ADAC testers found a security gap that allows unauthorised persons to unlock the vehicle through a mobile connection. In the ConnectedDrive scheme, BMW's connected car implementation, the vehicles are equipped with their own wireless cellular connection independently of the driver's cellphone. Therefore they can be reached via mobile phone networks. Authorised users (such as the driver) can use the technology to read out status messages (for instance fuel gauge or parking position). The ADAC test proved a security gap that affected the transmission path via mobile networks, enabling hackers to unlock the vehicle and access its interior. The operation does not leave any traces and is a matter of minutes, the testers said.
In an apparently coordinated approach, BMW reacted immediately (actually, the BMW release reached EE Times Europe before the ADAC message) and assured drivers that access to functions related to driving was never possible. The carmaker has already started to fix the problem by automatically updating the related software across the vehicle's mobile connection. The wireless connection is utilising the HTTPS protocol - a scheme that involves data encryption as well as authentication. Interestingly, BMW has started the updates already on December 8, 2014 - a hint that the security gap has already been known for a while.