Last week, the world was again reminded of how vulnerable connected cars are to hacking. BMW revealed that it had found—and fixed—a security problem that could have enabled hackers to access about 2.2 million of its vehicles.
According to BMW, the German Automobile Association (ADAC) detected a security flaw related to data transmission. The problem affected vehicles that come with BMW’s ConnectedDrive feature and are equipped with SIM cards. These include the majority of BMW models (even the i3 electric car and the i8 plug-in hybrid seen above), the Mini hatchback (both the three-door and five-door varieties), as well as the Rolls-Royce Phantom, Ghost and Wraith. ADAC noted that all at-risk models were manufactured between March 2010 and December 2014.
Reuters reported that ADAC’s research team was able to access the systems controlled by the vehicle’s SIM card by simulating a fake mobile phone network. The vehicles tried to access the fake network, giving hackers an opportunity to take over a number of functions controlled through the SIM card.
In a statement, BMW gave assurances that the security problem did not allow access to functions crucial to driving (such as braking and steering). That’s the good news. The bad news is that the bug could have allowed hackers to manipulate a lot more functions. BMW’s ConnectedDrive software and the on-board SIM cards are used to activate functions related to air-conditioning, traffic information and online entertainment. More importantly, both the software and the SIM cards are used for door-locking functions, meaning that hackers would have been able to unlock the doors of all at-risk BMW vehicles.
Fortunately, the German automaker immediately addressed the matter after being notified by ADAC. The company said that it had fixed the problem through a new configuration. Owners of affected models need not go to the dealership for the fix, as it is delivered through an update of ConnectedDrive. The update will happen automatically when the vehicle connects to the BMW server or when the driver requests the service configuration manually.
BMW has also made data transmission more secure by using HTTPS (HyperText Transfer Protocol Secure), which is also used by banks to make online transactions secure. The German automaker is using HTTPS not only to encrypt data inside the vehicle but also to enable the vehicle to check the identity of the server prior to transmitting data over the phone network.
BMW said it knows of no cases wherein hackers have tried to take advantage of the security gap.
Photo credit: bmw.com