Hat tip to BMW – they may be one of the first automakers to publicly admit to a security flaw in their vehicles.
The potential breach was found in BMW’s ConnectedDrive infotainment system.
In Germany, the ADAC (their equivalent of the CAA) discovered a potential security gap in the system's data transmission.
It would have allowed an attacker to use ConnectedDrive to remotely unlock the car’s doors, then potentially access the SIM card to control some of the vehicle’s functions (though not critical ones like steering or braking).
What BMW did
They promptly sent out a mass software patch to over 2.2 million vehicles, switched to using HTTPS (like a bank) to encrypt traffic between their servers and the vehicles, and then even posted a press release about it.
Why this is meaningful
It’s not the first time an automaker has experienced some sort of potential security breach.
What’s different is how they handled it – they acted swiftly and talked about it openly, something which often only happens when the manufacturer is publicly shamed.