App Security Flaw leaves BMW exposed to hackers!

When a reputed company like BMW faces unethical hacking and security lapses in its ConnectedDrive software, we can sense a huge lack of awareness in the field of mobile app security.

Because of this flaw, Rolls-Royce, Mini and over 2.2 million cars were exposed to hackers. The application could control a number of functions including the door locks, the air conditioning and the horn. The software runs from an onboard SIM card and is driven via smartphone apps. The flaw allowed hackers to remotely control the SIM card through a fake mobile network.

Recently, BMW patched the security bug by using the HTTPS protocol (Hyper Text Transfer Protocol Secure), which, in the opinion of security blogger Graham Cluley, should have been applied in the first place!

BMW also released a statement which says,

"On the one hand, data are encrypted with the HTTPS protocol, and on the other hand, the identity of the BMW Group server is checked by the vehicle before data are transmitted over the mobile phone network."

Joshua Corman, CTO at Sonatype, praises BMW's response and its approach to the fix. However, the flip side of SSL is the way it is implemented. We have already seen enough cases where OpenSSL has displayed security flaws. In fact, research at Appknox also shows that SSL issues are among the top 5 security vulnerabilities found in mobile apps.
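The two halves of BMW's statement, transport encryption plus a server identity check before any data is sent, map directly onto how a mobile client configures its TLS stack. The following is an added illustration, not code from the article or from BMW: a weakly configured Python `ssl` client context beside a hardened one, an audit function that flags the weak settings, and an optional certificate pin check; the pin value and the certificate bytes are constructed placeholders.

```python
import hashlib
import socket
import ssl

# Constructed placeholder pin: SHA-256 of the server's DER-encoded certificate.
# A real deployment would record the hash of the genuine server certificate.
EXPECTED_PINS = {"sha256/" + hashlib.sha256(b"constructed-server-cert-der").hexdigest()}


def weak_client_context() -> ssl.SSLContext:
    """The pattern the article warns about: the bytes are encrypted, but the
    client never checks who it is talking to, so any party that can route the
    connection (a fake mobile network, for example) can present any certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile=None) -> ssl.SSLContext:
    """Chain validation + hostname check (the default context) and no legacy TLS."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the identity- and version-related weaknesses found in a client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS allowed")
    return findings


def pin_matches(der_cert: bytes, pins=EXPECTED_PINS) -> bool:
    """Second factor of server identity: the presented certificate must match a known pin."""
    return "sha256/" + hashlib.sha256(der_cert).hexdigest() in pins


def pinned_connect(host: str, port: int, ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """Handshake, verify the pin, and only then hand the socket back for sending data."""
    raw = socket.create_connection((host, port))
    tls = ctx.wrap_socket(raw, server_hostname=host)   # hostname check happens here
    if not pin_matches(tls.getpeercert(binary_form=True)):
        tls.close()
        raise ssl.SSLError("server certificate does not match the expected pin")
    return tls
```

`audit_context` is the kind of check a mobile app security review would run against every client context the app builds; `pinned_connect` shows where the identity check must sit relative to the first application byte.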

Experts warn that with the growing number of software-equipped cars on the market, there is a huge threat of malware and hacking. With not only the vehicles but also their high-end occupants as targets, there is an urgent call for app security today.

Mark O'Neil of Axway, a software organization in the UK, says that such malicious attacks are foreseeable given the vulnerabilities, and that finding the software and the vehicle vulnerable would mean abuses beyond imagination!

Dave Miller, CSO at Covisint, says: "We believe it is important to get this right now, at the beginning, instead of having to retrofit millions of cars." He further states: "In this vein, we believe that putting the security infrastructure into the cloud, instead of the vehicle, will allow for the modification of defense strategies as the threat landscape changes."

Mobile app security is today a much-needed safeguard for app developers and for the companies that widely employ their apps. Big or small, companies using a mobile app for customer benefit are in a high-risk state. BMW is just one example showcasing the vulnerability that is present and the open space that lets unethical hackers sweep in. Security flaws are common; solutions and awareness are the need of the hour!

Published on Feb 4, 2015
Written by Subho Halder
Subho Halder is the CISO and Co-Founder of Appknox. He started his career researching mobile security. Currently, he helps businesses detect and fix security vulnerabilities. He has also detected critical loopholes in companies like Google, Facebook, Apple and others.
