A fault in BMW’s ConnectedDrive system, which powers the car’s connectivity features, meant that doors could be unlocked remotely, giving potential car thieves access to the car’s interior. The software also controls the air conditioning and traffic updates but not essential driving systems such as the power steering mechanism, brakes or throttle response.
The 2.2 million affected vehicles include models made by BMW’s subsidiary companies as well as cars wearing its own badge. Cars by MINI are also at risk alongside luxury cars by prestigious marque Rolls-Royce.
The update that BMW released on Friday will be installed automatically as soon as the vehicle is connected to BMW servers. No visit to a garage or mechanic is necessary to install the update and resolve the issue.
The issue was identified by German motorist association ADAC. They found that the cars communicated with BMW servers via a spoofed mobile network controlled by a SIM card in the car.
The car did not attempt to verify the authenticity of the BMW server, so attackers could gain access to the car’s systems simply by pretending to be the BMW server. From there, commands could be sent to the car.
This has now been fixed so that the car uses the secure HTTPS protocol to communicate with BMW’s servers, something that security researchers say should have always been used. BMW say that there are no known exploits of the issue, something that ADAC confirm. Therefore, once your car is updated, you should be safe from hackers unlocking your car doors through this issue.
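
What "verifying the authenticity of the server" means in client code, as an added example that is not BMW's software: it uses Python's standard `ssl` module, and the function names and the host name in the demo are hypothetical. It contrasts a client that encrypts but accepts any server with one that validates the certificate and the server name, and refuses to connect with the former.

```python
import socket
import ssl

def unverified_context():
    """Flawed pattern: traffic is encrypted, but any server is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # certificate chain is never validated
    return ctx

def verified_context(cafile=None):
    """Hardened pattern: chain validated against trusted CAs, name must match."""
    # cafile=None uses the system trust store; a device would normally ship
    # its own CA bundle (assumption, the article gives no such detail).
    return ssl.create_default_context(cafile=cafile)

def audit(ctx):
    """Return the reasons this client context could be fooled by an impostor."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not checked against the server name")
    return findings

def connect(host, ctx, port=443):
    """Open a TLS connection, but only with a context that passes the audit."""
    problems = audit(ctx)
    if problems:
        raise ValueError("refusing to connect: " + "; ".join(problems))
    raw = socket.create_connection((host, port), timeout=10)
    # server_hostname is what the certificate gets matched against.
    return ctx.wrap_socket(raw, server_hostname=host)

if __name__ == "__main__":
    for name, ctx in (("unverified", unverified_context()),
                      ("verified", verified_context())):
        print(name, "->", audit(ctx) or "ok")
    try:
        connect("backend.example.invalid", unverified_context())  # hypothetical host
    except ValueError as err:
        print(err)
```

A context that validates the certificate chain but has `check_hostname` switched off still fails the audit, because any certificate issued by a trusted CA for some other name would be accepted.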