      01-25-2021, 05:58 PM   #60
davewes
Quote: Originally Posted by Rux

My comments on this subject are for entertainment and my own curiosity.

I do not work in the automotive industry so I must rely on the experts who do to fill in some of the gaps for me.

I was at a DEFCON, when things used to be normal, where OTA, specifically the BMW OTA exploit CVE-2018-9322, was referenced.

It is clear that an update does not need to be downloaded or approved for install by the user. That is clear as the above stated exploit was patched OTA by BMW.

Isn't it possible that BMW could OTA determine if a DME was unlocked and if so, lock it remotely?

There are a ton of attack surfaces that connected vehicles have (GSM, HTTP, NGTP etc.). If you learned what type of encryption the OTAs used (asymmetric I assume) wouldn't it be possible to spoof an update with the parameters chosen by the user?

I am sorry if this has been asked before.
Those are some great points. Wouldn't be surprised at all if in the near future something like that would be SOP for manufacturers. Standard two way conversations between vehicles and the manufacturer. Live diagnostics, etc., labeled as a way to further refine servicing and to keep vehicles running in top condition. General public would love it. The rest of us? Not so much. Expanding OTA comms would smash open that attack surface. Regardless of what type of encryption the OEM used, someone will find a way to either break it or sidestep it. Whether that would take an APT or some random motivated dude would depend on the crypto I guess. Either way, I wouldn't be 100% comfortable with it.
__________________
Injen | Horsepower Freaks | Active Autowerke | VRSF
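Rux asks whether knowing the kind of encryption an OTA channel uses would let someone spoof an update with chosen parameters. The following Go example, added here and not taken from this thread, from BMW or from any OEM's actual update format, shows the property that asymmetric signing gives an ECU: the algorithm (Ed25519) and the public key can be public, yet a manifest rewritten with different parameters fails the check because only the private-key holder can sign it. The `Manifest` fields are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
)

// Manifest is a constructed, simplified OTA update description; the field
// names are assumptions and not any OEM's real format.
type Manifest struct {
	Target  string `json:"target"`  // control unit, e.g. "DME"
	Version string `json:"version"` // calibration/firmware version
	Payload []byte `json:"payload"` // opaque update blob
}

// Sign is the OEM release-side step: producing a valid signature requires the
// private key, which never leaves the OEM's signing infrastructure.
func Sign(priv ed25519.PrivateKey, m Manifest) (raw, sig []byte, err error) {
	raw, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return raw, ed25519.Sign(priv, raw), nil
}

// Verify is the ECU-side check against a pinned public key. Knowing the
// algorithm and the public key does not let anyone produce a valid signature.
func Verify(pub ed25519.PublicKey, raw, sig []byte) (Manifest, bool) {
	if !ed25519.Verify(pub, raw, sig) {
		return Manifest{}, false
	}
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return Manifest{}, false
	}
	return m, true
}

// Tamper models a spoofed update: the manifest is rewritten with chosen
// parameters while the genuine signature is reused; Verify must reject it.
func Tamper(raw []byte, newVersion string) []byte {
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return raw
	}
	m.Version = newVersion
	out, _ := json.Marshal(m)
	return out
}
```

The same check also rejects a genuine manifest presented to an ECU that pins a different public key, which is why key management on the vehicle side matters as much as the algorithm.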