BMW fixes security flaw that left more than 2 million cars unlocked


BMW has patched a bug in its ConnectedDrive system that left 2.2 million cars vulnerable to being hacked and unlocked.

The security flaw, as reported by Forbes, was found in the software used to operate door locks, air conditioning and traffic updates, meaning the vehicles were effectively left wide open to any hacker with a smartphone. Both Rolls Royce and Mini models were also affected.

The German car manufacturer announced the patch on Friday, but Mashable explains that it was first identified last year by German driver association ADAC, which took the decision not to warn the public until BMW had completed a fix. ADAC said that it had no evidence of the flaw being exploited in the real world, but were able to create a fake cell network to simulate how the attack could have been made in just a few minutes.

The patch was applied automatically from January 31, encrypting the car’s data with HTTPS – a common internet security measure used in everything from banks to e-commerce platforms.

“You would probably have hoped that BMW’s engineers would have thought about [using HTTPS] in the first place,” comments We Live Security contributor Graham Cluley on his blog. “If you are worried that your vehicle may not have received the update (perhaps because it has been parked in an underground car park or other places without a mobile phone signal, or if its starter battery has been disconnected) then you should choose “Update Services” from your car’s menu.”

As previously reported by We Live Security, The World Economics Forum recently highlighted the threats facing the connected car. The forum’s Global Risks report explains: “Hacking the location data on a car is merely an invasion of privacy, whereas hacking the control system of a car would be a threat to life. The current internet infrastructure was not developed with such security concerns in mind.”

Author Alan Martin, ESET

Leave a Reply