Skip to main content

BMW fixes flaw that allowed hackers to open doors

BMW has patched a security flaw that would have allowed hackers to open car doors, the company has announced.

The flaw was noticed inside the ConnectedDrive connectivity system that was implemented in some 2.2 million cars, including BMWs, Minis and Rolls-Royse vehicles.

The security patch will be applied automatically, as soon as the vehicles connect to BMW's servers.

They also include HTTPS, a secure version of the hypertext transfer protocol, to data transmissions via the ConnectedDrive system, Reuters reports (opens in new tab).

The flaw also affected air conditioning and traffic updates, but not steering or brakes, BMW says.

The German automobile group ADAC was the first to discover the flaw last year, but remained silent until BMW worked out a fix.

ADAC's security researchers were able to simulate the existence of a fake phone network, which BMW cars attempted to access, allowing hackers to manipulate functions activated by a SIM card.

No one tried to steal a car using this flaw, both BMW and ADAC have said.

Access to functions relevant to driving was excluded at all times," it says in the BMW’s news release. "There was no need for vehicles to go to the workshop."

Security researcher Graham Cluley believes (opens in new tab) HTTPS should have been implemented from the very start.

“It appears the vulnerability revolved around the insecure transmission of data, as the patch rolled out by BMW appears to have enabled HTTPS. Something you would probably have hoped that BMW’s engineers would have thought about in the first place.”

If you have a BMW, a Mini or a Rolls-Royce and worry about not getting the patch, then you should choose “Update Services” from your car’s menu.

Sead Fadilpašić
Sead Fadilpašić

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. And his work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.