BMW News

The German Automobile Association (ADAC) identified a potential security gap in about 2,200,000 BMW Group vehicles equipped with ConnectedDrive. These include most BMWs, Mini hatchbacks, and some Rolls-Royces. The vehicles were produced between March 2010 and December 2014. The flaw could have allowed potential hackers to wirelessly open the vehicles within a few minutes.

The good news is that as soon as the security gap was discovered, BMW closed it with an update to the affected software, which is installed automatically when the vehicle connects to the BMW Group server or when the driver calls up the service configuration manually. That’s right, no trip to the dealer required.

ADAC was checking BMW vehicle networking capabilities as part of a strategic review when it discovered the potential security gap, which affected data transmission through the vehicle’s mobile phone network. In other words, the ADAC researchers were able to create a fake phone network, which the ConnectedDrive BMW Group cars tried to access, allowing hackers to manipulate functions via the vehicle’s onboard SIM card.

A hacker could have conceivably exploited the gap to unlock the car, but BMW says the car could not have been driven away. BMW further pointed out that only software related to wireless functions would have been affected. There would have been no way for a hacker to access any of the car’s functions while driving. The security flaw did not affect any BMW Group hardware.

BMW claims that after the fix is automatically uploaded, the affected vehicles’ ConnectedDrive packages will be using encryption equal to that used by banks for online banking. Data are encrypted with the HTTPS protocol, and the identity of the BMW Group server is checked by the vehicle before data are transmitted over the mobile phone network.

BMW also explained that it has received no reports of any actual breaches or attempts by unauthorized persons.

Once again we see an example of the 21st-century razor’s edge, with incredible convenience and useful automotive functioning on one side and the loss of physical and data security on the other. It has to be considered a win when, upon discovery of the problem, the company fixes it before any damage is done.—Scott Blazey

 

[Photos courtesy of BMW Group.]