BMW fixes security flaw that left locks open to hackers

 

 

BMW has patched a security flaw that left 2.2 million cars, including Rolls Royce and Mini models, open to hackers.

The flaw affected models fitted with BMW's ConnectedDrive software, which uses an on-board Sim card.

The software operated door locks, air conditioning and traffic updates but no driving firmware such as brakes or steering, BMW said.

No cars have actually been hacked, but the flaw was identified by German motorist association ADAC.

ADAC's researchers found the cars would try to communicate via a spoofed phone network, leaving potential hackers able to control anything activated by the Sim.

The patch, which would be applied automatically, included making data from the car encrypted via HTTPS (HyperText Transfer Protocol Secure) - the same security commonly used for online banking, BMW said.

"On the one hand, data are encrypted with the HTTPS protocol, and on the other hand, the identity of the BMW Group server is checked by the vehicle before data are transmitted over the mobile phone network," it said in a statement.

This should have already been in place, said security expert Graham Cluley.