Blog: How-Tos

BMW i3 password issues

Ken Munro 28 May 2014

This post contains much of the source material referred to by The Register’s article on 27 May 2014.

A friend of mine took delivery of a shiny new BMW i3. I had already started nosing around in it’s built-in email reader application when security issues with the Tesla started coming to light
coming to light.

My buddy knows that I love all things “security”, so we took a good look at the account creation, sign up and authentication processes that he went through to register the car.

The i8 and the i3 have an iOS app (“iRemote”). This a further build on the Connected Drive app that many Mini and BMW drivers will have encountered. The app enables people to check battery life, potential range, turn on pre-heating/cooling, and maybe most interestingly, the ability to unlock/lock the car.

So, what do think got my attention? That’s right, could someone locate a car, and unlock it?

Initial findings

The first thing to note is that BMW’s approach looks to be more secure than Tesla’s. With the BMW app it appears that regular MITM attacks would be very difficult to pull off.

Signing a car up to iRemote can be done ONLY using a phone call. There is some significant user validation too, more than for Connected Drive.

BMW deserve significant credit for this. The process has clearly been given plenty of thought, more than Tesla seem to have put in, but there are still some potential issues.

…and this was where it got interesting:

Fail #1: User name choice

My friend was asked to choose a user name by the call centre when first registering.

He chose firstname.lastname, which is a pretty standard choice for most people. BUT customers really ought to be advised against this.

Finding new i3 owners on the web isn’t the toughest job in the world. They’re tech savvy and like shouting about it. I’m a fan too, it’s a great piece of kit!

Based on a bit of Googling I reckon I have a decent chance of guessing the app username, problem is that I need to know that I’ve got it right, right?

OK, so back to the Connected Drive login for that. In a lot of cases it’s possible to validate a username through a “forget your password” form. Not so for BMW. Good work! Instead you need to contact their call centre, meaning that some social engineering is in order.

Also, failed login attempts don’t disclose the element that’s wrong, the error messages are non-specific. Again, good work.

Fail #2: Lockout

…and that would all be OK EXCEPT for this: My friend managed to lock himself out of Connected Drive while fiddling with the mail reader. It transpired that after five failed attempts from his fat digits the account locked- with an error message. Meaning that you only get a lockout if the user account name is valid.

So, if you can validate usernames that you’ve culled from other resources, you can lock those out of Connected Drive AND iRemote by entering a series of dud passwords. This denial of service isn’t that sexy, but it would drive most Connected Drive users batty if they lost their functionality.

There still isn’t a compromise though, just an annoying DoS.

Fail #3: Inconsistent lockout

The reset and authentication processes between Connected Drive and iRemote are inconsistent. When the account locks out, the reset was sent out of band, via a one-time SMS password sent to the registered phone. A big tick for BMW again.

However that password was five lower case alpha characters. Not great, but not a problem if it is changed the first time it’s used, and that’s exactly what the Connected Drive app correctly enforced. The iRemote application didn’t though. The five character password worked, and continued to work. The iOS app locked out after ten failed attempts.

We still don’t have a compromise though.

Part-fail #4: Password weakness

The iRemote application password isn’t case sensitive. It can be quite hard to lock yourself out even with caps lock is on, that’s when the app authenticates you anyway!

Five lower case characters = 10^18 combinations, which wouldn’t be a quick hack over HTTPS, and besides, the failed attempt lockout would kick in pretty quickly.

Fail #5: Second pairing

The first time provisioning process for Connected Drive and iRemote is fairly robust. It would be hard to do much without some social engineering. However, once you’re up on iOS, it’s trivial to provision ANOTHER iPhone with the app. AppStore, the same username + the same password. That’s it!

To prove the point, my friend showed me the process of installing and configuring the app on his wife’s phone, so she could talk to the car too. Once we have the password to the Connected Drive account, it’s all over.

Other strong points

BMW have implemented an additional PIN to access the app, a shrewd move. If a user is daft enough to have device with no PIN lock at least a stolen phone doesn’t mean a compromised car.

Next steps

So far we haven’t even touched the car, so we plan to look at the Wi-Fi access point inside, to review network connectivity, segregation, and mainly to see if we could find a direct interface to the car. As an aside the Tesla has its own custom Ethernet port, the kind that an RJ45 connection could be created for. I sincerely hope the i3 doesn’t have one!

The email reader application looks particularly interesting, though at first sight appears to validate content fairly effectively.

Attacks

A MITM attack looks like being struggle as the iOS app is pretty well configured. Intercepting and modding traffic could be interesting, but would probably require firing up a USRP in a Faraday cage to get anything.

Here’s what I think would likely yield success:

Profile the user online, and dig out their mail account through social media research. Then check the various password breach databases (e.g. Adobe) and see if they’ve re-used a password.

Install the iRemote app, enter username and password, find the car using the app, and unlock it…

This has to be the simplest vector to compromise a vehicle.

And yes, my friend had re-used a password. He doesn’t any more!