Never Ending Security

It starts all here

6 security failures discovered in BMW’s “ConnectedDrive”, used in BMWs made from 2010 onward.

-Failure One: BMW uses the same symmetric key in all of its cars.
-Failure Two: Some services send data to the BMW backend without any transport encryption.
-Failure Three: The integrity of the ConnectedDrive configuration is not protected.
-Failure Four: The Combox reveals the VIN (Vehicle Identification Number) of the vehicle in NGTP (Next Generation Telematics Protocol) error messages.
-Failure Five: Data sent via SMS in NGTP format is encrypted with the dated and unsafe DES cipher.
-Failure Six: The Combox has no protection against replay attacks.

All of these failures could easily have been avoided if some attention had been paid to them. The big question now is: do the people at BMW not care about security, or do they just not understand it?
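One way a receiver can avoid Failures One and Six, as an added example that is not from the original post or from BMW: derive a separate key per vehicle, authenticate every message with HMAC-SHA256, and reject any counter that is not strictly increasing. The message layout, function names, master key and VIN values are constructed for illustration and are not the NGTP format.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def derive_vehicle_key(master_key: bytes, vin: str) -> bytes:
    """Per-vehicle key: extracting it from one car exposes only that car."""
    return hmac.new(master_key, b"vehicle-key|" + vin.encode(), hashlib.sha256).digest()


def seal(key: bytes, counter: int, payload: bytes) -> bytes:
    """Backend side: prefix a 64-bit counter, append a MAC over counter + payload."""
    body = struct.pack(">Q", counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Vehicle side: accept only if the MAC verifies and the counter is fresh."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0  # a real unit must keep this in persistent storage

    def accept(self, message: bytes):
        if len(message) < 8 + TAG_LEN:
            return None  # too short to hold counter and tag
        body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged, tampered, or keyed for another vehicle
        (counter,) = struct.unpack(">Q", body[:8])
        if counter <= self.last_counter:
            return None  # replay of an already accepted message
        self.last_counter = counter
        return body[8:]


# Constructed sample values, not taken from any real vehicle or backend.
MASTER = bytes(range(32))
car_a = Receiver(derive_vehicle_key(MASTER, "TESTVIN0000000001"))
car_b = Receiver(derive_vehicle_key(MASTER, "TESTVIN0000000002"))
msg = seal(derive_vehicle_key(MASTER, "TESTVIN0000000001"), 1, b"config-update")
print(car_a.accept(msg))  # first delivery is accepted
print(car_a.accept(msg))  # identical bytes replayed: rejected
print(car_b.accept(msg))  # same message delivered to another car: rejected
```

The MAC gives authenticity and integrity only; confidentiality of the payload still needs transport or message encryption with a modern cipher.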

Worldwide, about 2.2 million BMW cars have these same problems.

A detailed report about these issues can be found at:
