The Stack Archive

BMW patches security flaw affecting over 2 million vehicles

Mon 2 Feb 2015

BMW has fixed a security bug which left 2.2 million cars, including models from Rolls Royce and Mini, exposed to hackers.

The flaw was discovered in vehicles using BMW’s ConnectedDrive software, which runs from an installed on-board Sim card. Via the smartphone app, owners can remotely control a number of functions including door locks, air conditioning and sounding the horn. The software does not operate any of the vehicles’ hardware such as brakes or steering.

Researchers from the German motorist association ADAC identified the flaw which allowed the system to connect to fake mobile phone networks, enabling hackers to remotely control the Sim card. No known hacks have been reported.

BMW has now applied a patch employing HTTPS protocol (HyperText Transfer Protocol Secure) to encrypt the data from the cars.

“On the one hand, data are encrypted with the HTTPS protocol, and on the other hand, the identity of the BMW Group server is checked by the vehicle before data are transmitted over the mobile phone network,” BMW released in a statement.

For security experts the use of HTTPS should have been a given practice. “You would probably have hoped that BMW’s engineers would have thought about [using HTTPS] in the first place,” said security blogger Graham Cluley.

As an increasing number of connected cars are introduced into the market, experts warn of the growing threat of malware and hacking targeted at vehicles.

“I think we are going to see more malicious attacks [on connected cars]. If someone finds a vulnerability in an internet-enabled car you could have the same situation that you have now for browsers…it doesn’t take much imagination to think of the abuse this could cause,” Mark O’Neill of software organisation Axway, told IBTimes UK.

However, this BMW case has helped to instil confidence that software updates and patches can be distributed swiftly and effortlessly to connected vehicles, with drivers able to manually select updates to ensure they are fully covered.


cybercrime hacking news transport
Send us a correction about this article Send us a news tip