Connecting stuff to the internet can sometimes introduce fun new vulnerabilities, and so it has proven in the case of millions of BMW cars.
On Friday the German auto outfit announced it was sending an over-the-air update to cars featuring its SIM-based ConnectedDrive module. This allows drivers to remotely unlock their car, but the German automobile club ADAC had reverse-engineered the telematics software and warned BMW that a flaw made it possible for third parties to unlock vehicles.
In a statement, BMW stressed that there wasn’t a flaw in its hardware, nor would any driving-related functions have been affected. The update, which introduces HTTPS encryption to the car’s connection with BMW’s servers, is automatically downloaded as soon as the car module talks to that system.
Hackers were in theory able to dupe the car into unlocking by creating a fake mobile network, according to Reuters. There is no evidence that the flaw has been exploited, though it was present in up to 2.2 million BMWs, Minis and Rolls-Royces. According to PC World, BMWs in the U.S. will get the update this week.
On the one hand, it’s great that BMW was able to distribute the update so efficiently. On the other, a system such as this should really have been communicating using encryption in the first place. There’s a lesson here for the manufacturers of connected anything.