experiment , improve.
Since the software team is almost always involved continuously, they keep listening to customers, adding features , adding bugs and fixing bugs .

In my i3, i have all the hardware , but basic things like using GPS location to decide if the customer is not at home and may not be interested in 'Time of Use Charging', is only a dream. Small tasks, but the question is "why improve existing models, we do it in new models only"

Unless car companies are forced, every one at car companies is mostly focused on new products. By new, i mean the Goals which were set by CEO 1-2 years back.

Tesla is a tech company , so we cannot compare the two. There is product is vertically integrated with one Tesla developed computer board, talking care of everything in car
Other Ev's source electronics from different companies and integrate them. Too many silos, very difficult to upgrade the wholes. Not like a Tesla type fix.
.

 

[i3Houston]

Agile so call "improvements" are more marketing claims than real life realizations. Recently several studies have surfaced proving most Agile claims are never realized, and the overhead is excessive. It is surprising how many companies are jumping into the Agile wagon relying on marketing claims instead of hard data.

I will try to shed some light into why this issue and how what it will take to fix the issue.

Having worked in software and hardware with different companies , i learned some things about the Process
1) there are traditional companies , which follow water fall model and have too many different teams working in silos. Everything is planned. In cars the cycle is normally 4 years
Though initial quality may be higher, if the product is not a disaster, but the wholes and product gaps , security or optimizations are never filled , and budged is allocated to future products and new models.
The budget drives everything, and is only allocated to future products.

2) The Tesla type agile model is very different, smaller teams, smaller task , agile budgets, agile goals.
Tesla is also doing agile manufacturing , where every week the production processes , models etc change . Experiment , improve.
Since the software team is almost always involved continuously, they keep listening to customers, adding features , adding bugs and fixing bugs .

In my i3, i have all the hardware , but basic things like using GPS location to decide if the customer is not at home and may not be interested in 'Time of Use Charging', is only a dream. Small tasks, but the question is "why improve existing models, we do it in new models only"

Unless car companies are forced, every one at car companies is mostly focused on new products. By new, i mean the Goals which were set by CEO 1-2 years back.

Tesla is a tech company , so we cannot compare the two. There is product is vertically integrated with one Tesla developed computer board, talking care of everything in car
Other Ev's source electronics from different companies and integrate them. Too many silos, very difficult to upgrade the wholes. Not like a Tesla type fix.
.

What EVman says makes sense, so updates will only be for new i3 models. 4 year refresh cycle will negatively work for these traditional auto makers because of the end-user learning curve becoming steeper and longer as tech is being added to the car at high rate. So when someone will buy a next i3 it would mean learning all the new menus etc.

 

[jack1024]

Agile so call "improvements" are more marketing claims than real life realizations. Recently several studies have surfaced proving most Agile claims are never realized, and the overhead is excessive. It is surprising how many companies are jumping into the Agile wagon relying on marketing claims instead of hard data.

As somebody who does software project management for a living (for over 20 years), I could not disagree with you more. As with anything in this life sometimes there are some outlandish claims, but Agile iterative development is definitely a better way to run software (and even hardware) development.

Most importantly, its value added focus (versus budget focus) means that as a consumer I get the good stuff, and more importantly, the stuff that I want sooner. This may mean that I have to put up with a defect or two along the way, but usually those are fixed quickly in the next iteration. Small price to pay.