Automotive Cybersecurity: Events, BMW i3/5/7 Hacks, Organization & Research

The automotive cybersecurity market is heating up with a premier event, a new cybersecurity organization, two new research centers and new research that shows how vulnerable BMW models were to hacking.

On May 25, the GDPR (General Data Protection Regulation) framework became law across the EU. The goal is to give citizens back control of their personal data through strict rules. It requires that anyone who receives emails be able to delete data. So far we have not heard of any major changes in the automotive space. All EU citizens now have the right to see what information companies have about them, and to have that information deleted. Since many automotive companies are keeping the location and start/stop times of vehicles, there should be major issues in Europe.

Companies must gain consent to use data. In the case of a data breach, the overseeing authority must be informed within 72 hours.

Companies must also tell all affected users about any data breach, and tell the overseeing authority within 72 hours.

In the United States, news sites such as the LA Times and Chicago Tribune are not allowing access to customers in European countries. We at AUTO Connected Car News only keep the email addresses of newsletter subscribers. If you unsubscribe from the newsletter, your email address is deleted.

TU-Automotive Cybersecurity Nominees and Stories

TU-Automotive is a few weeks away. This year it will have an Automotive Cybersecurity track with a vast list of cybersecurity experts and discussions. The conference starts with an awards dinner, and some of the nominees have been nominated for or won AUTO Connected Car News Tech CARS Awards.

  • Argus Cyber Security – Argus Connectivity Protection (Winner of Tech CARS Award).
  • BlackBerry Limited – BlackBerry Jarvis (Tech CARS nominee).
  • Cisco – Cisco Jasper Control Center 7.0 for Connected Cars – Traffic Segmentation and Threat Protection & Smart Security (TPSS) Services.
  • Irdeto – Irdeto Cloakware™ Software Protection.
  • Karamba Security – SafeCAN by Karamba Security (Winner of Tech CARS Award).
  • SafeRide Technologies Ltd – vSentry.
  • Sital Technology – Sital FPS (FingerPrintingSystem).

There is still time to register for TU-Automotive Detroit; use the code AUTOCC100 when you register for $100 off. Speakers include strategists, experts and researchers from MIT, AUTO-ISAC, Visteon, Toyota, Continental, Uber, CVTA, HARMAN and McDermott Will and Emery LLP.

A TU-Automotive survey found that the top priorities for developing cyber-secure automotive systems should be:

  • 38% Developing global standards and best practices.
  • 19% Information sharing and collaboration.
  • 19% Investing in cybersecurity technology.
  • 9% Better education within teams and for suppliers.
  • 3% Developing vulnerability disclosure programs.
  • 2% Recruiting the right talent.
  • 7% Other.


Infineon Leads SecForCARs with Bosch, VW, AUDI & Universities

Security For Connected, Autonomous Cars (SecForCARs) has funding of €7.2 million from the German Federal Ministry of Education and Research. Infineon is leading the project.

The project brings together experts from the fields of IT security and autonomous driving. The car makers involved are Volkswagen AG and AUDI AG. The supplier industry is represented by Infineon Technologies AG and Robert Bosch GmbH. ESCRYPT GmbH, Itemis AG, Mixed Mode GmbH and SCHUTZWERK GmbH represent tool manufacturers and the security industry. Selected research institutes and universities ensure that the latest results from research are transferred to the project. They include the University of Ulm, the Technical Universities of Braunschweig and Munich, the Free University of Berlin, the Karlsruhe University of Applied Sciences, and the Fraunhofer Institutes AISEC and IEM. SecForCARs will run until March 2021.

CAN Data Diode

A consortium of industry leaders in vehicle cybersecurity has come together to develop the CAN Data Diode, a creative development from the University of Tulsa’s Student CyberTruck Experience (CyTeX) program under the direction of Dr. Jeremy Daily. The National Motor Freight Traffic Association, Inc. (NMFTA), the University of Tulsa, Irdeto, Geotab, DG Technologies and other industry experts are collaborating to identify and validate possible commercial applications such as securing Electronic Logging Devices (ELDs). The CAN Data Diode is a hardware device that prevents communication from the ELD to a commercial vehicle, virtually eliminating the connected ELD as a remote cyber attack surface. It is essentially a hardware firewall for connected vehicles.

BMW Keen on White Hat Hacking Awards Keen

Keen Security Lab found ways to hack hardware and software on the in-vehicle infotainment Head Unit, Telematics Control Unit and Central Gateway Module of multiple BMW vehicles. By focusing mainly on various external attack surfaces (including the GSM network, BMW Remote Service, BMW ConnectedDrive System, Remote Diagnosis, NGTP protocol, Bluetooth protocol, USB and OBD-II interfaces), Keen Security Lab gained local and remote access to infotainment components, T-Box components and UDS communication above a certain speed in selected modules of multiple BMW vehicles, and was able to gain control of the CAN buses by remotely executing arbitrary, unauthorized diagnostic requests on BMW in-car systems.

Keen Security Lab found some ways to influence the vehicle via different kinds of attack chains by sending arbitrary diagnostic messages to electronic control units. They also gained access to the head unit and telematics control unit. The attack chains aim to transmit arbitrary diagnostic messages through the Central Gateway Module in order to impact or control electronic control units on different CAN buses (e.g. PT-CAN, K-CAN, etc.).
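From the defender's side, diagnostic requests that reach a CAN bus while the car is moving are a signal worth alerting on. The following is an added example, not code from Keen Security Lab or BMW: it scans a candump-style log and flags state-changing UDS requests seen above a speed threshold. The speed frame ID and encoding, the threshold, the use of the ISO 15765-4 request IDs, and the sample log are all assumptions made for illustration.

```python
import re

# Assumed values, not taken from the report: real vehicles use OEM-specific IDs.
SPEED_ID = 0x1A0                        # hypothetical frame: bytes 0-1 = km/h * 100
DIAG_REQUEST_IDS = range(0x7E0, 0x7E8)  # ISO 15765-4 physical request IDs
SPEED_LIMIT_KMH = 5.0                   # assumed policy threshold
# UDS (ISO 14229) services that change ECU state
RISKY_SIDS = {0x10: "DiagnosticSessionControl", 0x11: "ECUReset",
              0x27: "SecurityAccess", 0x2E: "WriteDataByIdentifier",
              0x2F: "InputOutputControlByIdentifier", 0x31: "RoutineControl"}
LINE = re.compile(r"\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]+)#((?:[0-9A-Fa-f]{2})*)\s*$")

# Constructed sample in `candump -l` format (not captured from a vehicle).
SAMPLE_LOG = """\
(1527260000.100000) can0 1A0#0000000000000000
(1527260000.200000) can0 7E0#0210030000000000
(1527260001.100000) can0 1A0#1F40000000000000
(1527260001.200000) can0 7E0#023E000000000000
(1527260001.300000) can0 7E0#0211010000000000
(1527260001.400000) can0 7E3#1012310102030405
""".splitlines()

def uds_sid(data):
    """Return the UDS service ID from an ISO-TP single or first frame, else None."""
    if not data:
        return None
    pci = data[0] >> 4
    if pci == 0 and 1 <= (data[0] & 0x0F) < len(data):  # single frame
        return data[1]
    if pci == 1 and len(data) >= 3:                     # first frame of a multi-frame message
        return data[2]
    return None                                         # consecutive / flow-control frames

def find_alerts(lines):
    """Flag risky UDS requests observed while the last known speed exceeds the limit."""
    speed, alerts = None, []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, bus, can_id, data = float(m[1]), m[2], int(m[3], 16), bytes.fromhex(m[4])
        if can_id == SPEED_ID and len(data) >= 2:
            speed = int.from_bytes(data[:2], "big") / 100.0
        elif can_id in DIAG_REQUEST_IDS:
            sid = uds_sid(data)
            if sid in RISKY_SIDS and speed is not None and speed > SPEED_LIMIT_KMH:
                alerts.append((ts, bus, hex(can_id), RISKY_SIDS[sid], speed))
    return alerts
```

On the sample log, the session-control request at standstill and the TesterPresent request are ignored, while the ECUReset and RoutineControl requests at 80 km/h are reported.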

Based on research experiments, the company can confirm that the vulnerabilities in the Head Unit would affect several BMW models, including BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series and BMW 7 Series. The vulnerabilities in the Telematics Control Unit (TCB) would affect BMW models equipped with this module and produced from 2012 onward.

BMW confirmed that the vulnerabilities found are present in the infotainment and T-Box components mentioned above. Updates have already been developed and implemented by BMW (see below).

The research on BMW cars is an ethical hacking research project. Keen Lab follows the “Responsible Disclosure” practice, which is a well-recognized practice among global manufacturers in the software and internet industries.

BMW informed Keen Security Lab that, for all the attacks via cellular networks, BMW started implementing measures in March 2018. These measures have been in rollout since mid-April 2018 and are distributed remotely via configuration updates to the affected vehicles. Additional security enhancements are developed by BMW in the form of optional software updates. These will be available through the BMW dealer network.

The BMW Group is convinced that the presented study constitutes by far the most comprehensive and complex testing ever conducted on BMW Group vehicles by a third party. For this outstanding research work, Tencent Keen Security Lab has been selected as the first winner of the BMW Group Digitalization and IT Research Award.

Read full report.

PwC Launches Global Cybersecurity Centre for Excellence in Israel

PwC has launched a global Cybersecurity Centre of Excellence for critical infrastructure protection and Industrial Control Systems (ICS) & Operations Technology (OT) security in Israel – dedicated to helping governments and multi-national industrial companies around the world manage this critical and complex part of the cybersecurity landscape.
As part of the Centre of Excellence, a unique Cyber Security Experience Centre (CSEC) is being built in Beer Sheva, Israel. The CSEC – considered the first of its kind in the world – simulates an integrated national critical infrastructure ecosystem, featuring small-scale kinetic modules of all typical critical infrastructure facilities, all connected to real-life PLCs and ICS/SCADA networks, operating within a fully integrated cybersecurity framework.
With a highly experienced team of national-level cybersecurity professionals and state-of-the-art methodologies from across the PwC network, the new centre provides a comprehensive, end-to-end cybersecurity framework – from national cyber strategy for critical infrastructure protection; through to regulation; design and development of national CERTs and sectorial Hybrid-SOCs; to securing the ICS/SCADA networks of industrial facilities.

GRIMM opens MI Lab

GRIMM, a leading cybersecurity research and engineering firm, announced the opening of its new Grand Rapids, MI-based cybersecurity research lab. GRIMM’s new facility will enable the company to work more closely on cybersecurity initiatives within the advanced manufacturing, aerospace, automobility and defense industries based in the region.

Through this new Michigan-based lab, the company will offer dedicated resources focused on engaging with companies specifically in the automobility and aerospace sectors, including Original Equipment Manufacturers (OEMs), suppliers, and other stakeholders to improve the holistic security of automotive, aviation, and industrial control systems. GRIMM is also creating a classroom training space where its experts will teach hands-on advanced coursework for automotive and ICS security.

The opening of the facility is being supported by a $216,000 performance-based grant from the Michigan Business Development Program. GRIMM also plans to invest $621,000 over the next three years to grow its presence in the region while it creates 27 new high tech jobs in the same period.

Syncsort Acquires i encryption

Syncsort, the global leader in Big Iron to Big Data software, announced it has signed a definitive agreement to acquire IBM i encryption, tokenization, authentication, FTP and SIEM integration products from Townsend Security, a Washington-state based provider of data privacy software. Additionally, the companies are announcing a partnership agreement for Syncsort to resell Townsend Security’s Alliance Key Manager product.

