German car manufacturer BMW has issued a security patch over the air to its vehicles, after the emergence of a vulnerability that would have allowed hackers to open doors using just a mobile. BMW, Rolls-Royce and Mini vehicles were all affected as the problem was resident in the Connected Drive service, which allows drivers to control functions like doors and infotainment from their smartphones, according to German driver association ADAC.
ADAC vice president for technology, Thomas Burkhardt, said in a statement that it discovered the vulnerability last year, but didn’t want to warn the public until a fix had been issued by BMW. ADAC said it hadn’t seen any proof the flaw was exploited in the real world, though it had tested attacks successfully “on several vehicles”. More than 2.2 million vehicles were thought to have been affected. Vehicles with a production date later than 9 December 2014 won’t have to worry, however, whilst owners don’t have to do anything; the updates are automatic. They were due to go out to all cars by 31 January.
ADAC didn’t provide much detail on the attack, other than to say it would only take a few minutes for a hacker to execute. According to Reuters, researchers at the association created a fake cell network, which they used to trick the BMW vehicles into taking commands from their mobiles. The video below (in German) from ADAC appears to show the attack in action.
BMW seems to have fixed the issue by ensuring interactions between BMW, the driver and the car are done over encrypted traffic, using the SSL standard, which typically guarantees the identity of the sender and receiver of data. Along with Tesla, BMW is one of the more forward-thinking car makers when it comes to digital security. It recently talked up its privacy stance to the FT, saying it refused to hand over car information to those asking for it.
A BMW spokesperson told Forbes over email it had detected the problem on its own. “BMW runs a process of continuous improvement with its products and it is through this testing that an issue was detected on the Connected Drive system subsequently highlighted by the ADAC. However, prior to this notification our systems have since been enhanced, tested and approved,” they said.
“Like all electronic and cyber attacks on a vehicle, whatever form they may take, BMW continuously assesses its level of car security and enhances the level of defence where possible. For obvious security reasons the details of such enhancements are something we will not discuss, suffice to say the issue has been fixed.”
Meanwhile, digital security within cars has become increasingly worrisome to researchers, who’ve pointed to weaknesses in connected vehicle components. In January, Forbes was told a Progressive Insurance dongle used in more than 2 million cars had almost no security mechanisms whatsoever to protect against malicious attacks. Last year, another vehicle tracking dongle from provider Zubie was also shown to contain hackable vulnerabilities.
This article was written by Thomas Fox-Brewster from Forbes and was legally licensed through the NewsCred publisher network.