Cars equipped with the automaker's Connected Drive remote-services system are affected, according to the German Automobile Association (ADAC), which first discovered the problem.
Researchers found they could lock and unlock car doors by mimicking mobile communications and sending phony signals to a SIM card installed in affected vehicles. An attack could be launched "within minutes" of accessing the system without the perpetrators leaving a trace, according to their report, in part because once they had gained access to the network, the communications were not secure.
In response to the security gap, BMW says it has been upgrading software via over-the-air updates over the past week, so no visits to dealerships are needed to remedy the security hole. In fact, owners of affected cars may not have even noticed the updates taking place.
The problem affects BMW, Rolls-Royce and MINI vehicles equipped with Connected Drive since 2010.
Flaws were first reported to BMW last year by ADAC, which is the country's equivalent of AAA. ADAC says it withheld a public announcement until the car company could address the problem.
While BMW has pushed the software patch to most affected vehicles, the organization said it's possible some cars in the United States had not yet been updated. BMW did not respond to a request for comment Monday. In a written statement, the automaker said it knows of no real-world breaches.
2015 Off To Dubious Start
The hack could raise the eyebrows of industry leaders: Cars are now the equivalent of mobile computers and cyber-security experts have been warning that the auto industry has been slow to close its security holes.
BMW's breach marks the second time in 2015 that researchers have found a popular automotive feature with little or no security precautions. Last month, experts said a popular device made by Progressive Insurance that allows motorists to track their driving habits contained no security whatsoever.
Like the Connected Drive smart-phone app, many automotive components and infotainment features were conceived and produced at a time when industry executives never considered the possibility someone might want to hack into them. But increased connectivity brings increased risk.
Going forward, BMW says its Connected Drive features will now operate by using encrypted communications via the HTTPS protocol.
Remote Access A Concern
Connected Drive allows motorists to "control your BMW from afar," according to the company's website. Using a smart-phone app, drivers can lock and unlock their cars, blow the horn and flash their headlights. They can also access a climate menu to set the temperature of their car and transfer directions to their navigation units.
BMW says in its written statement (below) that no critical driving functions, such as acceleration, braking or steering, were compromised. The German Automobile Association said it didn't probe those potential vulnerabilities.
The company's security hole is the second exposed by researchers in recent months in which they could manipulate intended functions from a remote location.