BMW Moves To Block Hackers

BMW says it has fixed a security flaw that could have given hackers the ability to remotely unlock the doors of 2.2 million vehicles sold by the BMW, Mini, and Rolls-Royce brands.

The announcement underscores growing concern that thieves and hackers could gain access to vehicles through the fast-growing array of onboard infotainment and safety systems that have become common in today’s vehicles.

In the case of the German luxury maker, the problem was linked to BMW’s ConnectedDrive system, which relies on on-board SIM cards to identify authorized users. The technology can be used, among other things, to allow a vehicle’s doors to be unlocked remotely. But it also is used to transmit real-time traffic information and other data.

The problem was first identified by ADAC, the German equivalent of the AAA, and apparently could occur when data was being transmitted to the vehicle. The motor club found that hackers could conceivably create a fake phone network that the vehicle would attempt to connect with. At that point, a hacker could gain access to the SIM card and begin to access some vehicle functions.

However, BMW said the flaw would not give an unauthorized user the ability to compromise critical vehicle functions, such as driving, steering or braking. The maker said it also knows of no actual situation where hackers used the trick to gain access to one of its products.

The Center for Automotive Embedded Systems Security – a joint program of the University of California San Diego and the University of Washington – has already shown that a car’s vital systems can be taken over by plugging a device into the OBD-II diagnostics port. Other researchers have shown they can capture and duplicate the digital signals that allow remote key fobs to operate.

And there have been reports out of both Europe and the U.S. that some high-tech thieves have discovered ways to clone the codes used by remote key fobs to unlock vehicle doors – though whether that is happening remains a matter of debate.

The problem is likely to get worse, warns a new report overseen by Senator Edward Markey, a Massachusetts Democrat. It comes at a significant time, with automakers loading their vehicles with an assortment of new electronic features – from digital safety systems to wireless infotainment technologies. And over the coming decade, a number of manufacturers are looking to launch new autonomous systems that could allow hands-free driving – and even bigger opportunities for hackers.

"Drivers have come to rely on these new technologies, but unfortunately the automakers haven’t done their part to protect us from cyberattacks or privacy invasions," Sen. Markey said in a statement.

Until recently, there were relatively few opportunities for hackers to access the electronic systems on a vehicle. And manufacturers traditionally isolated vehicle control and entertainment systems. But the barriers have been falling on some of the latest vehicles. And the Markey report notes there are a growing number of channels through which hackers could gain entry.

These include wireless Bluetooth and 4G LTE Internet systems that are becoming more and more commonplace. But there are also less obvious access points, including keyless entry and remote start systems, satellite navigation devices, even the wireless tire pressure monitoring systems now required by federal law. A number of vehicles also have wired access points, including USB ports. Some automakers, such as Ford’s Lincoln brand, make it possible to update vehicle systems by accessing those USB ports.

The study warned "there is a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle or against those who may wish to collect and use personal driver information."