Bug fixed, but some cars may not have received the patch

Jan 30, 2015 15:12 GMT

A security flaw in the remote service of the Connected Drive software platform, which is installed on 2.2 million BMW vehicles worldwide, allows an attacker to unlock the car’s doors from a smartphone.

The cars affected are all those with Connected Drive, manufactured between March 2010 and December 8, 2014. Among them are BMW models (1 through 7 Series, i3, X1), Mini (three and five-door hatchback), and Rolls-Royce (Phantom Coupe and Drophead Coupe, Ghost and Wraith).

Bug was reported responsibly to BMW

According to German automobile club ADAC, which discovered the vulnerability, the doors of the cars can be unlocked within minutes, without leaving any trace of wrongdoing behind.

It appears that the flaw is caused by a lack of data encryption between Connected Drive and the servers maintained by BMW. The communication is carried over a cellular modem with an always-present SIM card.

The researchers noticed that the traffic exchange between the car and the BMW servers was unencrypted, which allowed them to intercept and modify it. This could be done via base transceiver station (BTS) equipment, which can capture information from GSM devices.

ADAC discovered the vulnerability by chance and reported its findings responsibly to the manufacturer, waiting for an update to be ready before publishing the information.

From the details provided by ADAC it is unclear if the security flaw could also be taken advantage of to access drive-related functions, although from the demonstration video below it would appear so.

The features of Connected Drive were expanded in 2014, when the manufacturer introduced enhanced navigation tools, smartphone connectivity and voice search, along with apps designed to improve the overall experience with the car and prevent driving distractions caused by glancing at the mobile phone.

Update has been pushed over-the-air

BMW said that the flaw would be corrected by January 31 and has already sent the fix to the affected cars. Communication with the vehicles that received the update should now be carried out in a secure manner as encryption has been turned on.

However, it is possible that not all cars have received the over-the-air fix, as some of them may be parked in an area with no reception.

In this case, the owners can call the BMW hotline and make an inquiry. Alternatively, the update function available for the platform should allow pulling in the patch and applying it manually.

A presentation of the vulnerability is available in the video below (German):

Photo gallery (3 images): BMW has corrected the issue; Unencrypted traffic; Accessing the OpenBSC interface