DUDE, WHERE'S MY CAR? New leccy BMWs have flimsy password security – researcher

[InfoSec News <alerts () infosecnews org>]

http://www.theregister.co.uk/2014/05/27/bmw_password_security_shortcomings/

By John Leyden
The Register
27 May 2014

Exclusive New BMW cars have security shortcomings that could allow thieves 
to pop open a victim's flash motor from a smartphone.

Ken Munro, a partner at Pen Test Partners, uncovered security issues in 
the systems that pair the latest generation of beamers with owners' 
mobiles. By stringing together the flaws, a crook could open doors, 
windows and the boot, and leave the lights on for an added headache.

Preliminary findings from the ongoing research – which El Reg passed onto 
BMW last month – suggest it may be possible to determine the usernames of 
drivers through social networks, and then use a mix of social engineering 
and other techniques to gain access to vehicles – or trick BMW into 
suspending security protections, clearing the way for other attacks.

The car manufacturer said it had passed Munro's research onto its people 
in Germany, and played down any risk. "If it was an issue then it's solved 
now," a spokesman told The Register. It's understood the company has added 
an extra layer of protection: a new check for a PIN when accessing the 
mobile application.

[...]

--
Subscribe to InfoSec News
http://www.infosecnews.org/subscribe-to-infosec-news/