On 30 January, security loopholes in 1731 BMW vehicles equipped with connected drive technologies were revealed. Believed to affect 2.2 million BMW vehicles worldwide, these flaws in the software allow thieves to unlock doors and track car data through a mobile phone without leaving a trace.
The Federation Internationale de l'Automobile (FIA) has long advocated for secure, open networks for vehicle connectivity. Vehicle manufacturers have argued that only closed networks can be truly secure. In fact, the loopholes in BMW’s closed, wireless connected car network prove that a closed network is not necessarily secure.
Jacob Bangsgaard, director general of FIA Region I said: “We are concerned about these findings as car owners have been unknowingly at risk of having their vehicle tracked and opened without a single trace. We have always supported strong data protection for consumers, which should be the leading concern as connected vehicles come to market. As has been proven in this example, a closed network does not necessarily result in data security and car owners must be assured that their vehicle data cannot be abused by tracking or theft.”
The gaps in security were discovered as part of a study performed by the German Automobile Club, ADAC, to discover what repair and maintenance data is sent over the BMW network. The functions that were found to be accessible remotely were opening of doors, location of the vehicle, recorded speed data, programming of the emergency call number, and emails. BMW has announced that the security loopholes will be closed by 31 January 2015 by activating encrypted communication with the affected vehicles. This is the first-ever ‘digital recall’; it will not require a workshop call or the replacement of any parts and will be carried out remotely.
The Federation Internationale de l'Automobile (FIA) has long advocated for secure, open networks for vehicle connectivity. Vehicle manufacturers have argued that only closed networks can be truly secure. In fact, the loopholes in BMW’s closed, wireless connected car network prove that a closed network is not necessarily secure.
Jacob Bangsgaard, director general of FIA Region I said: “We are concerned about these findings as car owners have been unknowingly at risk of having their vehicle tracked and opened without a single trace. We have always supported strong data protection for consumers, which should be the leading concern as connected vehicles come to market. As has been proven in this example, a closed network does not necessarily result in data security and car owners must be assured that their vehicle data cannot be abused by tracking or theft.”
The gaps in security were discovered as part of a study performed by the German Automobile Club, ADAC, to discover what repair and maintenance data is sent over the BMW network. The functions that were found to be accessible remotely were opening of doors, location of the vehicle, recorded speed data, programming of the emergency call number, and emails. BMW has announced that the security loopholes will be closed by 31 January 2015 by activating encrypted communication with the affected vehicles. This is the first-ever ‘digital recall’; it will not require a workshop call or the replacement of any parts and will be carried out remotely.