DUDE, WHERE'S MY CAR? New Leccy BMWs Have Flimsy Password Security – Researcher

John Leyden | The Register | May 27, 2014

Motor giant told to try harder with mobe app

New BMW cars have security shortcomings that could allow thieves to pop open a victim's flash motor from a smartphone. Ken Munro, a partner at Pen Test Partners, uncovered security issues in the systems that pair the latest generation of beamers with owners' mobiles. By stringing together the flaws, a crook could open doors, windows and the boot, and leave the lights on for an added headache.

Preliminary findings from the ongoing research – which El Reg passed on to BMW last month – suggest it may be possible to determine the usernames of drivers through social networks, and then use a mix of social engineering and other techniques to gain access to vehicles – or trick BMW into suspending security protections, clearing the way for other attacks.

The car manufacturer said it had passed Munro's research on to its people in Germany, and played down any risk. "If it was an issue then it's solved now," a spokesman told The Register. It's understood the company has added an extra layer of protection: a new check for a PIN when accessing the mobile application...