BMW discovers major security vulnerability with car software

Attention drivers of BMW, Rolls-Royce, or Mini Cooper vehicles: your car may be vulnerable to hackers. According to an article published on Friday by Reuters, BMW was recently informed of a major security vulnerability with ConnectedDrive, the in-car software installed in some recent models.

The security vulnerability, which was discovered by the German automotive association ADAC, could have allowed hackers to exploit ConnectedDrive SIM cards in order to unlock a car. SIM card technology, of course, is what cellphones use to recognize mobile networks. The ConnectedDrive system uses the same technology to integrate a range of applications – from navigation programs to music streaming services – with the car itself.

The vulnerability was discovered when researchers at ADAC created a fake cellular network to trick the system. The ConnectedDrive SIM cards took the bait and tried to access the counterfeit cellular network. Once connected, the researchers were able to essentially take control of the entire ConnectedDrive system. And while that system provides no control of steering, speed, brakes, or other vital driving systems, it can control the door lock mechanism.

BMW says that there have been no reports from drivers that this vulnerability has been exploited for criminal purposes. In other words, the motor company is not aware of any recent instances where one of its cars was mysteriously broken into without any sign of forced entry.

Not that the company is being complacent about the ADAC report. Immediately after learning of the vulnerability, BMW released a software patch that will encrypt all future ConnectedDrive communications. The encryption will make it much more difficult for any cellular network source – either real or fake – to be used for the hacking of BMW, Rolls-Royce, or Mini Cooper systems.

An estimated 2.2 million vehicles were affected by the ConnectedDrive vulnerability. You can view a full list of affected models at Engadget. Luckily, though, BMW was able to transmit a software patch remotely. The patch installs as soon as ConnectedDrive vehicles connect to BMW’s servers. In other words, those who have driven their BMW, Rolls-Royce, or Mini lately should already have the update. Those who have not – like drivers who keep their luxury vehicles in storage for the winter – can launch the update by simply pushing the “Update Services” buttons in their cars.

From the looks of it, the BMW ConnectedDrive story gets a happy ending. However, the discovery of this major software vulnerability raises the question of how secure the “smart systems” on many newer cars really are. Perhaps automotive companies should take another look at these systems to make sure they are truly safe.
