The German automobile maker issued a patch for a security issue that could have affected more than 2 million vehicles and allowed attackers to gain physical access to the cars.
The German automobile maker issued a patch for a security issue that could have affected more than 2 million vehicles and allowed attackers to gain physical access to the cars.

BMW released a security patch on Friday to address a security flaw that could have affected 2.2 million Rolls-Royce, Mini and BMW vehicles.

The addressed vulnerability could have allowed hackers to unlock the doors and gain physical access to vehicles hooked up to the company's ConnectedDrive software, which relies on SIM cards to identify mobile device users, Reuters reported. ADAC, a German motorist association and consumer protection organization, discovered the bug this past year but waited until it was patched to release its findings, the company said in an emailed statement to SCMagazine.com.

ConnectedDrive allows vehicles to automatically check in with BMW to remain up-to-date. It also links up with an app on an owner's cell phone to issue commands, including activating the horn and opening the driver's side door, and ultimately provides roadside assistance.

ADAC said it commissioned an independent study of the technology, with particular focus on what data is transmitted to BMW when a vehicle is due for inspection or repair.

"The objective was to determine whether independent workshops might be at a disadvantage and whether ADAC should step in to protect consumer interests," the statement said. "Although this was never intended, the investigations revealed security loopholes (that the company later detailed)."

Reuters reported that ADAC's researchers successfully exploited the bug by creating a fake phone network with which the vehicles attempted to connect. During this connection attempt, attackers could take over the SIM card ConnectDrive functions. More specifically, attackers could monitor the vehicle's current location and real-time traffic information. They could also obtain emails sent through BMW online. 

The recent security update is completed automatically through the car owner's phone; however, no information is provided as to whether a specific vehicle has been updated, although BMW opened a phone line for drivers who want to ensure their car is safe from the possible attack, ADAC said. The updates are set to be finished by January 31.

In addition to the security update, BMW said it was removing the possibility of breaches by encrypting the cars' communications through HTTPS.

ADAC said it had not yet seen the vulnerability exploited for malicious purposes.