BMW fixes security flaw that should not have been there

The BBC reports that BMW have fixed a flaw with their ConnectedDrive software found in approximately 2.2 million cars. The software was transmitting data unencrypted over cellular networks and not performing any verification checks on the servers it was communicating with leading to the possibility of unauthorised persons accessing and controlling certain car functions. As this software allowed access to the cars' locking functions it would have been a likely untraceable way to gain entry to the car. Fortunately the cars' driving functions are not accessible by this system.

Cellular data networks are considered fairly private by many which is flawed thinking in of itself as any network outside your control is by definition outside of your control and therefore subject to interception without your knowledge. The other problem with this flaw is that is not beyond many criminals (or other ne'er-do-wells) capability to spoof a cellular network and this capability will get easier and cheaper over time.

This is a strange oversight for any company to make if it takes security seriously, and one would hope that a company that prides itself on the quality of its engineering would have seen this issue at the design stage. It is important when developing software to build in security at the design stage as it can be horrendously difficult and costly to fix at later stages in the development life cycle. Microsoft have a good starting point for developing and implementing Security Development Lifecycle here. It's not rocket science.

BMW Group's  press release does not make any apology for the existence of the flaw.

More about this can be found here:


Graham Cluley's site


Comments are closed.