The problem affects BMW, Mini and Rolls Royce models that come equipped with ConnectedDrive – a technology that allows car owners to access internet, navigation and other services via a SIM card installed directly into vehicles.
Security experts were able to create a fake mobile phone base station to intercept network traffic from the car, and use that information to send commands to the car telling it to lower windows or open the doors.
Other boffins working for German automobile association ADAC discovered the security vulnerabilities and the potential for vehicles to be broken into last summer, but kept quiet about them until now to give BMW a chance to produce a fix.
Hackers would only need a few minutes to open a car from outside, without leaving any physical trace of unauthorised entry – which is a lot better than a brick through the window or a bent coat hanger.
BMW issued a statement to the press congratulating itself on its rapid response, saying it is “increasing the security of data transmission in its vehicles” in response to what it describes as the “potential security gap” in ConnectedDrive.
The vulnerability revolved around the insecure transmission of data, as the patch rolled out by BMW appears to have enabled HTTPS. Since HTTPS is the minimal sort of security you would expect from an online transaction, you would have thought that BMW would have thought to install it.
The fact that BMW still took half a year to work out a fix and roll it out indicates that they have not really thought this whole security thing through yet.
Still, it is likely that we will see a lot more of these sorts of patches being rolled out for cars. In the old days you could open a Mini with a fork.