• Security loopholes found in BMW’s Connected Drive make it possible to steal car data

    30 January 2015

    On 30 January 2015, security loopholes in BMW vehicles equipped with Connected Drive technologies were revealed. Believed to affect 2.2 million BMW vehicles worldwide, these flaws in the software allow thieves to unlock doors and track car data through a mobile phone without leaving a trace. The FIA has long advocated for secure, open networks for vehicle connectivity. Vehicle manufacturers have argued that only closed networks can be truly secure. In fact, the loopholes in BMW’s closed, wireless connected car network prove that a closed network is not necessarily secure.

    Jacob Bangsgaard, Director General of FIA Region I said: “We are concerned about these findings as car owners have been unknowingly at risk of having their vehicle tracked and opened without a single trace. We have always supported strong data protection for consumers, which should be the leading concern as connected vehicles come to market. As has been proven in this example, a closed network does not necessarily result in data security and car owners must be assured that their vehicle data cannot be abused by tracking or theft.”

    The gaps in security were discovered as part of a study performed by the German Automobile Club, ADAC, to discover what repair and maintenance data is sent over the BMW network. The functions that were found to be accessible remotely were opening of doors, location of the vehicle, recorded speed data, programming of the emergency call number, and emails. BMW has announced that the security loopholes will be closed by 31 January 2015 by activating encrypted communication with the affected vehicles. This is the first-ever “digital recall”; it will not require a workshop call or the replacement of any parts and will be carried out remotely.

    ENDS

    NOTES TO EDITORS

    BMW Connected Drive security loopholes – ADAC release

    FIA Region I video on consumer principles for access to data and your car

    Affected vehicles (according to the manufacturer)

    All Connected Drive models produced from March 2010 up to, and including, 8 December 2014.

    BMW
    1-series, incl. Cabrio, Coupé and Touring (E81, E82, E87, E88, F20, F21)
    2-series, incl. Active Tourer, Coupé and Cabrio (F22, F23, F45 )
    3-series, incl. Cabrio, Coupé, GT, M3 and Touring (E90, E91, E92, E93, F30, F31, F34, F80)
    4-series Coupé, Cabrio, GranCoupé and M4 (F32, F33, F36, F82, F83)
    5-series, incl. GT and Touring (E81, E82, F07, F10, F11, F18)
    6-series, incl. Cabrio and GranCoupé (F06, F12, F13)
    7-series (F01, F02, F03, F04)
    I3 (I01), I8 (I12)
    X1 (E84), X3 (F25), X4 (F26), X 5 (E70, F15, F85), X6 (E71, E72, F16, F86), Z4 (E89)

    Mini
    3-door and Countryman (F56, F60)

    Rolls Royce
    Phantom, incl. Coupé and Drophead Coupé (RR1, RR2, RR3)
    Ghost (RR4)
    Wraith (RR5)

    The loopholes apply 1.2 million vehicles in Europe an 2.2m worldwide. The manufacturer claims that any vehicles produced on or after 9 December 2014 do not have these loopholes.

    About FIA Region I

    FIA Region I is a consumer body representing 111 Motoring and Touring Clubs and their 38 million members from across Europe, the Middle East and Africa.

    The FIA represents the interests of our members as motorists, riders, pedestrians and passengers. FIA Region I is working to ensure safe, affordable, clean and efficient mobility for all. www.fiaregion1.com

    Contact:
    Andrea Campbell
    Communications Manager, FIA Region I
    acampbell@fia.com
    +32 2 282 0813