The primary reason ADAC was able to exert so much control over the car once initial access was achieved is that none of the data or command streams sent to and from the car used any form of transport encryption or server authentication. The traffic used plain HTTP over the same kind of cellular data connection your cell phone uses, which is why BMW's 'fix' is to switch to the same HTTPS protocol your web browser uses when you order something from Amazon.

BMW describes the fix, which has already been pushed out to affected cars automatically, like this:

The update is carried out automatically as soon as the vehicle connects up to the BMW Group server or the driver calls up the service configuration manually. The online services of BMW Group ConnectedDrive communicate with this configuration via the HTTPS protocol (HyperText Transfer Protocol Secure) which had previously been used for the service BMW Internet and other functions. The BMW Group ConnectedDrive packages in the vehicle are thereby using encryption which in most cases is also being used by banks for online banking. On the one hand, data are encrypted with the HTTPS protocol, and on the other hand, the identity of the BMW Group server is checked by the vehicle before data are transmitted over the mobile phone network.


If HTTPS, which is certainly well-known, established, and well understood in the IT world, was already in place for the "service BMW Internet and other functions," the question remains why this very basic security precaution was not used for all ConnectedDrive traffic.

I posed this question to BMW, and am currently awaiting an answer.

ADAC's response to this pretty large security hole is as follows, and sounds a bit more dramatic in machine-translation:

The ADAC demands that computer technology in the car be promptly protected from manipulation and illegal access. This protection must be based on standards that have long been customary in other industries (e.g. the IT industry). Moreover, this protection needs to be confirmed by a neutral body, for example through Common Criteria certification by the Federal Office for Information Security (BSI) in Bonn.


Their point that this basic sort of encryption has long been standard in the IT world and should have been implemented here by default is a very valid one. At this point, we're not certain why BMW did not implement HTTPS encryption (at least) for data sent to and from the car over public cellular networks. The ConnectedDrive hardware is essentially a data-capable cellphone, and cellphones send encrypted, sensitive data safely every day.
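BMW's description above names two separate properties that the switch to HTTPS buys: the link is encrypted, and the vehicle checks the server's identity before it transmits anything. The second is the one that actually defeats a fake base station or proxy, and it is easy to lose by configuring a TLS client to skip verification. The following Go program is an added example, not BMW's, ADAC's or ConnectedDrive code: it stands up two local HTTPS servers with self-signed certificates (a constructed "genuine backend" and a constructed "attacker"), then probes both with a client pinned to the genuine certificate and with a client that encrypts but skips verification. The server names, reply bodies and function names are all assumptions made for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// selfSigned mints a throwaway self-signed cert for 127.0.0.1 so the demo runs offline.
func selfSigned(name string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// newServer starts a local HTTPS server presenting cert; reply is a constructed body.
func newServer(cert tls.Certificate, reply string) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, reply)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	return srv
}

// vehicleClient trusts exactly one provisioned server identity: any other
// certificate fails the handshake before a single command byte is sent.
func vehicleClient(trusted *x509.Certificate) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
	}}
}

// skipVerifyClient encrypts the link but accepts any certificate: the weak
// setting that turns "HTTPS" back into something a rogue proxy can impersonate.
func skipVerifyClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // weak setting
	}}
}

// handshakes reports whether client completes a request to url (TLS included).
func handshakes(c *http.Client, url string) bool {
	resp, err := c.Get(url)
	if err != nil {
		return false
	}
	resp.Body.Close()
	return true
}

// Result records which client accepted which server.
type Result struct{ PinnedGenuine, PinnedRogue, SkipGenuine, SkipRogue bool }

// RunDemo probes a genuine backend and a rogue one with both clients.
func RunDemo() Result {
	genuine := newServer(selfSigned("connecteddrive-backend (constructed)"), "door:unlocked")
	defer genuine.Close()
	rogue := newServer(selfSigned("attacker (constructed)"), "door:unlocked (by attacker)")
	defer rogue.Close()
	v, s := vehicleClient(genuine.Certificate()), skipVerifyClient()
	return Result{
		PinnedGenuine: handshakes(v, genuine.URL),
		PinnedRogue:   handshakes(v, rogue.URL),
		SkipGenuine:   handshakes(s, genuine.URL),
		SkipRogue:     handshakes(s, rogue.URL),
	}
}

func main() {
	fmt.Printf("%+v\n", RunDemo())
}
```

Run with `go run .`: the pinned client reaches the genuine server and refuses the rogue one with an "unknown authority" error, while the skip-verify client happily talks to both and cannot tell them apart. That difference is the "identity of the BMW Group server is checked by the vehicle" part of BMW's statement; encryption alone, without it, would still let an attacker who controls the cellular link stand in for the backend.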

We'll update this story with BMW's response as soon as we receive it.

According to ADAC, these are the affected vehicles:

All models with ConnectedDrive, production from March 2010 to December 8, 2014, including:

BMW

1 Series Convertible, Coupé and Touring (E81, E82, E87, E88, F20, F21)
2 Series Active Tourer, Coupé and Convertible (F22, F23, F45)
3 Series with Convertible, Coupé, GT, Touring and M3 (E90, E91, E92, E93, F30, F31, F34, F80)
4 Series Coupé, Convertible, Gran Coupé and M4 (F32, F33, F36, F82, F83)
5 Series, GT and Touring (F07, F10, F11, F18)
6 Series with Convertible and Gran Coupé (F06, F12, F13)
7 Series (F01, F02, F03, F04)
i3 (I01), i8 (I12)
X1 (E84)
X3 (F25), X4 (F26)
X5 (E70, F15, F85), X6 (E71, E72, F16, F86)
Z4 (E89)

MINI

Three-door and five-door hatchback (F55, F56)

Rolls Royce

Phantom with Coupé and Drophead Coupé (RR1, RR2, RR3), Ghost (RR4), Wraith (RR5)

In Germany, 423,000 vehicles are affected; in Europe 1.2 million and worldwide 2.2 million. According to the manufacturer, vehicles with a production date of 9 December 2014 or later no longer have these vulnerabilities.

The conversion of the affected vehicles to encrypted communication is carried out by BMW over the air and should be largely complete by January 31, 2015. No workshop visit is required; no hardware or software will be replaced.

BMW has, by its own account, informed the Federal Motor Transport Authority (KBA).