Luxury car manufacturer BMW has rolled out a patch for a security flaw that could have allowed hackers to open the doors of some 2.2 million vehicles.
The issue affects BMW, Mini and Rolls Royce models that come equipped with ConnectedDrive – a technology that allows car owners to access internet, navigation and other services via a SIM card installed directly into vehicles.
As Reuters explains, security researchers were able to create a fake cellphone base station to intercept network traffic from the car, and use that information to send commands to the car telling it to lower windows or open the doors.
Researchers working for German automobile association ADAC discovered the security vulnerabilities and the potential for vehicles to be broken into last summer, but kept quiet about them until now to give BMW a chance to produce a fix.
According to ADAC, hackers would only need a few minutes to open a car from outside, without leaving any physical trace of unauthorised entry. In other words, a bit easier and less conspicuous than if you tried to gain access with a bent coat hanger or the swift application of a brick to the window.
BMW issued a statement to the press congratulating itself on its rapid response, how it is “increasing the security of data transmission in its vehicles” in response to what it describes as the “potential security gap” in ConnectedDrive.
It’s not the kind of press release where the company found to be insecure apologises, and explains that there should never have been a security hole to find in the first place.
It appears the vulnerability revolved around the insecure transmission of data, as the patch rolled out by BMW appears to have enabled HTTPS. Something you would probably have hoped that BMW’s engineers would have thought about in the first place.
Yes, it’s good that BMW has fixed the problem. But frankly I think they’re being a little disingenuous talking about “rapid response” if this issue was first brought to their attention in the middle of last year.
It’s a shame that BMW seems to think that a little more honesty and humility would be perceived as rather weak for the corporation’s image.
Here is the list of car models said to be affected:
1 Series Convertible, Coupé and Touring (E81, E82, E87, E88, F20, F21)
2er Active Tourer, Coupé and Convertible (F22, F23, F45)
3 with Convertible, Coupe, GT, Touring and M3 (E90, E91, E92, E93, F30, F31, F34, F80)
4p Coupe, Convertible, Gran Coupe and M4 (F32, F33, F36, F82, F83)
5 Series GT and Touring (F07, F10, F11, F18)
6 Series Gran Coupe Convertible (F06, F12, F13)
7 Series (F01, F02, F03, F04)
I3 (I01), I8 (I12)
X1 (E84), X3 (F25), X4 (F26) X 5 (E70, F15, F85), X6 (E71, E72, F16, F86), Z 4 (E89)
Three-door and five-door hatchback (F55, F56)
Phantom Coupe and Drophead Coupe (RR1, RR2, RR3)
If you are worried that your vehicle may not have received the update (perhaps because it has been parked in an underground car park or other places without a mobile phone signal, or if its starter battery has been disconnected) then you should choose “Update Services” from your car’s menu.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
3 comments on “Did your BMW just download a security patch?”
So, if the patch involved enabling HTTPS to secure data in transit, that suggests BMW can unlock your car remotely at any time. As could anyone able to implement a MITM attack. It's unlikely (given they've only thought to enabled HTTPS now) that the car presents a SSL cert for the BMW end to verify it and to prevent such a MITM attack.
A device can be configured to ignore SSL certificates no signed by the right key. You get this warning all the time in browsers trying to go to HTTPS sites on a wifi that tries to redirect to a login page (like a lot of chain coffee shops)
This update seems to have reset a few things, in the radio and side mirrors not lowering while in reverse, are just a couple of noticed. Anyone else experiencing similar effects?