BMW's "over-the-air" update transmitted to its ConnectedDrive software running on 2.2 million of its vehicles worldwide this past week to fix security flaws offered a rare glimpse of how the generation of smarter and more network-connected vehicles could get patched when bugs are discovered.
The German carmaker updated the software running in models of the BMW, Rolls Royce, and Mini, in response to the German Automobile Association (ADAC)'s discovery that an attacker could hijack or manipulate remote communications to the vehicles' SIM cards. The researchers reportedly
were able to unlock the car doors remotely using a spoofed mobile network tower that intercepted mobile traffic to and from the vehicles.
Researchers at ADAC say the weak and unencrypted mobile communications links to the API also could potentially allow attackers to sniff vehicle location, speed, and even email communications over the ConnectedDrive network.
In response to the researchers' findings, The BMW Group said it now uses HTTPS for encrypted mobile communications to ConnectedDrive vehicles, and that no hardware nor any driving-related functions or personal customer data were affected by the security flaws. "The BMW Group has a new configuration to close this gap. The update is carried out automatically or when the driver manually updates BMW Assist/ConnectedDrive," the company said. "The online services of BMW Group ConnectedDrive communicate with this configuration via the HTTPS protocol Ö which had previously been used for the service BMW Internet and other functions," and any communications to the car is authenticated to the BMW Group server before data his the mobile network, the statement said.
Continue reading on EBN sister site, DarkReading.