BMW Moves To Block Hackers

Security flaw offered access to doors on 2.2 million BMW, Mini, Rolls-Royce cars.

by on Feb.02, 2015

BMW's ConnectedDrive system offerred access to hackers looking to break into a vehicle.

BMW says it has fixed a security flaw that could have given hackers the ability to remotely unlock the doors of 2.2 million vehicles sold by the BMW, Mini and Rolls-Royce brands.

The announcement underscores growing concern that thieves and hackers could gain access to vehicles through the fast-growing array of onboard infotainment and safety systems that have become common on today’s vehicles.

Key in on a Free Subscription!

In the case of the German luxury maker, the problem was linked to BMW’s ConnectedDrive system which relies on onboard SIM cards to identify authorized users. The technology can be used, among other things, to allow a vehicle’s doors to be unlocked remotely. But it also is used to transmit real-time traffic information and other data.

The problem was first identified by ADAC, the German equivalent of the AAA, and apparently could occur when data was being transmitted to the vehicle. The motor club found that hackers could conceivably create a fake phone network that the vehicle would attempt to connect with. At that point, a hacker could gain access to the SIM card and begin to access some vehicle functions.

(Will your smartphone soon replace your car key? Click Here for the story.)

However, BMW said it would not give an unauthorized user the ability to compromise critical vehicle functions, such as driving, steering or braking. The maker said it also knows of no actual situation where hackers used the trick to gain access to one of its products.

Experts, however, say it is just a matter of time. “It’s a relatively low risk today,” Karl Heimer, the senior research director at the Battelle Center for Advanced Vehicle Environments, told last summer. But there’s already a lot of technology in today’s cars, “some of it known to be vulnerable.” And as cars become even more dependent on technology, “You will see an increase in attacks,” Heimer predicted.

There have already been signs of trouble. The Center for Automotive Embedded Systems Security – a joint program of the University of California San Diego and the University of Washington – has already shown that a car’s vital systems can be taken over by plugging a device into the OBD-II diagnostics port. Other researchers have shown they can capture and duplicate the digital signals that allow remote key fobs to operate.

(Security experts fear today’s vehicles could be easily hacked. Click Here for the latest.)

And there have been reports out of both Europe and the U.S. that some high-tech thieves have discovered ways to clone the codes used by remote keyfobs to unlock vehicle doors – though whether that is happening remains a matter of debate.

BMW says it has now adopted the name Hypertext Transfer Protocol Secure, or HTTPS, used to permit secure sales and banking transactions on the Web. But as the recent experiences of Home Depot and Target have shown, even such activities can be breached.

The German maker was able to avoid a recall by using the ConnectedDrive system’s communication capabilities to upload updated software to the 2.2 million vehicles.

“The online capability of BMW Group ConnectedDrive allowed the gap to be closed quickly and safely in all vehicles,” the automaker said. “There was no need for vehicles to go to the workshop.”

(Would you trade off privacy for a safety car? Click Here for more.)

Tags: , , , , , , , , , , , , ,

4 Responses to “BMW Moves To Block Hackers”

  1. Jorge says:

    Too late. The criminals have already figured out how to access many brands of autos with electronic devices. Police were confounded when they saw thieves open the doors, steal goods from inside, then close the doors and re-lock them.

  2. Glien says:

    The “S” in HTTPS is for “Secure”, not “System”.

    • Paul A. Eisenstein says:

      correct. our error to be resolved. thanks!

    • Jorge says:

      Be advised that this so called “secure” HTTPS” network is only secure based on security certificates – which have already been compromised several times. Don’t believe ANY electronic system is secure, because in reality it is not – contrary to what your bank or other institution may claim.