Did the BMW Connected App Just Get Majorly Hacked? Answer: No

Mosely · 05-16-2020, 11:43 PM

Was sitting on the couch with the wife watching TV, suddenly she got an alert to her phone from the BMW connected app saying "The panic alarm on your X7 M50i is going off". We don't have an X7...we have an X5 and an M2.

So she logged into the app and now it shows someone else's 330i in Georgia (we live in Texas) as her registered vehicle. She is able to see all the personal information associated with this car, destinations, home address, sync'd calendar events, etc.

I ran outside to make sure our cars were okay (they were). And we logged in and out of the app. Upon logging back in now it shows a 440i from Las Vegas. Again, we can see all the personal information associated with this new car. I had the ability to remote start, unlock, etc....

Tried calling BMW but they're closed. Will update as more happens but this appears to be a major breach of some sort.

Edit: it's back to normal after 15-20 minutes but some of the calendar events and location history etc from other people's accounts are still visible. It also only happened on her iPhone and not to mine on Android.

mjr24 · 05-17-2020, 01:40 AM

Quote:

Originally Posted by Mosely

Was sitting on the couch with the wife watching TV, suddenly she got an alert to her phone from the BMW connected app saying "The panic alarm on your X7 M50i is going off". We don't have an X7...we have an X5 and an M2.

So she logged into the app and now it shows someone else's 330i in Georgia (we live in Texas) as her registered vehicle. She is able to see all the personal information associated with this car, destinations, home address, sync'd calendar events, etc.

I ran outside to make sure our cars were okay (they were). And we logged in and out of the app. Upon logging back in now it shows a 440i from Las Vegas. Again, we can see all the personal information associated with this new car. I had the ability to remote start, unlock, etc....

Tried calling BMW but they're closed. Will update as more happens but this appears to be a major breach of some sort.

Works normally for me.....

GenXer · 05-17-2020, 11:17 AM

No issue here.

SpaceForRent · 05-17-2020, 01:03 PM

Probably just normal database "maintenance"..
Or
5 + 2 = 7...

Your choice..

Z

contented · 05-17-2020, 02:57 PM

Mine shows both cars just as it should. No problems.

Mosely · 05-17-2020, 07:48 PM

Quote:

Originally Posted by contented

Mine shows both cars just as it should. No problems.

Quote:

Originally Posted by webmeezer

Probably just normal database "maintenance"..
Or
5 + 2 = 7...

Your choice..

Z

Quote:

Originally Posted by GenXer

No issue here.

Quote:

Originally Posted by mjr24

Works normally for me.....

Mine also went back to normal. You guys seem remarkably unconcerned though. Personal information, private calendar events and home addresses being shared aside, imagine someone had triggered the remote start and your car filled up the garage with carbon monoxide or unlocked your doors and your car got broken into. Just saying...

nioh_lbbm2 · 05-17-2020, 07:53 PM

change your password

Mosely · 05-17-2020, 09:24 PM

Quote:

Originally Posted by nioh_lbbm2

change your password

That was the first thing I did, but it didn't impact anything at all. Basically every time I opened and closed the app, it would show a new car and new collection of information. No specific locations patterns (Atlanta, Vegas, Northern California, somewhere in France, and one in Germany)

SpaceForRent · 05-17-2020, 09:34 PM

Not really. If someone was hacking you, odds are you'd never know it. What's the point of letting you know they have your info. Odds are also much greater they can get all that data somewhere else that's a lot easier to hack.

Not saying it's not possible, there are a lot of "script kiddies" out there running hacking scripts they've downloaded, that have no idea how to run them correctly. This sounds more like a normal maintenance cycle or software update (over the weekend typically) that went awry.

Z

six75LT · 05-18-2020, 12:19 AM

Quote:

Originally Posted by Mosely

Mine also went back to normal. You guys seem remarkably unconcerned though. Personal information, private calendar events and home addresses being shared aside, imagine someone had triggered the remote start and your car filled up the garage with carbon monoxide or unlocked your doors and your car got broken into. Just saying...

you mean to tell me you can start these cars with just the app now? why didnt i know about this when it was cold outside

Mosely · 05-18-2020, 11:34 AM

Quote:

Originally Posted by six75LT

you mean to tell me you can start these cars with just the app now? why didnt i know about this when it was cold outside

Yep! You can do ventilation/AC during the summer too.

05-16-2020, 11:43 PM	#1
Mosely Lieutenant 601 Rep 455 Posts Drives: '18 M2 \| '20 X5 \| '07 E92 Join Date: Mar 2017 Location: SoCal iTrader: (1)	Did the BMW Connected App Just Get Majorly Hacked? Answer: No Was sitting on the couch with the wife watching TV, suddenly she got an alert to her phone from the BMW connected app saying "The panic alarm on your X7 M50i is going off". We don't have an X7...we have an X5 and an M2. So she logged into the app and now it shows someone else's 330i in Georgia (we live in Texas) as her registered vehicle. She is able to see all the personal information associated with this car, destinations, home address, sync'd calendar events, etc. I ran outside to make sure our cars were okay (they were). And we logged in and out of the app. Upon logging back in now it shows a 440i from Las Vegas. Again, we can see all the personal information associated with this new car. I had the ability to remote start, unlock, etc.... Tried calling BMW but they're closed. Will update as more happens but this appears to be a major breach of some sort. Edit: it's back to normal after 15-20 minutes but some of the calendar events and location history etc from other people's accounts are still visible. It also only happened on her iPhone and not to mine on Android. Last edited by Mosely; 05-17-2020 at 02:35 AM..
	Appreciate 0 Tweet

05-17-2020, 11:17 AM	#3
GenXer Major 1394 Rep 1,031 Posts Drives: Like a bat out of hell. Join Date: Apr 2019 Location: here and there iTrader: (0) Garage List 2017 Chevrolet Volt [0.00] 2020 Chevrolet Tahoe [0.00]	No issue here.
	Appreciate 0

05-17-2020, 01:03 PM	#4
SpaceForRent New Member 161 Rep 20 Posts Drives: BMW Join Date: Dec 2017 Location: Everywhere iTrader: (0) Garage List 2018 M240xi [0.00]	Probably just normal database "maintenance".. Or 5 + 2 = 7... Your choice.. Z
	Appreciate 0

05-17-2020, 02:57 PM	#5
contented Private First Class 197 Rep 153 Posts Drives: 2020 M2C DCT, 2022 Ford Bronco Join Date: May 2020 Location: SE USA iTrader: (0)	Mine shows both cars just as it should. No problems.
	Appreciate 0

05-17-2020, 07:53 PM	#7
nioh_lbbm2 Lieutenant Colonel 1719 Rep 1,897 Posts Drives: M2 Join Date: Mar 2018 Location: California iTrader: (0)	change your password
	Appreciate 0

05-17-2020, 09:34 PM	#9
SpaceForRent New Member 161 Rep 20 Posts Drives: BMW Join Date: Dec 2017 Location: Everywhere iTrader: (0) Garage List 2018 M240xi [0.00]	Not really. If someone was hacking you, odds are you'd never know it. What's the point of letting you know they have your info. Odds are also much greater they can get all that data somewhere else that's a lot easier to hack. Not saying it's not possible, there are a lot of "script kiddies" out there running hacking scripts they've downloaded, that have no idea how to run them correctly. This sounds more like a normal maintenance cycle or software update (over the weekend typically) that went awry. Z
	Appreciate 0