BMW responded after the flaw was identified by researchers at Allgemeiner Deutscher Automobil-Club (ADAC), a German motorist association. The flaw affected cars equipped with the company’s ConnectedDrive software. That technology allows authorized operators with mobile devices to lock and unlock doors and access environmental, navigation and entertainment systems on the cars.
In their test, ADAC security researchers created a rogue phone network. When the BMW cars attempted to access it, the researchers were able to attack and compromise functions on the car linked to a SIM card.
BMW said it has already patched the issue, encrypting the wireless communications inside the car to prevent compromise. In a statement to ADAC, BMW said that the update was issued wirelessly to around 2.2 million affected cars globally in early December, but the update would be transparent to BMW owners.
ConnectedDrive relies on a permanently installed SIM card in the vehicle. BMW uses it to provide BMW TeleServices and Concierge Services, to connect to the Internet and to get real-time traffic information.
BMW said it is able to update ConnectedDrive software automatically whenever a vehicle connects to the BMW Group server. However, owners who have reason to believe that their car has not been reachable wirelessly since December should call a company hotline to verify that their car received the ConnectedDrive update.
Security concerns stemming from connected vehicle features are growing. The research firm McKinsey has found that security concerns may hamper the “rapid and broad adoption” of connected vehicle technology.
“Increasing reliance on computer systems and internet connectivity in cars is opening up a whole new area of consumer risk, much of which is still being investigated and understood,” the group said.
“Modern cars are computers on wheels and are increasingly connected and controlled by software. Unlike your home computer, the consequences of compromise are far more severe,” said Joshua Corman, co-founder of I Am The Cavalry at DEFCON.