FRANKFURT (Reuters) -- BMW has fixed a security flaw that could have allowed hackers to unlock the doors of up to 2.2 million Rolls-Royce, Mini and BMW vehicles.
BMW said officials at German motorist association ADAC had identified the problem, which affected cars equipped with the company's ConnectedDrive software using on-board SIM cards -- the chips used to identify authorized users of mobile devices.
Cars at risk included models with ConnectedDrive such as the Rolls-Royce Phantom, Mini hatchback and most BMWs, including the i3 electric-car.
The vehicles were produced between March 2010 and December 2014, ADAC said. BMW said that it wasn't aware of any cases in which the flaw was exploited.
Drivers can use the software and SIM cards to activate door locking mechanisms, as well as a range of other services including real-time traffic information, online entertainment and air conditioning.
The security risk occurred when data was transmitted, BMW said, adding it did not impede the car's critical functions of driving, steering or braking.
In recent years, cybersecurity experts have criticized the automotive industry for failing to do more to secure internal communications of vehicles with network-connected features.
The danger, they say, is that once external security is breached, hackers can have free rein to access onboard vehicle computer systems which manage everything from engines and brakes to air conditioning.
They fear it is only a matter of time before hackers might break into wireless networks on cars to exploit software glitches and other vulnerabilities to try to harm drivers.
ADAC's security researchers were able to simulate the existence of a fake phone network, which BMW cars attempted to access, allowing hackers to manipulate functions activated by a SIM card.
BMW said it had taken steps to eliminate possible breaches by encrypting the communications inside the car using the same HTTPS [Hypertext Transfer Protocol Secure] standard used in Web browsers for secure transactions such as ecommerce or banking.
BMW said it was able to update its ConnectedDrive software automatically, when the vehicle connects up to the BMW Group server or the driver calls up the service configuration manually.
"The online capability of BMW Group ConnectedDrive allowed the gap to be closed quickly and safely in all vehicles," BMW said. "There was no need for vehicles to go to the workshop."