BMW says it has fixed a security flaw that could have given hackers the ability to remotely unlock the doors of 2.2 million vehicles sold by the BMW, Mini and Rolls-Royce brands.
The announcement underscores growing concern that thieves and hackers could gain access to vehicles through the fast-growing array of onboard infotainment and safety systems that have become common on today’s vehicles.
In the case of the German luxury maker, the problem was linked to BMW’s ConnectedDrive system which relies on onboard SIM cards to identify authorized users. The technology can be used, among other things, to allow a vehicle’s doors to be unlocked remotely. But it also is used to transmit real-time traffic information and other data.
(Learn about the best BMW Extended Warranty options)
The problem was first identified by ADAC, the German equivalent of the AAA, and apparently could occur when data was being transmitted to the vehicle. The motor club found that hackers could conceivably create a fake phone network that the vehicle would attempt to connect with. At that point, a hacker could gain access to the SIM card and begin to access some vehicle functions.
(Will your smartphone soon replace your car key? Click Here for the story.)
However, BMW said it would not give an unauthorized user the ability to compromise critical vehicle functions, such as driving, steering or braking. The maker said it also knows of no actual situation where hackers used the trick to gain access to one of its products.
Experts, however, say it is just a matter of time. “It’s a relatively low risk today,” Karl Heimer, the senior research director at the Battelle Center for Advanced Vehicle Environments, told TheDetroitBureau.com last summer. But there’s already a lot of technology in today’s cars, “some of it known to be vulnerable.” And as cars become even more dependent on technology, “You will see an increase in attacks,” Heimer predicted.
There have already been signs of trouble. The Center for Automotive Embedded Systems Security – a joint program of the University of California San Diego and the University of Washington – has already shown that a car’s vital systems can be taken over by plugging a device into the OBD-II diagnostics port. Other researchers have shown they can capture and duplicate the digital signals that allow remote key fobs to operate.
(Security experts fear today’s vehicles could be easily hacked. Click Here for the latest.)
And there have been reports out of both Europe and the U.S. that some high-tech thieves have discovered ways to clone the codes used by remote keyfobs to unlock vehicle doors – though whether that is happening remains a matter of debate.
BMW says it has now adopted the name Hypertext Transfer Protocol Secure, or HTTPS, used to permit secure sales and banking transactions on the Web. But as the recent experiences of Home Depot and Target have shown, even such activities can be breached.
The German maker was able to avoid a recall by using the ConnectedDrive system’s communication capabilities to upload updated software to the 2.2 million vehicles.
“The online capability of BMW Group ConnectedDrive allowed the gap to be closed quickly and safely in all vehicles,” the automaker said. “There was no need for vehicles to go to the workshop.”
(Would you trade off privacy for a safety car? Click Here for more.)