Consumer Rights Wiki - User contributions [en]

BMW API restrictions

2025-09-30T08:59:29Z

SGXander: add community goal

BMW has a subscription-based service called ConnectedDrive. BMW chose to restrict this service, making certain functions removed or not as powerful, causing issues for many users.{{IncidentCargo
|Company=BMW
|StartDate=2025-08-30
|Status=Active
|ProductLine=vehicles
|Product=vehicles, cars, automobiles
|ArticleType=Product
|Type=Digital restrictions
|Description=BMW destroys home assistant integration for customers of BMW's online services subscriptions
}}

==Background==
BMW ConnectedDrive is a subscription-based service that provides remote access to [[BMW]] vehicles through mobile applications & APIs, with tiers ranging from $50 to $150 per year after a free 3-year period.<ref>{{cite web |date=2025-06-27 |title=What You're Really Paying For With BMW ConnectedDrive |url=https://www.bimmer-mag.com/bmw-connected-drive-price/ |access-date=2025-01-01 |website=Bimmer Mag}}</ref> The service enables features such as remote climate control, vehicle location tracking, & electric car charging management through BMW's official mobile applications.<ref>{{cite web |date=2025-01-01 |title=BMW ConnectedDrive App Subscription Products, Store and Services |url=https://www.bmwusa.com/explore/connecteddrive.html |access-date=2025-01-01 |website=BMW USA}}</ref>

Home Assistant is an open-source home automation platform that allows users to integrate various smart home devices & services, including vehicle data through manufacturer APIs, with over 5000+ users of the BMW integration as of September 4th, 2025<ref>{{Cite web |title=Integrations {{!}} Home Assistant Analytics |url=https://analytics.home-assistant.io/integrations/}}</ref>. This number only counts users who did not turn off analytics.

According to discussions on the BMW i4 Forum, many BMW electric car users use this integration to optimize charging based on solar panel production, time-of-use electricity rates, & home energy management systems.<ref>{{cite web |url=https://www.i4talk.com/threads/smarter-charging-with-home-assistant.5441/ |title=Smarter Charging with Home Assistant |website=BMW i4 Forum |date=2024-05-20 |access-date=2025-01-01}}</ref> The integration was highly valued by users who paid for BMW's ConnectedDrive subscriptions & expected to maintain API access for their automation needs.

==Incident==
According to user reports documented in GitHub issue #149750, BMW began notifying users through its Android application in July 2025 about upcoming changes to charge control APIs.<ref>{{cite web |url=https://github.com/home-assistant/core/issues/149750 |title=Upcoming API changes notification from BMW · Issue #149750 |website=GitHub |date=2025-07-31 |access-date=2025-01-01}}</ref> The notifications stated th''e'' following: <blockquote>''"to ensure the security of your personal data, and to better protect your vehicle, the option of allowing third-party providers to control your vehicle charging will be limited from September."''<ref>{{cite web |url=https://github.com/home-assistant/core/issues/149750 |title=Upcoming API changes notification from BMW · Issue #149750 |website=GitHub |date=2025-07-31 |access-date=2025-01-01}}</ref></blockquote>On August 30, 2025, BMW implemented strict API rate limiting that affected third-party applications. According to GitHub issue #151500, error logs showed HTTP 403 Forbidden responses with messages indicating '''"Out of call volume quota. Quota will be replenished in 00:49:03."'''<ref>{{cite web |url=https://github.com/home-assistant/core/issues/151500 |title=BMW integration should handle call quota error · Issue #151500 |website=GitHub |date=2025-08-25 |access-date=2025-01-01}}</ref> Users reported that the quota appeared to be limited to approximately 100 API calls per 24-hour period, far below the polling requirements of home automation systems.<ref>{{cite web |url=https://github.com/home-assistant/core/issues/151502 |title=BMW Connected Drive Quota · Issue #151502 |website=GitHub |date=2025-08-25 |access-date=2025-01-01}}</ref>

Between September 1 and September 3, 2025, the Home Assistant community attempted various technical workarounds. According to discussions on the BMW i4 Forum, initial user-agent spoofing proved temporarily successful, with users reporting that mimicking official BMW app signatures allowed continued access.<ref>{{cite web |url=https://www.i4talk.com/threads/anyone-using-home-assistant-for-their-i4-with-bmw-connected-drive.9126/ |title=anyone using Home Assistant for their i4 with BMW connected drive? |website=BMW i4 Forum |date=2025-09-02 |access-date=2025-01-01}}</ref> By September 3, 2025, these workarounds ceased functioning, with community members confirming that BMW had implemented additional detection methods.<ref>{{cite web |url=https://github.com/home-assistant/core/issues/149750 |title=Upcoming API changes notification from BMW · Issue #149750 |website=GitHub |date=2025-09-03 |access-date=2025-01-01}}</ref>

According to industry analysis by Beebop AI, the restrictions affected over 1.5 million vehicles and disrupted utilities using reverse-engineered BMW APIs for demand response & grid stability programs.<ref>{{cite web |url=https://www.beebop.ai/blog/bmw-api-changes-could-disrupt-utilities-using-unapproved-ev-connections |title=BMW API Changes Could Disrupt Utilities Using Unapproved EV Connections |website=Beebop AI |date=2025-09-01 |access-date=2025-01-01}}</ref> The timing occurred days before the EU Data Act's implementation on September 12, 2025, which requires manufacturers to provide users with access to their vehicle data.<ref>{{cite web |url=https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng |title=Regulation (EU) 2023/2854 |website=EUR-Lex |date=2023-12-13 |access-date=2025-01-01}}</ref>

On September 26, after 3 weeks of calm, BMW have made further restrictions blocking access to the API entirely.<ref>{{Cite web |date=2025-09-26 |title=BMW Connected Drive - Requires continuous re-authentications and still, errors for Login requires captcha validation #152646 |url=https://github.com/home-assistant/core/issues/152646 |website=Github}}</ref>

===BMW's response===
According to the notifications sent through the BMW mobile application, the company cited ''"security"'' & ''"safety"'' as justifications for the API restrictions.<ref>{{cite web |url=https://github.com/home-assistant/core/issues/149750 |title=Upcoming API changes notification from BMW · Issue #149750 |website=GitHub |date=2025-07-31 |access-date=2025-01-01}}</ref> The notifications directed users to a FAQ page listing approved electricity providers that would maintain access to vehicle charging control.<ref>{{cite web |url=https://www.i4talk.com/threads/bmw-to-disable-remote-charging-control-api.14532/ |title=BMW to disable remote charging control API |website=BMW i4 Forum |date=2025-08-01 |access-date=2025-01-01}}</ref>

BMW has not issued an official press release or public statement regarding the API restrictions beyond the in-app notifications. According to user reports on GitHub, attempts to contact BMW customer service resulted in '''''"boilerplate responses citing security as a reason for these very targeted actions."'''''<ref>{{cite web |url=https://github.com/home-assistant/core/issues/149750 |title=Upcoming API changes notification from BMW · Issue #149750 |website=GitHub |date=2025-08-31 |access-date=2025-01-01}}</ref> The company has maintained partnerships with approved charging networks including Electrify America, Shell Recharge, & EVgo.<ref>{{cite web |url=https://www.bmwusa.com/charging.html |title=BMW Electric Vehicle Charging |website=BMW USA |date=2025-01-01 |access-date=2025-01-01}}</ref>

==Consumer response==
The Home Assistant community posted & documented many integration failures through multiple GitHub issues, with issue #149750 receiving over 250 comments from users getting negatively affected by this.<ref>{{cite web |url=https://github.com/home-assistant/core/issues/149750 |title=Upcoming API changes notification from BMW · Issue #149750 |website=GitHub |date=2025-09-04 |access-date=2025-01-01}}</ref> Users report complete loss of automated EV charging management & broken solar panel integration logic.<ref>{{cite web |url=https://community.home-assistant.io/t/bmw-integration-no-support-from-september-for-thirtparty-providers-like-ha/916187 |title=BMW integration: No support from September for thirtparty providers like HA |website=Home Assistant Community |date=2025-09-01 |access-date=2025-01-01}}</ref>

According to forum discussions, affected users attempted multiple technical solutions between August 30 and September 3, 2025, including polling rate reduction, QR code re-authentication, & regional API switching.<ref>{{cite web |url=https://www.i4talk.com/threads/anyone-using-home-assistant-for-their-i4-with-bmw-connected-drive.9126/ |title=anyone using Home Assistant for their i4 with BMW connected drive? |website=BMW i4 Forum |date=2025-09-02 |access-date=2025-01-01}}</ref> Community members suggested some technical solutions like quota-aware polling with exponential backoff & improved error differentiation between quota & authentication failures.<ref>{{cite web |url=https://github.com/home-assistant/core/issues/151500 |title=BMW integration should handle call quota error · Issue #151500 |website=GitHub |date=2025-08-25 |access-date=2025-01-01}}</ref>

It has been reported that some users began exploring alternative platforms, with discussions on the openHAB community forums about migrating from Home Assistant due to the BMW restrictions.<ref>{{cite web |url=https://www.openhab.org/addons/bindings/mybmw/ |title=MyBMW - Bindings |website=openHAB |date=2025-09-03 |access-date=2025-01-01}}</ref> According to Beebop AI's analysis, utilities faced financial penalties for failing to meet flexibility commitments when losing EV load-shaping capabilities.<ref>{{cite web |url=https://www.beebop.ai/blog/bmw-api-changes-could-disrupt-utilities-using-unapproved-ev-connections |title=BMW API Changes Could Disrupt Utilities Using Unapproved EV Connections |website=Beebop AI |date=2025-09-01 |access-date=2025-01-01}}</ref>

For this ongoing issue, the following actions are being taken by members of the community to draw the attention of BMW:

#Cancel or stop auto-renew of your Connected Drive subscription
#Email your local BMW Connected Drive support address expressing your displeasure
#Leave a negative review on the app store / google play for the BMW or MINI app
#Share the same negative feedback in-app (Under Account > Feedback > App feedback)

Should BMW respond positively, the communitys goal is to have an open discussion with responsible parties to:

* Understand the real/technical background for killing access for HA and others.
* Work out a permanent solution to make the HA integration (+ other smart home solutions) work again. This may be BMWs official HA integration with modifications.
** Solution should be able to provide pull data and send commands from and to the cars we own.
** Send command and pull data at a defined frequency whithout additional costs as long as connected drive is already paid/active (e.g. every 5 minutes). This may require a switch to push-based integration which, with BMWs support should not be a problem.
** Optional live streaming of telemetry data (costs unclear / tbd)

==HomeAssistant & security==

BMW has a long track record of security vulnerabilities, none of which have ever been linked to Home Assistant.

==Past data security incidents==
BMW's justification for API restrictions cited ''"security"'' concerns, yet BMW has a documented history of severe security failures that exposed millions of customers to risks far greater than any posed by home automation integrations.

===ConnectedDrive vulnerability (2015)===
In 2015, security researcher Dieter Spaar discovered critical flaws in BMW's ConnectedDrive system that left 2.2 million vehicles vulnerable to remote attacks. The vulnerabilities included using identical symmetric encryption keys across all vehicles, failing to encrypt communications between cars & BMW's backend servers, & relying on the obsolete DES encryption standard.<ref>{{cite web |title=How To Hack a BMW: Details On the Security Flaw That Affected 2.2 Million Cars |website=Slashdot |date=2015-02-07 |url=https://it.slashdot.org/story/15/02/07/0432254/how-to-hack-a-bmw-details-on-the-security-flaw-that-affected-22-million-cars |access-date=2025-01-01}}</ref> These basic security oversights allowed attackers to remotely unlock vehicles by standing within a few hundred feet with cellular network emulation equipment.

===Multiple vehicle vulnerabilities (2018)===
Keen Security Lab researchers identified 14 vulnerabilities affecting BMW i Series, X Series, 3 Series, 5 Series & 7 Series vehicles. The flaws enabled both local & remote attacks on infotainment systems, Telematics Control Units, & CAN bus controls.<ref>{{cite web |title=BMW Fixes Security Flaws in Several Well-Known Car Models |website=Bleeping Computer |date=2018-05-23 |url=https://www.bleepingcomputer.com/news/security/bmw-fixes-security-flaws-in-several-well-known-car-models/ |access-date=2025-01-01}}</ref> Six vulnerabilities could be exploited remotely via Bluetooth & cellular networks without authentication.

===APT infiltration (2019)===
The Vietnamese state-sponsored hacking group OceanLotus (APT32) breached BMW's corporate networks & remained undetected from March 2019 until December 2019. The attackers deployed Cobalt Strike malware for espionage & remote control.<ref>{{cite web |title=BMW Infiltrated by Hackers Hunting for Automotive Trade Secrets |website=Bleeping Computer |date=2019-12-06 |url=https://www.bleepingcomputer.com/news/security/bmw-infiltrated-by-hackers-hunting-for-automotive-trade-secrets/ |access-date=2025-01-01}}</ref> BMW's security team discovered the breach but monitored the hackers for months before finally removing them from the network.<ref>{{cite web |title=BMW Hacked - OceanLotus Hackers Group Penetrate the BMW Networks |website=GBHackers |date=2019-12-07 |url=https://gbhackers.com/bmw-hacked/ |access-date=2025-01-01}}</ref>

===UK customer database breach (2020)===
The KelvinSecurity hacking group compromised personal information of 384,319 BMW customers in the UK & offered it for sale on darknet forums. The exposed data included names, email addresses, vehicle registration numbers, residential addresses, & dealership information from 2016-2018.<ref>{{cite web |title=Data Breach Affects 384,319 BMW Customers in the U.K. |website=CISO Magazine |date=2020-07-06 |url=https://cisomag.com/bmw-data-breach/ |access-date=2025-01-01}}</ref> The database was allegedly obtained through a call center handling customer information for multiple automotive brands.

===BMW France ransomware attack (2023)===
The Play ransomware group claimed to have breached BMW France's systems in March 2023.<ref>{{cite web |title=BMW Data Breach Puts Customers Information At Risk! |website=The Cyber Express |date=2023-03-29 |url=https://thecyberexpress.com/bmw-data-breach-customers-information-risk/ |access-date=2025-01-01}}</ref> In 2022, BMW France had previously suffered a cybersecurity incident when its Twitter & Instagram accounts were compromised.

===Azure misconfiguration (2024)===
In early 2024, researchers discovered a misconfigured Microsoft Azure storage bucket that exposed BMW's private keys, credentials & other sensitive internal data to the public internet.<ref>{{cite web |title=BMW Security Error Left Valuable Private Company Data Exposed Online |website=TechRadar |date=2024-03-14 |url=https://www.techradar.com/pro/security/bmw-security-error-left-valuable-private-company-data-exposed-online |access-date=2025-09-04}}</ref>

===Hong Kong dealer breach (2024)===
BMW Concessionaires in Hong Kong suffered a breach in July 2024 exposing personal data of approximately 14,000 customers, including names & mobile numbers.<ref>{{cite web |title=BMW Hong Kong Data Breach Exposes Customer Information |website=Daily Security Review |date=2024-07-05 |url=https://dailysecurityreview.com/security-spotlight/bmw-data-breach/ |access-date=2025-09-04}}</ref>

===BMW Financial Services breach (2025)===
In February 2025, BMW Financial Services North America reported a breach via its vendor AIS InfoSource LP affecting nearly 2,000 individuals, with exposed data including names, Social Security numbers, account numbers & more.<ref>{{cite web |title=BMW Financial Services Data Breach Affects Nearly 2,000 Customers |website=Claim Depot |date=2025-03-01 |url=https://www.claimdepot.com/investigations/bmw-financial-services-data-breach-2025 |access-date=2025-09-04}}</ref>

===Pattern of security failures===
These incidents demonstrate BMW's inability to implement basic security practices, including encryption, access controls, & breach detection. The company's claim that restricting legitimate customer access to their own vehicle data is necessary for ''"security"'' , which to users appears contradictory given their documented failures to secure data through proper technical measures rather than access restrictions.

==References==
{{reflist}}

[[Category:BMW]]
[[Category:Digital restrictions]]
[[Category:API restrictions]]
[[Category:Home automation]]
[[Category:2025 incidents]]

BMW API restrictions

2025-09-29T16:55:10Z

SGXander: update consumer actions

BMW has a subscription-based service called ConnectedDrive. BMW chose to restrict this service, making certain functions removed or not as powerful, causing issues for many users.{{IncidentCargo
|Company=BMW
|StartDate=2025-08-30
|Status=Active
|ProductLine=vehicles
|Product=vehicles, cars, automobiles
|ArticleType=Product
|Type=Digital restrictions
|Description=BMW destroys home assistant integration for customers of BMW's online services subscriptions
}}

==Background==
BMW ConnectedDrive is a subscription-based service that provides remote access to [[BMW]] vehicles through mobile applications & APIs, with tiers ranging from $50 to $150 per year after a free 3-year period.<ref>{{cite web |date=2025-06-27 |title=What You're Really Paying For With BMW ConnectedDrive |url=https://www.bimmer-mag.com/bmw-connected-drive-price/ |access-date=2025-01-01 |website=Bimmer Mag}}</ref> The service enables features such as remote climate control, vehicle location tracking, & electric car charging management through BMW's official mobile applications.<ref>{{cite web |date=2025-01-01 |title=BMW ConnectedDrive App Subscription Products, Store and Services |url=https://www.bmwusa.com/explore/connecteddrive.html |access-date=2025-01-01 |website=BMW USA}}</ref>

Home Assistant is an open-source home automation platform that allows users to integrate various smart home devices & services, including vehicle data through manufacturer APIs, with over 5000+ users of the BMW integration as of September 4th, 2025<ref>{{Cite web |title=Integrations {{!}} Home Assistant Analytics |url=https://analytics.home-assistant.io/integrations/}}</ref>. This number only counts users who did not turn off analytics.

According to discussions on the BMW i4 Forum, many BMW electric car users use this integration to optimize charging based on solar panel production, time-of-use electricity rates, & home energy management systems.<ref>{{cite web |url=https://www.i4talk.com/threads/smarter-charging-with-home-assistant.5441/ |title=Smarter Charging with Home Assistant |website=BMW i4 Forum |date=2024-05-20 |access-date=2025-01-01}}</ref> The integration was highly valued by users who paid for BMW's ConnectedDrive subscriptions & expected to maintain API access for their automation needs.

==Incident==
According to user reports documented in GitHub issue #149750, BMW began notifying users through its Android application in July 2025 about upcoming changes to charge control APIs.<ref>{{cite web |url=https://github.com/home-assistant/core/issues/149750 |title=Upcoming API changes notification from BMW · Issue #149750 |website=GitHub |date=2025-07-31 |access-date=2025-01-01}}</ref> The notifications stated th''e'' following: <blockquote>''"to ensure the security of your personal data, and to better protect your vehicle, the option of allowing third-party providers to control your vehicle charging will be limited from September."''<ref>{{cite web |url=https://github.com/home-assistant/core/issues/149750 |title=Upcoming API changes notification from BMW · Issue #149750 |website=GitHub |date=2025-07-31 |access-date=2025-01-01}}</ref></blockquote>On August 30, 2025, BMW implemented strict API rate limiting that affected third-party applications. According to GitHub issue #151500, error logs showed HTTP 403 Forbidden responses with messages indicating '''"Out of call volume quota. Quota will be replenished in 00:49:03."'''<ref>{{cite web |url=https://github.com/home-assistant/core/issues/151500 |title=BMW integration should handle call quota error · Issue #151500 |website=GitHub |date=2025-08-25 |access-date=2025-01-01}}</ref> Users reported that the quota appeared to be limited to approximately 100 API calls per 24-hour period, far below the polling requirements of home automation systems.<ref>{{cite web |url=https://github.com/home-assistant/core/issues/151502 |title=BMW Connected Drive Quota · Issue #151502 |website=GitHub |date=2025-08-25 |access-date=2025-01-01}}</ref>

Between September 1 and September 3, 2025, the Home Assistant community attempted various technical workarounds. According to discussions on the BMW i4 Forum, initial user-agent spoofing proved temporarily successful, with users reporting that mimicking official BMW app signatures allowed continued access.<ref>{{cite web |url=https://www.i4talk.com/threads/anyone-using-home-assistant-for-their-i4-with-bmw-connected-drive.9126/ |title=anyone using Home Assistant for their i4 with BMW connected drive? |website=BMW i4 Forum |date=2025-09-02 |access-date=2025-01-01}}</ref> By September 3, 2025, these workarounds ceased functioning, with community members confirming that BMW had implemented additional detection methods.<ref>{{cite web |url=https://github.com/home-assistant/core/issues/149750 |title=Upcoming API changes notification from BMW · Issue #149750 |website=GitHub |date=2025-09-03 |access-date=2025-01-01}}</ref>

According to industry analysis by Beebop AI, the restrictions affected over 1.5 million vehicles and disrupted utilities using reverse-engineered BMW APIs for demand response & grid stability programs.<ref>{{cite web |url=https://www.beebop.ai/blog/bmw-api-changes-could-disrupt-utilities-using-unapproved-ev-connections |title=BMW API Changes Could Disrupt Utilities Using Unapproved EV Connections |website=Beebop AI |date=2025-09-01 |access-date=2025-01-01}}</ref> The timing occurred days before the EU Data Act's implementation on September 12, 2025, which requires manufacturers to provide users with access to their vehicle data.<ref>{{cite web |url=https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng |title=Regulation (EU) 2023/2854 |website=EUR-Lex |date=2023-12-13 |access-date=2025-01-01}}</ref>

On September 26, after 3 weeks of calm, BMW have made further restrictions blocking access to the API entirely.<ref>{{Cite web |date=2025-09-26 |title=BMW Connected Drive - Requires continuous re-authentications and still, errors for Login requires captcha validation #152646 |url=https://github.com/home-assistant/core/issues/152646 |website=Github}}</ref>

===BMW's response===
According to the notifications sent through the BMW mobile application, the company cited ''"security"'' & ''"safety"'' as justifications for the API restrictions.<ref>{{cite web |url=https://github.com/home-assistant/core/issues/149750 |title=Upcoming API changes notification from BMW · Issue #149750 |website=GitHub |date=2025-07-31 |access-date=2025-01-01}}</ref> The notifications directed users to a FAQ page listing approved electricity providers that would maintain access to vehicle charging control.<ref>{{cite web |url=https://www.i4talk.com/threads/bmw-to-disable-remote-charging-control-api.14532/ |title=BMW to disable remote charging control API |website=BMW i4 Forum |date=2025-08-01 |access-date=2025-01-01}}</ref>

BMW has not issued an official press release or public statement regarding the API restrictions beyond the in-app notifications. According to user reports on GitHub, attempts to contact BMW customer service resulted in '''''"boilerplate responses citing security as a reason for these very targeted actions."'''''<ref>{{cite web |url=https://github.com/home-assistant/core/issues/149750 |title=Upcoming API changes notification from BMW · Issue #149750 |website=GitHub |date=2025-08-31 |access-date=2025-01-01}}</ref> The company has maintained partnerships with approved charging networks including Electrify America, Shell Recharge, & EVgo.<ref>{{cite web |url=https://www.bmwusa.com/charging.html |title=BMW Electric Vehicle Charging |website=BMW USA |date=2025-01-01 |access-date=2025-01-01}}</ref>

==Consumer response==
The Home Assistant community posted & documented many integration failures through multiple GitHub issues, with issue #149750 receiving over 250 comments from users getting negatively affected by this.<ref>{{cite web |url=https://github.com/home-assistant/core/issues/149750 |title=Upcoming API changes notification from BMW · Issue #149750 |website=GitHub |date=2025-09-04 |access-date=2025-01-01}}</ref> Users report complete loss of automated EV charging management & broken solar panel integration logic.<ref>{{cite web |url=https://community.home-assistant.io/t/bmw-integration-no-support-from-september-for-thirtparty-providers-like-ha/916187 |title=BMW integration: No support from September for thirtparty providers like HA |website=Home Assistant Community |date=2025-09-01 |access-date=2025-01-01}}</ref>

According to forum discussions, affected users attempted multiple technical solutions between August 30 and September 3, 2025, including polling rate reduction, QR code re-authentication, & regional API switching.<ref>{{cite web |url=https://www.i4talk.com/threads/anyone-using-home-assistant-for-their-i4-with-bmw-connected-drive.9126/ |title=anyone using Home Assistant for their i4 with BMW connected drive? |website=BMW i4 Forum |date=2025-09-02 |access-date=2025-01-01}}</ref> Community members suggested some technical solutions like quota-aware polling with exponential backoff & improved error differentiation between quota & authentication failures.<ref>{{cite web |url=https://github.com/home-assistant/core/issues/151500 |title=BMW integration should handle call quota error · Issue #151500 |website=GitHub |date=2025-08-25 |access-date=2025-01-01}}</ref>

It has been reported that some users began exploring alternative platforms, with discussions on the openHAB community forums about migrating from Home Assistant due to the BMW restrictions.<ref>{{cite web |url=https://www.openhab.org/addons/bindings/mybmw/ |title=MyBMW - Bindings |website=openHAB |date=2025-09-03 |access-date=2025-01-01}}</ref> According to Beebop AI's analysis, utilities faced financial penalties for failing to meet flexibility commitments when losing EV load-shaping capabilities.<ref>{{cite web |url=https://www.beebop.ai/blog/bmw-api-changes-could-disrupt-utilities-using-unapproved-ev-connections |title=BMW API Changes Could Disrupt Utilities Using Unapproved EV Connections |website=Beebop AI |date=2025-09-01 |access-date=2025-01-01}}</ref>

For this ongoing issue, the following actions are being taken by members of the community:

#Cancel or stop auto-renew of your Connected Drive subscription
#Email your local BMW Connected Drive support address expressing your displeasure
#Leave a negative review on the app store / google play for the BMW or MINI app
#Share the same negative feedback in-app (Under Account > Feedback > App feedback)

==HomeAssistant & security==

BMW has a long track record of security vulnerabilities, none of which have ever been linked to Home Assistant.

==Past data security incidents==
BMW's justification for API restrictions cited ''"security"'' concerns, yet BMW has a documented history of severe security failures that exposed millions of customers to risks far greater than any posed by home automation integrations.

===ConnectedDrive vulnerability (2015)===
In 2015, security researcher Dieter Spaar discovered critical flaws in BMW's ConnectedDrive system that left 2.2 million vehicles vulnerable to remote attacks. The vulnerabilities included using identical symmetric encryption keys across all vehicles, failing to encrypt communications between cars & BMW's backend servers, & relying on the obsolete DES encryption standard.<ref>{{cite web |title=How To Hack a BMW: Details On the Security Flaw That Affected 2.2 Million Cars |website=Slashdot |date=2015-02-07 |url=https://it.slashdot.org/story/15/02/07/0432254/how-to-hack-a-bmw-details-on-the-security-flaw-that-affected-22-million-cars |access-date=2025-01-01}}</ref> These basic security oversights allowed attackers to remotely unlock vehicles by standing within a few hundred feet with cellular network emulation equipment.

===Multiple vehicle vulnerabilities (2018)===
Keen Security Lab researchers identified 14 vulnerabilities affecting BMW i Series, X Series, 3 Series, 5 Series & 7 Series vehicles. The flaws enabled both local & remote attacks on infotainment systems, Telematics Control Units, & CAN bus controls.<ref>{{cite web |title=BMW Fixes Security Flaws in Several Well-Known Car Models |website=Bleeping Computer |date=2018-05-23 |url=https://www.bleepingcomputer.com/news/security/bmw-fixes-security-flaws-in-several-well-known-car-models/ |access-date=2025-01-01}}</ref> Six vulnerabilities could be exploited remotely via Bluetooth & cellular networks without authentication.

===APT infiltration (2019)===
The Vietnamese state-sponsored hacking group OceanLotus (APT32) breached BMW's corporate networks & remained undetected from March 2019 until December 2019. The attackers deployed Cobalt Strike malware for espionage & remote control.<ref>{{cite web |title=BMW Infiltrated by Hackers Hunting for Automotive Trade Secrets |website=Bleeping Computer |date=2019-12-06 |url=https://www.bleepingcomputer.com/news/security/bmw-infiltrated-by-hackers-hunting-for-automotive-trade-secrets/ |access-date=2025-01-01}}</ref> BMW's security team discovered the breach but monitored the hackers for months before finally removing them from the network.<ref>{{cite web |title=BMW Hacked - OceanLotus Hackers Group Penetrate the BMW Networks |website=GBHackers |date=2019-12-07 |url=https://gbhackers.com/bmw-hacked/ |access-date=2025-01-01}}</ref>

===UK customer database breach (2020)===
The KelvinSecurity hacking group compromised personal information of 384,319 BMW customers in the UK & offered it for sale on darknet forums. The exposed data included names, email addresses, vehicle registration numbers, residential addresses, & dealership information from 2016-2018.<ref>{{cite web |title=Data Breach Affects 384,319 BMW Customers in the U.K. |website=CISO Magazine |date=2020-07-06 |url=https://cisomag.com/bmw-data-breach/ |access-date=2025-01-01}}</ref> The database was allegedly obtained through a call center handling customer information for multiple automotive brands.

===BMW France ransomware attack (2023)===
The Play ransomware group claimed to have breached BMW France's systems in March 2023.<ref>{{cite web |title=BMW Data Breach Puts Customers Information At Risk! |website=The Cyber Express |date=2023-03-29 |url=https://thecyberexpress.com/bmw-data-breach-customers-information-risk/ |access-date=2025-01-01}}</ref> In 2022, BMW France had previously suffered a cybersecurity incident when its Twitter & Instagram accounts were compromised.

===Azure misconfiguration (2024)===
In early 2024, researchers discovered a misconfigured Microsoft Azure storage bucket that exposed BMW's private keys, credentials & other sensitive internal data to the public internet.<ref>{{cite web |title=BMW Security Error Left Valuable Private Company Data Exposed Online |website=TechRadar |date=2024-03-14 |url=https://www.techradar.com/pro/security/bmw-security-error-left-valuable-private-company-data-exposed-online |access-date=2025-09-04}}</ref>

===Hong Kong dealer breach (2024)===
BMW Concessionaires in Hong Kong suffered a breach in July 2024 exposing personal data of approximately 14,000 customers, including names & mobile numbers.<ref>{{cite web |title=BMW Hong Kong Data Breach Exposes Customer Information |website=Daily Security Review |date=2024-07-05 |url=https://dailysecurityreview.com/security-spotlight/bmw-data-breach/ |access-date=2025-09-04}}</ref>

===BMW Financial Services breach (2025)===
In February 2025, BMW Financial Services North America reported a breach via its vendor AIS InfoSource LP affecting nearly 2,000 individuals, with exposed data including names, Social Security numbers, account numbers & more.<ref>{{cite web |title=BMW Financial Services Data Breach Affects Nearly 2,000 Customers |website=Claim Depot |date=2025-03-01 |url=https://www.claimdepot.com/investigations/bmw-financial-services-data-breach-2025 |access-date=2025-09-04}}</ref>

===Pattern of security failures===
These incidents demonstrate BMW's inability to implement basic security practices, including encryption, access controls, & breach detection. The company's claim that restricting legitimate customer access to their own vehicle data is necessary for ''"security"'' , which to users appears contradictory given their documented failures to secure data through proper technical measures rather than access restrictions.

==References==
{{reflist}}

[[Category:BMW]]
[[Category:Digital restrictions]]
[[Category:API restrictions]]
[[Category:Home automation]]
[[Category:2025 incidents]]

BMW API restrictions

2025-09-29T16:43:23Z

SGXander: added consumer response actions for people to adopt in the hopes of changing BMWs mind on this.

BMW has a subscription-based service called ConnectedDrive. BMW chose to restrict this service, making certain functions removed or not as powerful, causing issues for many users.{{IncidentCargo
|Company=BMW
|StartDate=2025-08-30
|Status=Active
|ProductLine=vehicles
|Product=vehicles, cars, automobiles
|ArticleType=Product
|Type=Digital restrictions
|Description=BMW destroys home assistant integration for customers of BMW's online services subscriptions
}}

==Background==
BMW ConnectedDrive is a subscription-based service that provides remote access to [[BMW]] vehicles through mobile applications & APIs, with tiers ranging from $50 to $150 per year after a free 3-year period.<ref>{{cite web |date=2025-06-27 |title=What You're Really Paying For With BMW ConnectedDrive |url=https://www.bimmer-mag.com/bmw-connected-drive-price/ |access-date=2025-01-01 |website=Bimmer Mag}}</ref> The service enables features such as remote climate control, vehicle location tracking, & electric car charging management through BMW's official mobile applications.<ref>{{cite web |date=2025-01-01 |title=BMW ConnectedDrive App Subscription Products, Store and Services |url=https://www.bmwusa.com/explore/connecteddrive.html |access-date=2025-01-01 |website=BMW USA}}</ref>

Home Assistant is an open-source home automation platform that allows users to integrate various smart home devices & services, including vehicle data through manufacturer APIs, with over 5000+ users of the BMW integration as of September 4th, 2025<ref>{{Cite web |title=Integrations {{!}} Home Assistant Analytics |url=https://analytics.home-assistant.io/integrations/}}</ref>. This number only counts users who did not turn off analytics.

According to discussions on the BMW i4 Forum, many BMW electric car users use this integration to optimize charging based on solar panel production, time-of-use electricity rates, & home energy management systems.<ref>{{cite web |url=https://www.i4talk.com/threads/smarter-charging-with-home-assistant.5441/ |title=Smarter Charging with Home Assistant |website=BMW i4 Forum |date=2024-05-20 |access-date=2025-01-01}}</ref> The integration was highly valued by users who paid for BMW's ConnectedDrive subscriptions & expected to maintain API access for their automation needs.

==Incident==
According to user reports documented in GitHub issue #149750, BMW began notifying users through its Android application in July 2025 about upcoming changes to charge control APIs.<ref>{{cite web |url=https://github.com/home-assistant/core/issues/149750 |title=Upcoming API changes notification from BMW · Issue #149750 |website=GitHub |date=2025-07-31 |access-date=2025-01-01}}</ref> The notifications stated th''e'' following: <blockquote>''"to ensure the security of your personal data, and to better protect your vehicle, the option of allowing third-party providers to control your vehicle charging will be limited from September."''<ref>{{cite web |url=https://github.com/home-assistant/core/issues/149750 |title=Upcoming API changes notification from BMW · Issue #149750 |website=GitHub |date=2025-07-31 |access-date=2025-01-01}}</ref></blockquote>On August 30, 2025, BMW implemented strict API rate limiting that affected third-party applications. According to GitHub issue #151500, error logs showed HTTP 403 Forbidden responses with messages indicating '''"Out of call volume quota. Quota will be replenished in 00:49:03."'''<ref>{{cite web |url=https://github.com/home-assistant/core/issues/151500 |title=BMW integration should handle call quota error · Issue #151500 |website=GitHub |date=2025-08-25 |access-date=2025-01-01}}</ref> Users reported that the quota appeared to be limited to approximately 100 API calls per 24-hour period, far below the polling requirements of home automation systems.<ref>{{cite web |url=https://github.com/home-assistant/core/issues/151502 |title=BMW Connected Drive Quota · Issue #151502 |website=GitHub |date=2025-08-25 |access-date=2025-01-01}}</ref>

Between September 1 and September 3, 2025, the Home Assistant community attempted various technical workarounds. According to discussions on the BMW i4 Forum, initial user-agent spoofing proved temporarily successful, with users reporting that mimicking official BMW app signatures allowed continued access.<ref>{{cite web |url=https://www.i4talk.com/threads/anyone-using-home-assistant-for-their-i4-with-bmw-connected-drive.9126/ |title=anyone using Home Assistant for their i4 with BMW connected drive? |website=BMW i4 Forum |date=2025-09-02 |access-date=2025-01-01}}</ref> By September 3, 2025, these workarounds ceased functioning, with community members confirming that BMW had implemented additional detection methods.<ref>{{cite web |url=https://github.com/home-assistant/core/issues/149750 |title=Upcoming API changes notification from BMW · Issue #149750 |website=GitHub |date=2025-09-03 |access-date=2025-01-01}}</ref>

According to industry analysis by Beebop AI, the restrictions affected over 1.5 million vehicles and disrupted utilities using reverse-engineered BMW APIs for demand response & grid stability programs.<ref>{{cite web |url=https://www.beebop.ai/blog/bmw-api-changes-could-disrupt-utilities-using-unapproved-ev-connections |title=BMW API Changes Could Disrupt Utilities Using Unapproved EV Connections |website=Beebop AI |date=2025-09-01 |access-date=2025-01-01}}</ref> The timing occurred days before the EU Data Act's implementation on September 12, 2025, which requires manufacturers to provide users with access to their vehicle data.<ref>{{cite web |url=https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng |title=Regulation (EU) 2023/2854 |website=EUR-Lex |date=2023-12-13 |access-date=2025-01-01}}</ref>

On September 26, after 3 weeks of calm, BMW have made further restrictions blocking access to the API entirely.<ref>{{Cite web |date=2025-09-26 |title=BMW Connected Drive - Requires continuous re-authentications and still, errors for Login requires captcha validation #152646 |url=https://github.com/home-assistant/core/issues/152646 |website=Github}}</ref>

===BMW's response===
According to the notifications sent through the BMW mobile application, the company cited ''"security"'' & ''"safety"'' as justifications for the API restrictions.<ref>{{cite web |url=https://github.com/home-assistant/core/issues/149750 |title=Upcoming API changes notification from BMW · Issue #149750 |website=GitHub |date=2025-07-31 |access-date=2025-01-01}}</ref> The notifications directed users to a FAQ page listing approved electricity providers that would maintain access to vehicle charging control.<ref>{{cite web |url=https://www.i4talk.com/threads/bmw-to-disable-remote-charging-control-api.14532/ |title=BMW to disable remote charging control API |website=BMW i4 Forum |date=2025-08-01 |access-date=2025-01-01}}</ref>

BMW has not issued an official press release or public statement regarding the API restrictions beyond the in-app notifications. According to user reports on GitHub, attempts to contact BMW customer service resulted in '''''"boilerplate responses citing security as a reason for these very targeted actions."'''''<ref>{{cite web |url=https://github.com/home-assistant/core/issues/149750 |title=Upcoming API changes notification from BMW · Issue #149750 |website=GitHub |date=2025-08-31 |access-date=2025-01-01}}</ref> The company has maintained partnerships with approved charging networks including Electrify America, Shell Recharge, & EVgo.<ref>{{cite web |url=https://www.bmwusa.com/charging.html |title=BMW Electric Vehicle Charging |website=BMW USA |date=2025-01-01 |access-date=2025-01-01}}</ref>

==Consumer response==
The Home Assistant community posted & documented many integration failures through multiple GitHub issues, with issue #149750 receiving over 250 comments from users getting negatively affected by this.<ref>{{cite web |url=https://github.com/home-assistant/core/issues/149750 |title=Upcoming API changes notification from BMW · Issue #149750 |website=GitHub |date=2025-09-04 |access-date=2025-01-01}}</ref> Users report complete loss of automated EV charging management & broken solar panel integration logic.<ref>{{cite web |url=https://community.home-assistant.io/t/bmw-integration-no-support-from-september-for-thirtparty-providers-like-ha/916187 |title=BMW integration: No support from September for thirtparty providers like HA |website=Home Assistant Community |date=2025-09-01 |access-date=2025-01-01}}</ref>

According to forum discussions, affected users attempted multiple technical solutions between August 30 and September 3, 2025, including polling rate reduction, QR code re-authentication, & regional API switching.<ref>{{cite web |url=https://www.i4talk.com/threads/anyone-using-home-assistant-for-their-i4-with-bmw-connected-drive.9126/ |title=anyone using Home Assistant for their i4 with BMW connected drive? |website=BMW i4 Forum |date=2025-09-02 |access-date=2025-01-01}}</ref> Community members suggested some technical solutions like quota-aware polling with exponential backoff & improved error differentiation between quota & authentication failures.<ref>{{cite web |url=https://github.com/home-assistant/core/issues/151500 |title=BMW integration should handle call quota error · Issue #151500 |website=GitHub |date=2025-08-25 |access-date=2025-01-01}}</ref>

It has been reported that some users began exploring alternative platforms, with discussions on the openHAB community forums about migrating from Home Assistant due to the BMW restrictions.<ref>{{cite web |url=https://www.openhab.org/addons/bindings/mybmw/ |title=MyBMW - Bindings |website=openHAB |date=2025-09-03 |access-date=2025-01-01}}</ref> According to Beebop AI's analysis, utilities faced financial penalties for failing to meet flexibility commitments when losing EV load-shaping capabilities.<ref>{{cite web |url=https://www.beebop.ai/blog/bmw-api-changes-could-disrupt-utilities-using-unapproved-ev-connections |title=BMW API Changes Could Disrupt Utilities Using Unapproved EV Connections |website=Beebop AI |date=2025-09-01 |access-date=2025-01-01}}</ref>

For this ongoing issue, the following actions are being taken by members of the community:

# Email your local BMW Connected Drive support address expressing your displeasure
# Leave a negative review on the app store / google play for the BMW or MINI app
# Cancel or stop auto-renew of your Connected Drive subscription

==HomeAssistant & security==

BMW has a long track record of security vulnerabilities, none of which have ever been linked to Home Assistant.

==Past data security incidents==
BMW's justification for API restrictions cited ''"security"'' concerns, yet BMW has a documented history of severe security failures that exposed millions of customers to risks far greater than any posed by home automation integrations.

===ConnectedDrive vulnerability (2015)===
In 2015, security researcher Dieter Spaar discovered critical flaws in BMW's ConnectedDrive system that left 2.2 million vehicles vulnerable to remote attacks. The vulnerabilities included using identical symmetric encryption keys across all vehicles, failing to encrypt communications between cars & BMW's backend servers, & relying on the obsolete DES encryption standard.<ref>{{cite web |title=How To Hack a BMW: Details On the Security Flaw That Affected 2.2 Million Cars |website=Slashdot |date=2015-02-07 |url=https://it.slashdot.org/story/15/02/07/0432254/how-to-hack-a-bmw-details-on-the-security-flaw-that-affected-22-million-cars |access-date=2025-01-01}}</ref> These basic security oversights allowed attackers to remotely unlock vehicles by standing within a few hundred feet with cellular network emulation equipment.

===Multiple vehicle vulnerabilities (2018)===
Keen Security Lab researchers identified 14 vulnerabilities affecting BMW i Series, X Series, 3 Series, 5 Series & 7 Series vehicles. The flaws enabled both local & remote attacks on infotainment systems, Telematics Control Units, & CAN bus controls.<ref>{{cite web |title=BMW Fixes Security Flaws in Several Well-Known Car Models |website=Bleeping Computer |date=2018-05-23 |url=https://www.bleepingcomputer.com/news/security/bmw-fixes-security-flaws-in-several-well-known-car-models/ |access-date=2025-01-01}}</ref> Six vulnerabilities could be exploited remotely via Bluetooth & cellular networks without authentication.

===APT infiltration (2019)===
The Vietnamese state-sponsored hacking group OceanLotus (APT32) breached BMW's corporate networks & remained undetected from March 2019 until December 2019. The attackers deployed Cobalt Strike malware for espionage & remote control.<ref>{{cite web |title=BMW Infiltrated by Hackers Hunting for Automotive Trade Secrets |website=Bleeping Computer |date=2019-12-06 |url=https://www.bleepingcomputer.com/news/security/bmw-infiltrated-by-hackers-hunting-for-automotive-trade-secrets/ |access-date=2025-01-01}}</ref> BMW's security team discovered the breach but monitored the hackers for months before finally removing them from the network.<ref>{{cite web |title=BMW Hacked - OceanLotus Hackers Group Penetrate the BMW Networks |website=GBHackers |date=2019-12-07 |url=https://gbhackers.com/bmw-hacked/ |access-date=2025-01-01}}</ref>

===UK customer database breach (2020)===
The KelvinSecurity hacking group compromised personal information of 384,319 BMW customers in the UK & offered it for sale on darknet forums. The exposed data included names, email addresses, vehicle registration numbers, residential addresses, & dealership information from 2016-2018.<ref>{{cite web |title=Data Breach Affects 384,319 BMW Customers in the U.K. |website=CISO Magazine |date=2020-07-06 |url=https://cisomag.com/bmw-data-breach/ |access-date=2025-01-01}}</ref> The database was allegedly obtained through a call center handling customer information for multiple automotive brands.

===BMW France ransomware attack (2023)===
The Play ransomware group claimed to have breached BMW France's systems in March 2023.<ref>{{cite web |title=BMW Data Breach Puts Customers Information At Risk! |website=The Cyber Express |date=2023-03-29 |url=https://thecyberexpress.com/bmw-data-breach-customers-information-risk/ |access-date=2025-01-01}}</ref> In 2022, BMW France had previously suffered a cybersecurity incident when its Twitter & Instagram accounts were compromised.

===Azure misconfiguration (2024)===
In early 2024, researchers discovered a misconfigured Microsoft Azure storage bucket that exposed BMW's private keys, credentials & other sensitive internal data to the public internet.<ref>{{cite web |title=BMW Security Error Left Valuable Private Company Data Exposed Online |website=TechRadar |date=2024-03-14 |url=https://www.techradar.com/pro/security/bmw-security-error-left-valuable-private-company-data-exposed-online |access-date=2025-09-04}}</ref>

===Hong Kong dealer breach (2024)===
BMW Concessionaires in Hong Kong suffered a breach in July 2024 exposing personal data of approximately 14,000 customers, including names & mobile numbers.<ref>{{cite web |title=BMW Hong Kong Data Breach Exposes Customer Information |website=Daily Security Review |date=2024-07-05 |url=https://dailysecurityreview.com/security-spotlight/bmw-data-breach/ |access-date=2025-09-04}}</ref>

===BMW Financial Services breach (2025)===
In February 2025, BMW Financial Services North America reported a breach via its vendor AIS InfoSource LP affecting nearly 2,000 individuals, with exposed data including names, Social Security numbers, account numbers & more.<ref>{{cite web |title=BMW Financial Services Data Breach Affects Nearly 2,000 Customers |website=Claim Depot |date=2025-03-01 |url=https://www.claimdepot.com/investigations/bmw-financial-services-data-breach-2025 |access-date=2025-09-04}}</ref>

===Pattern of security failures===
These incidents demonstrate BMW's inability to implement basic security practices, including encryption, access controls, & breach detection. The company's claim that restricting legitimate customer access to their own vehicle data is necessary for ''"security"'' , which to users appears contradictory given their documented failures to secure data through proper technical measures rather than access restrictions.

==References==
{{reflist}}

[[Category:BMW]]
[[Category:Digital restrictions]]
[[Category:API restrictions]]
[[Category:Home automation]]
[[Category:2025 incidents]]

BMW API restrictions

2025-09-26T16:04:41Z

SGXander: added information regarding further restrictions on the 26th of September

BMW has a subscription-based service called ConnectedDrive. BMW chose to restrict this service, making certain functions removed or not as powerful, causing issues for many users.{{IncidentCargo
|Company=BMW
|StartDate=2025-08-30
|Status=Active
|ProductLine=vehicles
|Product=vehicles, cars, automobiles
|ArticleType=Product
|Type=Digital restrictions
|Description=BMW destroys home assistant integration for customers of BMW's online services subscriptions
}}

==Background==
BMW ConnectedDrive is a subscription-based service that provides remote access to [[BMW]] vehicles through mobile applications & APIs, with tiers ranging from $50 to $150 per year after a free 3-year period.<ref>{{cite web |date=2025-06-27 |title=What You're Really Paying For With BMW ConnectedDrive |url=https://www.bimmer-mag.com/bmw-connected-drive-price/ |access-date=2025-01-01 |website=Bimmer Mag}}</ref> The service enables features such as remote climate control, vehicle location tracking, & electric car charging management through BMW's official mobile applications.<ref>{{cite web |date=2025-01-01 |title=BMW ConnectedDrive App Subscription Products, Store and Services |url=https://www.bmwusa.com/explore/connecteddrive.html |access-date=2025-01-01 |website=BMW USA}}</ref>

Home Assistant is an open-source home automation platform that allows users to integrate various smart home devices & services, including vehicle data through manufacturer APIs, with over 5000+ users of the BMW integration as of September 4th, 2025<ref>{{Cite web |title=Integrations {{!}} Home Assistant Analytics |url=https://analytics.home-assistant.io/integrations/}}</ref>. This number only counts users who did not turn off analytics.

According to discussions on the BMW i4 Forum, many BMW electric car users use this integration to optimize charging based on solar panel production, time-of-use electricity rates, & home energy management systems.<ref>{{cite web |url=https://www.i4talk.com/threads/smarter-charging-with-home-assistant.5441/ |title=Smarter Charging with Home Assistant |website=BMW i4 Forum |date=2024-05-20 |access-date=2025-01-01}}</ref> The integration was highly valued by users who paid for BMW's ConnectedDrive subscriptions & expected to maintain API access for their automation needs.

==Incident==
According to user reports documented in GitHub issue #149750, BMW began notifying users through its Android application in July 2025 about upcoming changes to charge control APIs.<ref>{{cite web |url=https://github.com/home-assistant/core/issues/149750 |title=Upcoming API changes notification from BMW · Issue #149750 |website=GitHub |date=2025-07-31 |access-date=2025-01-01}}</ref> The notifications stated th''e'' following: <blockquote>''"to ensure the security of your personal data, and to better protect your vehicle, the option of allowing third-party providers to control your vehicle charging will be limited from September."''<ref>{{cite web |url=https://github.com/home-assistant/core/issues/149750 |title=Upcoming API changes notification from BMW · Issue #149750 |website=GitHub |date=2025-07-31 |access-date=2025-01-01}}</ref></blockquote>On August 30, 2025, BMW implemented strict API rate limiting that affected third-party applications. According to GitHub issue #151500, error logs showed HTTP 403 Forbidden responses with messages indicating '''"Out of call volume quota. Quota will be replenished in 00:49:03."'''<ref>{{cite web |url=https://github.com/home-assistant/core/issues/151500 |title=BMW integration should handle call quota error · Issue #151500 |website=GitHub |date=2025-08-25 |access-date=2025-01-01}}</ref> Users reported that the quota appeared to be limited to approximately 100 API calls per 24-hour period, far below the polling requirements of home automation systems.<ref>{{cite web |url=https://github.com/home-assistant/core/issues/151502 |title=BMW Connected Drive Quota · Issue #151502 |website=GitHub |date=2025-08-25 |access-date=2025-01-01}}</ref>

Between September 1 and September 3, 2025, the Home Assistant community attempted various technical workarounds. According to discussions on the BMW i4 Forum, initial user-agent spoofing proved temporarily successful, with users reporting that mimicking official BMW app signatures allowed continued access.<ref>{{cite web |url=https://www.i4talk.com/threads/anyone-using-home-assistant-for-their-i4-with-bmw-connected-drive.9126/ |title=anyone using Home Assistant for their i4 with BMW connected drive? |website=BMW i4 Forum |date=2025-09-02 |access-date=2025-01-01}}</ref> By September 3, 2025, these workarounds ceased functioning, with community members confirming that BMW had implemented additional detection methods.<ref>{{cite web |url=https://github.com/home-assistant/core/issues/149750 |title=Upcoming API changes notification from BMW · Issue #149750 |website=GitHub |date=2025-09-03 |access-date=2025-01-01}}</ref>

According to industry analysis by Beebop AI, the restrictions affected over 1.5 million vehicles and disrupted utilities using reverse-engineered BMW APIs for demand response & grid stability programs.<ref>{{cite web |url=https://www.beebop.ai/blog/bmw-api-changes-could-disrupt-utilities-using-unapproved-ev-connections |title=BMW API Changes Could Disrupt Utilities Using Unapproved EV Connections |website=Beebop AI |date=2025-09-01 |access-date=2025-01-01}}</ref> The timing occurred days before the EU Data Act's implementation on September 12, 2025, which requires manufacturers to provide users with access to their vehicle data.<ref>{{cite web |url=https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng |title=Regulation (EU) 2023/2854 |website=EUR-Lex |date=2023-12-13 |access-date=2025-01-01}}</ref>

On September 26, after 3 weeks of calm, BMW have made further restrictions blocking access to the API entirely.<ref>{{Cite web |date=2025-09-26 |title=BMW Connected Drive - Requires continuous re-authentications and still, errors for Login requires captcha validation #152646 |url=https://github.com/home-assistant/core/issues/152646 |website=Github}}</ref>

===BMW's response===
According to the notifications sent through the BMW mobile application, the company cited ''"security"'' & ''"safety"'' as justifications for the API restrictions.<ref>{{cite web |url=https://github.com/home-assistant/core/issues/149750 |title=Upcoming API changes notification from BMW · Issue #149750 |website=GitHub |date=2025-07-31 |access-date=2025-01-01}}</ref> The notifications directed users to a FAQ page listing approved electricity providers that would maintain access to vehicle charging control.<ref>{{cite web |url=https://www.i4talk.com/threads/bmw-to-disable-remote-charging-control-api.14532/ |title=BMW to disable remote charging control API |website=BMW i4 Forum |date=2025-08-01 |access-date=2025-01-01}}</ref>

BMW has not issued an official press release or public statement regarding the API restrictions beyond the in-app notifications. According to user reports on GitHub, attempts to contact BMW customer service resulted in '''''"boilerplate responses citing security as a reason for these very targeted actions."'''''<ref>{{cite web |url=https://github.com/home-assistant/core/issues/149750 |title=Upcoming API changes notification from BMW · Issue #149750 |website=GitHub |date=2025-08-31 |access-date=2025-01-01}}</ref> The company has maintained partnerships with approved charging networks including Electrify America, Shell Recharge, & EVgo.<ref>{{cite web |url=https://www.bmwusa.com/charging.html |title=BMW Electric Vehicle Charging |website=BMW USA |date=2025-01-01 |access-date=2025-01-01}}</ref>

==Consumer response==
The Home Assistant community posted & documented many integration failures through multiple GitHub issues, with issue #149750 receiving over 250 comments from users getting negatively affected by this.<ref>{{cite web |url=https://github.com/home-assistant/core/issues/149750 |title=Upcoming API changes notification from BMW · Issue #149750 |website=GitHub |date=2025-09-04 |access-date=2025-01-01}}</ref> Users report complete loss of automated EV charging management & broken solar panel integration logic.<ref>{{cite web |url=https://community.home-assistant.io/t/bmw-integration-no-support-from-september-for-thirtparty-providers-like-ha/916187 |title=BMW integration: No support from September for thirtparty providers like HA |website=Home Assistant Community |date=2025-09-01 |access-date=2025-01-01}}</ref>

According to forum discussions, affected users attempted multiple technical solutions between August 30 and September 3, 2025, including polling rate reduction, QR code re-authentication, & regional API switching.<ref>{{cite web |url=https://www.i4talk.com/threads/anyone-using-home-assistant-for-their-i4-with-bmw-connected-drive.9126/ |title=anyone using Home Assistant for their i4 with BMW connected drive? |website=BMW i4 Forum |date=2025-09-02 |access-date=2025-01-01}}</ref> Community members suggested some technical solutions like quota-aware polling with exponential backoff & improved error differentiation between quota & authentication failures.<ref>{{cite web |url=https://github.com/home-assistant/core/issues/151500 |title=BMW integration should handle call quota error · Issue #151500 |website=GitHub |date=2025-08-25 |access-date=2025-01-01}}</ref>

It has been reported that some users began exploring alternative platforms, with discussions on the openHAB community forums about migrating from Home Assistant due to the BMW restrictions.<ref>{{cite web |url=https://www.openhab.org/addons/bindings/mybmw/ |title=MyBMW - Bindings |website=openHAB |date=2025-09-03 |access-date=2025-01-01}}</ref> According to Beebop AI's analysis, utilities faced financial penalties for failing to meet flexibility commitments when losing EV load-shaping capabilities.<ref>{{cite web |url=https://www.beebop.ai/blog/bmw-api-changes-could-disrupt-utilities-using-unapproved-ev-connections |title=BMW API Changes Could Disrupt Utilities Using Unapproved EV Connections |website=Beebop AI |date=2025-09-01 |access-date=2025-01-01}}</ref>

==HomeAssistant & security==

BMW has a long track record of security vulnerabilities, none of which have ever been linked to Home Assistant.

==Past data security incidents==
BMW's justification for API restrictions cited ''"security"'' concerns, yet BMW has a documented history of severe security failures that exposed millions of customers to risks far greater than any posed by home automation integrations.

===ConnectedDrive vulnerability (2015)===
In 2015, security researcher Dieter Spaar discovered critical flaws in BMW's ConnectedDrive system that left 2.2 million vehicles vulnerable to remote attacks. The vulnerabilities included using identical symmetric encryption keys across all vehicles, failing to encrypt communications between cars & BMW's backend servers, & relying on the obsolete DES encryption standard.<ref>{{cite web |title=How To Hack a BMW: Details On the Security Flaw That Affected 2.2 Million Cars |website=Slashdot |date=2015-02-07 |url=https://it.slashdot.org/story/15/02/07/0432254/how-to-hack-a-bmw-details-on-the-security-flaw-that-affected-22-million-cars |access-date=2025-01-01}}</ref> These basic security oversights allowed attackers to remotely unlock vehicles by standing within a few hundred feet with cellular network emulation equipment.

===Multiple vehicle vulnerabilities (2018)===
Keen Security Lab researchers identified 14 vulnerabilities affecting BMW i Series, X Series, 3 Series, 5 Series & 7 Series vehicles. The flaws enabled both local & remote attacks on infotainment systems, Telematics Control Units, & CAN bus controls.<ref>{{cite web |title=BMW Fixes Security Flaws in Several Well-Known Car Models |website=Bleeping Computer |date=2018-05-23 |url=https://www.bleepingcomputer.com/news/security/bmw-fixes-security-flaws-in-several-well-known-car-models/ |access-date=2025-01-01}}</ref> Six vulnerabilities could be exploited remotely via Bluetooth & cellular networks without authentication.

===APT infiltration (2019)===
The Vietnamese state-sponsored hacking group OceanLotus (APT32) breached BMW's corporate networks & remained undetected from March 2019 until December 2019. The attackers deployed Cobalt Strike malware for espionage & remote control.<ref>{{cite web |title=BMW Infiltrated by Hackers Hunting for Automotive Trade Secrets |website=Bleeping Computer |date=2019-12-06 |url=https://www.bleepingcomputer.com/news/security/bmw-infiltrated-by-hackers-hunting-for-automotive-trade-secrets/ |access-date=2025-01-01}}</ref> BMW's security team discovered the breach but monitored the hackers for months before finally removing them from the network.<ref>{{cite web |title=BMW Hacked - OceanLotus Hackers Group Penetrate the BMW Networks |website=GBHackers |date=2019-12-07 |url=https://gbhackers.com/bmw-hacked/ |access-date=2025-01-01}}</ref>

===UK customer database breach (2020)===
The KelvinSecurity hacking group compromised personal information of 384,319 BMW customers in the UK & offered it for sale on darknet forums. The exposed data included names, email addresses, vehicle registration numbers, residential addresses, & dealership information from 2016-2018.<ref>{{cite web |title=Data Breach Affects 384,319 BMW Customers in the U.K. |website=CISO Magazine |date=2020-07-06 |url=https://cisomag.com/bmw-data-breach/ |access-date=2025-01-01}}</ref> The database was allegedly obtained through a call center handling customer information for multiple automotive brands.

===BMW France ransomware attack (2023)===
The Play ransomware group claimed to have breached BMW France's systems in March 2023.<ref>{{cite web |title=BMW Data Breach Puts Customers Information At Risk! |website=The Cyber Express |date=2023-03-29 |url=https://thecyberexpress.com/bmw-data-breach-customers-information-risk/ |access-date=2025-01-01}}</ref> In 2022, BMW France had previously suffered a cybersecurity incident when its Twitter & Instagram accounts were compromised.

===Azure misconfiguration (2024)===
In early 2024, researchers discovered a misconfigured Microsoft Azure storage bucket that exposed BMW's private keys, credentials & other sensitive internal data to the public internet.<ref>{{cite web |title=BMW Security Error Left Valuable Private Company Data Exposed Online |website=TechRadar |date=2024-03-14 |url=https://www.techradar.com/pro/security/bmw-security-error-left-valuable-private-company-data-exposed-online |access-date=2025-09-04}}</ref>

===Hong Kong dealer breach (2024)===
BMW Concessionaires in Hong Kong suffered a breach in July 2024 exposing personal data of approximately 14,000 customers, including names & mobile numbers.<ref>{{cite web |title=BMW Hong Kong Data Breach Exposes Customer Information |website=Daily Security Review |date=2024-07-05 |url=https://dailysecurityreview.com/security-spotlight/bmw-data-breach/ |access-date=2025-09-04}}</ref>

===BMW Financial Services breach (2025)===
In February 2025, BMW Financial Services North America reported a breach via its vendor AIS InfoSource LP affecting nearly 2,000 individuals, with exposed data including names, Social Security numbers, account numbers & more.<ref>{{cite web |title=BMW Financial Services Data Breach Affects Nearly 2,000 Customers |website=Claim Depot |date=2025-03-01 |url=https://www.claimdepot.com/investigations/bmw-financial-services-data-breach-2025 |access-date=2025-09-04}}</ref>

===Pattern of security failures===
These incidents demonstrate BMW's inability to implement basic security practices, including encryption, access controls, & breach detection. The company's claim that restricting legitimate customer access to their own vehicle data is necessary for ''"security"'' , which to users appears contradictory given their documented failures to secure data through proper technical measures rather than access restrictions.

==References==
{{reflist}}

[[Category:BMW]]
[[Category:Digital restrictions]]
[[Category:API restrictions]]
[[Category:Home automation]]
[[Category:2025 incidents]]