German carmaker patches flaw that could allow hackers to gain access to BMW, Mini, and Rolls-Royce vehicles
German carmaker BMW has revealed that it has patched a serious security flaw that could have allowed hackers to seize control of some of its cars’ systems.
The flaw could have allowed hackers to open the doors of 2.2 million Rolls-Royce, Mini and BMW vehicles. The flaw could also have allowed the hackers to access the onboard vehicle computer system, which manages everything from engines and brakes to air conditioning.
The admission from BMW signals how carmakers increasingly need to consider the tech security aspects of their vehicles, as more and more cars incorporate computer technology into their designs and become connected to the outside world.
Last September for example, General Motors ramped up its protection from hackers when it hired a watchdog to maintain mobile system security and guide the company into the future.
And now BMW has admitted that its cars had a problem, announcing that it has increased the security of data transmission in its vehicles.
“This is the company’s response to reports from the German Automobile Association (ADAC),” said the firm. “The motorist’s association had identified a potential security gap when data is transmitted. The BMW Group has already closed this gap with a new configuration.”
The flaw concerned the ConnectedDrive software that used on-board SIM cards – the chips used to identify authorised users of mobile devices. This system allows BMW drivers to activate door locking mechanisms, and a number of other services including real-time traffic information, online entertainment and air conditioning.
The security risk apparently occurred when data was transmitted, but BMW said that it did not impact the car’s critical functions such as driving, steering or braking. Security researchers at ADAC were able to simulate a fake phone network, which BMW cars attempted to access, allowing hackers to manipulate functions activated by a SIM card.
BMW said it has shut down the flaw by encrypting the communications inside the car using the same HTTPS (Hypertext Transfer Protocol Secure) standard used in Web browsers for secure transactions such as online banking.
Furthermore, the update to the ConnectedDrive software is applied automatically when the vehicle connects to the BMW Group server or when the driver calls up the service configuration manually. There is no need for the car to go into a workshop.
“The online capability of BMW Group ConnectedDrive allowed the gap to be closed quickly and safely in all vehicles,” BMW said. “There was no need for vehicles to go to the workshop.”
“In this way, the BMW Group has responded promptly and increased the security of BMW Group ConnectedDrive, because no cases have come to light yet in which data has been called up actively by unauthorised persons from outside or an attempt of this kind is made in the first place,” said the car maker.
The BMW admission comes as some worry about the security aspects of modern cars.
In August last year, a group of hackers and security researchers known as “I Am The Cavalry” urged attendees of the DefCon security conference in Las Vegas to sign an open letter encouraging carmakers to improve the security systems of their latest cars.
And in April 2014, security researcher Nitesh Dhanjani warned that weaknesses in the way Tesla lets drivers control their cars could allow someone to easily open the doors.
Dhanjani praised the Tesla Model S for its innovation, but said the car manufacturer’s website did not appear to have any particular account lockout policy when large numbers of login attempts were made.