BMW patches e-goof that left 2.2m cars at risk

BMW has remotely patched a security flaw which, if exploited, could have handed over the digital keys to as many as 2.2m BMW, Rolls-Royce, and MINI cars to thieves. The hack, identified by a German motorist association, involved models fitted with BMW's ConnectedDrive infotainment system, which uses a mobile data connection to offer drivers locking control when they're away from the vehicle, in addition to downloading content to the dashboard when they're behind the wheel. BMW says that it's now using the same sort of HTTPS encryption that banks rely upon.

Exact details of the hack have not been shared by ADAC, the German organization that identified the issue. However, it said that it had been able to unlock a car with the unpatched ConnectedDrive system via a cellphone from outside the vehicle, in just a matter of minutes.

BMW's response has been to push out an OTA update which patches the exploit and moves the system to HTTPS, which was already being used by other connected services in its vehicles.

That means the car can now confirm that the server it is talking to is, indeed, one of BMW's, rather than something nefarious.

While it's embarrassing, BMW insists that as "no cases have come to light yet in which data has been called up actively by unauthorized persons from outside or an attempt of this kind is made in the first place" the problem was nonetheless a minor one.

Affected models should update automatically when they perform a regularly-scheduled ping of the server for the latest software. Alternatively, owners can trigger an update manually, by heading into the settings and hitting the update button.