Did your BMW just download a security patch?

Luxury car manufacturer BMW has rolled out a patch for a security flaw that could have allowed hackers to open the doors of some 2.2 million vehicles.

The issue affects BMW, Mini and Rolls Royce models that come equipped with ConnectedDrive - a technology that allows car owners to access internet, navigation and other services via a SIM card installed directly into vehicles.

As Reuters explains, security researchers were able to create a fake cellphone base station to intercept network traffic from the car, and use that information to send commands to the car telling it to lower windows or open the doors.

Researchers working for German automobile association ADAC discovered the security vulnerabilities and the potential for vehicles to be broken into last summer, but kept quiet about them until now to give BMW a chance to produce a fix.

According to ADAC, hackers would only need a few minutes to open a car from outside, without leaving any physical trace of unauthorised entry. In other words, a bit easier and less conspicuous than if you tried to gain access with a bent coat hanger or the swift application of a brick to the window.

BMW issued a statement to the press congratulating itself on its rapid response, and on how it is "increasing the security of data transmission in its vehicles" in response to what it describes as the "potential security gap" in ConnectedDrive.

It's not the kind of press release where the company found to be insecure apologises, and explains that there should never have been a security hole to find in the first place.

It appears the vulnerability revolved around the insecure transmission of data, as the patch rolled out by BMW appears to have enabled HTTPS. Something you would probably have hoped that BMW's engineers would have thought about in the first place.

Yes, it's good that BMW has fixed the problem. But frankly I think they're being a little disingenuous talking about "rapid response" if this issue was first brought to their attention in the middle of last year.

It's a shame that BMW seems to think that a little more honesty and humility would be perceived as rather weak for the corporation's image.

Here is the list of car models said to be affected:


BMW

1 Series Convertible, Coupé and Touring (E81, E82, E87, E88, F20, F21)
2 Series Active Tourer, Coupé and Convertible (F22, F23, F45)
3 Series Convertible, Coupé, GT, Touring and M3 (E90, E91, E92, E93, F30, F31, F34, F80)
4 Series Coupé, Convertible, Gran Coupé and M4 (F32, F33, F36, F82, F83)
5 Series GT and Touring (F07, F10, F11, F18)
6 Series Gran Coupe Convertible (F06, F12, F13)
7 Series (F01, F02, F03, F04)
i3 (I01), i8 (I12)
X1 (E84), X3 (F25), X4 (F26), X5 (E70, F15, F85), X6 (E71, E72, F16, F86), Z4 (E89)

Mini

Three-door and five-door hatchback (F55, F56)

Rolls Royce

Phantom Coupe and Drophead Coupe (RR1, RR2, RR3)
Ghost (RR4)
Wraith (RR5)

If you are worried that your vehicle may not have received the update (perhaps because it has been parked in an underground car park or other places without a mobile phone signal, or if its starter battery has been disconnected) then you should choose "Update Services" from your car's menu.

3 Comments on "Did your BMW just download a security patch?"

A Google User
February 3, 2015 1:59 am

So, if the patch involved enabling HTTPS to secure data in transit, that suggests BMW can unlock your car remotely at any time. As could anyone able to implement a MITM attack. It's unlikely (given they've only thought to enable HTTPS now) that the car presents an SSL cert for the BMW end to verify it and to prevent such a MITM attack.

February 3, 2015 2:44 pm

A device can be configured to ignore SSL certificates not signed by the right key. You get this warning all the time in browsers trying to go to HTTPS sites on a wifi that tries to redirect to a login page (like a lot of chain coffee shops).

February 4, 2015 10:58 pm


This update seems to have reset a few things: in the radio, and side mirrors not lowering while in reverse, are just a couple noticed. Anyone else experiencing similar effects?