BMW Fixes Vulnerability Issue That Left Locks Open To Hackers


BMW, one of the world’s major auto manufacturers, has reportedly fixed a security flaw that left 2.2 million cars, including Rolls Royce and Mini models, open to hackers.

According to the BBC, the flaw affected models fitted with BMW’s ConnectedDrive software, which makes use of an on-board SIM card. The BBC report quoted the company as saying that the software operated door locks, air conditioning and traffic updates but no driving firmware such as brakes or steering.

“As the leading manufacturer in the networking of driver, vehicle and the surrounding environment, the BMW Group is increasing the security of data transmission in its vehicles. This is the company’s response to reports from the German Automobile Association (ADAC). The motorist’s association had identified a potential security gap when data is transmitted. The BMW Group has already closed this gap with a new configuration.”


The flaw, identified by the German motorists’ association ADAC, meant that the cars would try to communicate via a spoofed phone network, allowing potential hackers to control anything activated by the SIM. However, there has been no reported case of a hack involving any of the cars.

“In this way, the BMW Group has responded promptly and increased the security of BMW Group ConnectedDrive, because no cases have come to light yet in which data has been called up actively by unauthorised persons from outside or an attempt of this kind is made in the first place.”

The BBC reports that the patch would be applied automatically and includes encrypting data from the car via HTTPS, the same security commonly used for online banking, the company said.

“The update is carried out automatically as soon as the vehicle connects up to the BMW Group server or the driver calls up the service configuration manually. The online services of BMW Group ConnectedDrive communicate with this configuration via the HTTPS protocol (HyperText Transfer Protocol Secure) which had previously been used for the service BMW Internet and other functions,” the company said in a statement on its website.

Reacting to BMW’s decision to fix the flaw, security expert Graham Cluley wrote on his blog: “You would probably have hoped that BMW’s engineers would have thought about [using HTTPS] in the first place.”

Cyber security experts have in recent years criticized the automotive industry for not doing enough “to secure internal communications of vehicles with network-connected features.”


Author: Ola Ric

Ola Ric is a professional tech writer. He has written and provided tons of published articles for professionals and private individuals. He is also a social commentator and analyst, with relevant experience in the use of social media services.
