BMW announced that it had fixed a bug that would have allowed hackers to compromise its ConnectedDrive car automation system. The bug affected over two million BMWs, Minis and Rolls-Royces, according to Mashable.
Apparently, the communications between BMW’s servers and your car were not even encrypted, so the solution was to use HTTPS to encrypt the traffic.
BMW claimed that the bug did not affect the driving, steering or braking functions of the car. That’s great, but I am not sure that this is the bar that we should measure their security by.
ADAC, a German automotive group, discovered the bug in the middle of last year and decided not to announce the bug until BMW came up with a solution.
BMW, the article says, patted itself on the back for coming up with a fix so quickly. Others said that HTTPS should have been there in the first place.
The good news is that BMW owners do not need to take the car into the dealer to fix the problem; the fix will be downloaded the next time the car connects to BMW’s servers.
Given how poor BMW’s security was around the car automation function, I am not sure that BMW’s being able to load new firmware into the car over the air is a good thing. They may want to review the security of that process as well. I can just see a hacker downloading new firmware into my car causing the car to do who knows what.
Unfortunately, I suspect that this problem will only get worse for a long time before it gets better.