autoevolution

ConnectedDrive Vulnerability Allows Hackers to Lock and Unlock BMWs via Mobile Phone

BMW’s ConnectedDrive suite apparently has a security flaw that could allow hackers to lock and unlock the cars using a mobile phone. The discovery was made by ADAC in Germany and BMW has quickly come up with a solution.
The only cars affected are those fitted with the optional ConnectedDrive feature, which grants access to online features like weather and concierge, and manufactured between March 2010 and December 8, 2014. Not only BMWs are affected, but also MINI and Rolls-Royce models, which use basically the same system.

According to ADAC, the flaw comes down to a lack of data encryption between the system and the servers with which it communicates. Basically, anyone can tap into the feed and make some changes without leaving any traces. At the moment, only the opening/closing of the doors was mentioned, but other functions might also be altered, even though the German institution didn’t make any clear comments in this regard.

BMW says they fixed it


The security flaw was quickly reported to BMW, which claims to have fixed it with an over-the-air update for all cars. According to the company, this update would be sent out by today to all affected cars.

"The update is carried out automatically as soon as the vehicle connects up to the BMW Group server or the driver calls up the service configuration manually. The online services of BMW Group ConnectedDrive communicate with this configuration via the HTTPS protocol (HyperText Transfer Protocol Secure) which had previously been used for the service BMW Internet and other functions," said BMW in a statement.

However, the comment from the Bavarians doesn’t specify what happens to cars that are possibly in remote areas, out of reach.

If you own such a car, our recommendation would be to travel to the nearest dealership and make sure that the update was installed. You can also call your local dealership and have them check if your system was updated, remotely. The video below shows ADAC experts explaining how the vulnerability was found.



 
