2011 Bmw X5 M on 2040-cars

Auto blog

BMW's Connected Drive feature vulnerable to hackers

BMW is working to fix a cyber-security flaw that has left 2.2 million vehicles worldwide vulnerable to hackers. Cars equipped with the automaker's Connected Drive remote-services system are affected, according to the German Automobile Association (ADAC), which first discovered the problem. Researchers found they could lock and unlock car doors by mimicking mobile communications and sending phony signals to a SIM card installed in affected vehicles. An attack could be launched "within minutes" of accessing the system without the perpetrators leaving a trace, according to their report, in part because once they had gained access to the network, the communications were not secure. In response to the security gap, BMW says it has been upgrading software via over-the-air updates over the past week, so no visits to dealerships are needed to remedy the security hole. In fact, owners of affected cars may not have even noticed the updates taking place. The problem affects BMW, Rolls-Royce and MINI vehicles equipped with Connected Drive since 2010. Flaws were first reported to BMW last year by ADAC, which is the country's equivalent of AAA. ADAC says it withheld a public announcement until the car company could address the problem. While BMW has pushed the software patch to most affected vehicles, the organization said it's possible some at cars in the United States had not yet been updated. BMW did not respond to a request for comment Monday. In a written statement, the automaker said it knows of no real-world breaches. 2015 Off To Dubious Start The hack could raise the eyebrows of industry leaders: Cars are now the equivalent of mobile computers and cyber-security experts have been warning that the auto industry has been slow to close its security holes. BMW's breach marks the second time in 2015 that researchers have found a popular automotive feature with little or no security precautions. Last month, experts said a popular device made by Progressive Insurance that allows motorists to track their driving habits contained no security whatsoever. Like the Connected Drive smart-phone app, many automotive components and infotainment features were conceived and produced at a time when industry executives never considered the possibility someone might want to hack into them. But increased connectivity brings increased risk. Going forward, BMW says its Connected Drive features will now operate by using encrypted communications via the HTTPS protocol.

BMW Hack: the auto industry's big cyber-security warning sign [w/video]

A cyber-security hole that left more than two million BMWs vulnerable may be the most serious breach the auto industry has faced in its emerging fight against car hackers. Security experts are not only concerned that researchers found weaknesses inside the company's Connected Drive remote-services system. They're worried about how the hackers gained entry. German researchers spoofed a cell-phone station and sent fake messages to a SIM card within a BMW's telematics system. Once inside, they locked and unlocked car doors. Other researchers have demonstrated it's possible to hack into a car and control its critical functions, but what separates this latest exploit from others is that it was conducted remotely. In an industry that's just coming to grips with the security threats posed by connectivity in cars, the possibility of a remote breach has been an ominous prospect. The fact it has now occurred may mean a landmark threshold has been crossed. "It's as close as I've seen to a genuine, remote attack on telematics," said Mike Parris, head of the secure car division at SBD, a UK-based automotive technology consulting company. "At this point, the OEMs are trying to play a game of catch up." Previous researchers in the automotive cyber-security field have launched remote attacks that are similar in nature, though not the same. In 2010, academics at California-San Diego and the University of Washington demonstrated they could remotely control essential functions of a car, but they needed to be within close proximity of the vehicle. In November 2014, researchers at Argus Cyber Security remotely hacked cars with an aftermarket device called a Zubie plugged into their diagnostic ports. But the remote attack was predicated on the Zubie dongle having physically been installed in the car. With the BMW hack, researchers compromised the car without needing physical access or proximity. The German Automobile Association, whose researchers conducted the BMW study, said it infiltrated the system "within minutes" and left undetected, a feat that raises the possibility that a hacker could do the same in a real-world scenario. Messages Were Sent Unencrypted Security analysts described the BMW infiltration as a "man in the middle" attack. Researchers mimicked a cellular base station and captured traffic between the car and the BMW Connected Drive service, which drivers can access and control via an app on their cell phones.

BMW ponders increase in i3 production capacity on early demand

The 2014 BMW i3 is not slated to hit US showrooms until the second quarter of next year, but the response BMW has received for the all-electric hatchback has been positive enough that the automaker is already considering boosting production capacity. Bloomberg Businessweek reports that more than 8,000 customers have reserved an i3 so far, which is high, especially considering that BMW only planned to sell 10,000 i3s total in 2014.
Talking to BMW CFO Friedrich Eichiner, the report says that if the demand holds for the i3, BMW would increase capacity accordingly. The i3 goes on sale next month in Germany before a global roll out in the US, China and Japan, and with a starting price of $41,350, it is priced slightly higher than current small plug-in vehicles offered in the US like the Chevy Volt, Ford Focus Electric and Toyota Prius Plug-in, though features more use of advanced, lightweight materials.