Ford Lincoln announces remote-control car app as BMW issues security patch

Ford Motor Company’s Lincoln brand announces an app enabling users to control their cars remotely as BMW issues a security patch

Ford Motor Company’s Lincoln luxury brand is to announce an app to enable users to control their cars remotely as BMW issues a security patch for a flaw affecting 2.2 million vehicles.

The MyLincoln smartphone app – developed with Google – will allow users to schedule remote starts as well as lock and unlock their cars, reports The Detroit News.

MyLincoln is the first app of its kind to be integrated with the Android organiser app Google Now, and is likely to raise concerns with privacy watchdogs and cyber security professionals.

But users may disregard the risks to benefit from remote start functionality that will ensure the vehicle is cooled off or warmed up by the time they are ready to drive.

“Delivering unique experiences for the luxury client throughout ownership is fundamental to Lincoln,” Matt VanDyke, director, global Lincoln, said in a statement.

“By innovating with leading tech companies, we have an opportunity to personalize the ongoing interaction between the customer and the vehicle.”

The Google Now and MyLincoln apps will be connected through an embedded modem in the vehicle.

Security concerns

Lincoln said the MyLincoln Mobile connectivity and Google services are opt-in features, and notifications can be turned off.

But the car maker made no mention of security or privacy, which will be key to the app’s success, especially as it can also be used to locate vehicles.

Security concerns are underlined by the fact that BMW released a patch for a security flaw that could have allowed hackers to unlock about 2.2 million BMW, Rolls-Royce and Mini cars.

The vulnerability in BMW’s ConnectedDrive infotainment system was discovered by the German motorist association ADAC, reports Slashgear.

ADAC said it proved with several vehicles they could be unlocked remotely using a smartphone. “The procedure leaves no trace and runs in minutes,” the organisation said in a statement.

ADAC said it had waited for BMW to release a patch before revealing the flaw. "As a responsible consumer advocate we have held off publication of this vulnerability until it was closed by the manufacturer to prevent criminals exploiting the attack," the organisation said.

Finance-grade encryption

Like the MyLincoln app, the BMW system uses a mobile data connection to enable users to lock vehicles remotely.

BMW has boosted the security of the system with the same encryption used by financial institutions and other connected services in its vehicles. Affected vehicles should update automatically.

The patched systems can now confirm that they are connected to one of BMW's servers and not a cyber criminal.

BMW said: "No cases have come to light yet in which data has been called up actively by unauthorised persons.”

But BMW should have ensured the data transmission was secure in the first place, said independent security consultant Graham Cluley.

“Yes, it’s good that BMW has fixed the problem. But frankly I think they’re being a little disingenuous talking about 'rapid response' if this issue was first brought to their attention in the middle of last year,” he wrote in a blog post.

Cluley said BMW, Rolls-Royce or Mini owners who are concerned their vehicle may not have received the update should choose “Update Services” from the car’s menu.

ADAC has called on all car makers and technology partners to protect against cyber attacks by certifying their systems and processes against information security standards like The Common Criteria for Information Technology Security Evaluation.

Read more on Hackers and cybercrime prevention