When the average person thinks of the BMW brand, they probably imagine a sleek and technology-driven vehicle that makes all their favorite ‘vroom-vroom’ sounds come to life. Or, at the very least, a luxury car brand.
What they don’t think of is a brand thats vehicles are full of security vulnerabilities and unsecured systems. BMW has taken direct control of it’s Online Brand Management efforts, and it clearly shows. However, control doesn’t have to mean secrecy and hiding information.
Should companies try hiding negative information online?
Absolutely not. This era is billed as the digital age for a reason. With time, customers can and will find out what secrets are being swept under the rug. With information and communication being a cornerstone of our digital age, it’s becoming increasingly hard for companies to keep secrets from the public. To make it worse, Consumer Trust is easily lost and finding out about negative information after the fact is not a good look for any company. Consumers value openness and transparity now, more than apologetic offerings later on.
Let’s take a look at the most recent issue BMW faces
- Automobile security researchers identified a number of software vulnerabilities in BMW automobiles
- 14 different vulnerabilities were found across the entire BMW lineup
- Vulnerabilities took advantage of as many as 7 different rounds to gain control of BMW’s ConnectedDrive System
- As many as 2.2 million vehicles could be affected at the time of disclosure
- BMW vehicles manufactured before 2011 are able to be physically started without their keys
- BMW vehicles manufactured after 2011 were able to be wirelessly unlocked, started, and driven away without their keys
- In most cases a $30 Bypass Tool shipped from China or Eastern Europe is all anyone needs if they are serious about gaining entry into a BMW
Is this a real thing?
Unfortunately it is, and pretty crazy to see in action. It’s not an issue exclusive to BMW either.
How did BMW deal with the situation?
BMW has taken a fantastic stance on this topic by keeping the public engaged in the process from the very start. When news of these vulnerabilities reached BMW, they didn’t just sweep it under the rug, pay to have the information burred, or ignore it. Instead they gave up the element of plausible deniability, decided to take control of the situation, and spin the story in their favor.
To do this BMW did three very important things right. The first thing they did was authenticate the research. Logically, they had to make sure this was a real threat to their vehicles. Second, they immediately deployed over-the-air (OTA) software updates to all vehicles that supported them. These countermeasures aimed to combat some of the most dangerous vulnerabilities right out of the gate. Lastly the automotive company awarded the research group with BMW’s “Digitization and IT Research Award” and encouraged the two organizations to expand cooperation and joint research proceeding into the future.
Looking toward the future
In order to help facilitate more independent research and find potential vulnerabilities before nefarious users did, BMW set up a secure communication channel via their website. The channel promised a response to user-submitted exploits within two to three days. The cornerstone of their communication channel is their policy of “Responsible Disclosure” where BMW asks for time to develop and roll-out countermeasures before researchers make technical specifications and details public.
This setup seems to work fairly well for each side, too. Researchers can help make automobiles safer and more secure, while getting credit and compensation for their efforts. BMW stands to gain value too, as they are now able to begin damage control and deploy countermeasures before the news of the specific issue is made public – hurting brand reputation, image, and likely stock prices.
