BMW API restrictions: Difference between revisions

BMW ConnectedDrive is a subscription-based service that provides remote access to [[BMW]] vehicles through mobile applications & APIs, with tiers ranging from $50 to $150 per year after a free 3-year period.<ref>{{cite web |last=Wilkinson |first=Rick |date=2025-06-27 |title=What You're Really Paying For With BMW ConnectedDrive |url=https://www.bimmer-mag.com/bmw-connected-drive-price/ |url-status=live |archive-url=https://web.archive.org/web/20251010090329/https://www.bimmer-mag.com/bmw-connected-drive-price/ |archive-date=10 Oct 2025 |access-date=2025-01-01 |website=Bimmer Mag}}</ref> The service enables features such as remote climate control, vehicle location tracking, & electric car charging management through BMW's official mobile applications.<ref>{{cite web |date=2025-01-01 |title=BMW ConnectedDrive App Subscription Products, Store and Services |url=https://www.bmwusa.com/explore/connecteddrive.html |url-status=live |archive-url=https://web.archive.org/web/20250914161417/https://www.bmwusa.com/explore/connecteddrive.html |archive-date=14 Sep 2025 |access-date=2025-01-01 |website=BMW USA}}</ref>

Home Assistant is an open-source home automation platform that allows users to integrate various smart home devices & services, including vehicle data through manufacturer APIs, with over 5000+ users of the BMW integration as of September 4th, 2025<ref>{{Cite web |title=Integrations {{!}} Home Assistant Analytics |url=https://analytics.home-assistant.io/integrations/}} ([http://web.archive.org/web/20260114173133/https://analytics.home-assistant.io/integrations/ Archived])</ref>. This number only counts users who did not turn off analytics.

According to discussions on the BMW i4 Forum, many BMW electric car users use this integration to optimize charging based on solar panel production, time-of-use electricity rates, & home energy management systems.<ref>{{cite web |date=2024-05-20 |title=Smarter Charging with Home Assistant |url=https://www.i4talk.com/threads/smarter-charging-with-home-assistant.5441/ |url-status=live |archive-url=https://web.archive.org/web/20240430184320/https://www.i4talk.com/threads/smarter-charging-with-home-assistant.5441/ |archive-date=30 Apr 2024 |access-date=2025-01-01 |website=BMW i4 Forum}}</ref> The integration was highly valued by users who paid for  BMW's ConnectedDrive subscriptions & expected to maintain API access for their automation needs.

According to user reports documented in GitHub issue #149750, BMW began notifying users through its Android application in July 2025 about upcoming changes to charge control APIs.<ref name=":0">{{cite web |date=2025-07-31 |title=Upcoming API changes notification from BMW · Issue #149750 |url=https://github.com/home-assistant/core/issues/149750 |url-status=live |archive-url=https://web.archive.org/web/20251011183206/https://github.com/home-assistant/core/issues/149750 |archive-date=11 Oct 2025 |access-date=2025-01-01 |website=GitHub}}</ref> The notifications stated th''e'' following: <blockquote>''"to ensure the security of your personal data, and to better protect your vehicle, the option of allowing third-party providers to control your vehicle charging will be limited from September."''<ref name=":0" /></blockquote>On August 30, 2025, BMW implemented strict API rate limiting that affected third-party applications. According to GitHub issue #151500, error logs showed HTTP 403 Forbidden responses with messages indicating '''"Out of call volume quota. Quota will be replenished in 00:49:03."'''<ref>{{cite web |date=2025-08-25 |title=BMW integration should handle call quota error · Issue #151500 |url=https://github.com/home-assistant/core/issues/151500 |url-status=live |archive-url=https://web.archive.org/web/20251026234305/https://github.com/home-assistant/core/issues/151500 |archive-date=26 Oct 2025 |access-date=2025-01-01 |website=GitHub}}</ref> Users reported that the quota appeared to be limited to approximately 100 API calls per 24-hour period, far below the polling requirements of home automation systems.<ref>{{cite web |date=2025-08-25 |title=BMW Connected Drive Quota · Issue #151502 |url=https://github.com/home-assistant/core/issues/151502 |url-status=live |archive-url=https://web.archive.org/web/20251026234706/https://github.com/home-assistant/core/issues/151502 |archive-date=26 Oct 2025 |access-date=2025-01-01 |website=GitHub}}</ref>

Between September 1 and September 3, 2025, the Home Assistant community attempted various technical workarounds. According to discussions on the BMW i4 Forum, initial user-agent spoofing proved temporarily successful, with users reporting that mimicking official BMW app signatures allowed continued access.<ref>{{cite web |date=2025-09-02 |title=anyone using Home Assistant for their i4 with BMW connected drive? |url=https://www.i4talk.com/threads/anyone-using-home-assistant-for-their-i4-with-bmw-connected-drive.9126/ |url-status=live |archive-url=https://web.archive.org/web/20251026235026/https://www.i4talk.com/threads/anyone-using-home-assistant-for-their-i4-with-bmw-connected-drive.9126/ |archive-date=26 Oct 2025 |access-date=2025-01-01 |website=BMW i4 Forum}}</ref> By September 3, 2025, these workarounds ceased functioning, with community members confirming that BMW had implemented additional detection methods.<ref>{{cite web |date=2025-09-03 |title=Upcoming API changes notification from BMW · Issue #149750 |url=https://github.com/home-assistant/core/issues/149750 |url-status=live |archive-url=https://web.archive.org/web/20251011183206/https://github.com/home-assistant/core/issues/149750 |archive-date=11 Oct 2025 |access-date=2025-01-01 |website=GitHub}}</ref>

According to industry analysis by Beebop AI, the restrictions affected over 1.5 million vehicles and disrupted utilities using reverse-engineered BMW APIs for demand response & grid stability programs.<ref>{{cite web |last=White |first=Neil |date=2025-08-26 |title=BMW API Changes Could Disrupt Utilities Using Unapproved EV Connections |url=https://www.beebop.ai/blog/bmw-api-changes-could-disrupt-utilities-using-unapproved-ev-connections |url-status=live |archive-url=https://web.archive.org/web/20250907230105/https://www.beebop.ai/blog/bmw-api-changes-could-disrupt-utilities-using-unapproved-ev-connections |archive-date=7 Sep 2025 |access-date=2025-01-01 |website=Beebop AI}}</ref> The timing occurred days before the EU Data Act's implementation on September 12, 2025, which requires manufacturers to provide users with access to their vehicle data.<ref>{{cite web |url=https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng |title=Regulation (EU) 2023/2854 |website=EUR-Lex |date=2023-12-13 |access-date=2025-01-01 |url-status=live |archive-url=http://web.archive.org/web/20260209095159/https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng |archive-date=9 Feb 2026}}</ref>

On September 26, after 3 weeks of calm, BMW have made further restrictions blocking access to the API entirely.<ref>{{Cite web |date=2025-09-26 |title=BMW Connected Drive - Requires continuous re-authentications and still, errors for Login requires captcha validation #152646 |url=https://github.com/home-assistant/core/issues/152646 |website=Github |url-status=live |archive-url=http://web.archive.org/web/20260210180434/https://github.com/home-assistant/core/issues/152646 |archive-date=10 Feb 2026}}</ref>

According to the notifications sent through the BMW mobile application, the company cited ''"security"'' & ''"safety"'' as justifications for the API restrictions.<ref>{{cite web |url=https://github.com/home-assistant/core/issues/149750 |title=Upcoming API changes notification from BMW · Issue #149750 |website=GitHub |date=2025-07-31 |access-date=2025-01-01 |url-status=live |archive-url=http://web.archive.org/web/20260212015454/https://github.com/home-assistant/core/issues/149750 |archive-date=12 Feb 2026}}</ref> The notifications directed users to a FAQ page listing approved electricity providers that would maintain access to vehicle charging control.<ref>{{cite web |url=https://www.i4talk.com/threads/bmw-to-disable-remote-charging-control-api.14532/ |title=BMW to disable remote charging control API |website=BMW i4 Forum |date=2025-08-01 |access-date=2025-01-01 |url-status=live |archive-url=http://web.archive.org/web/20250910160716/https://www.i4talk.com/threads/bmw-to-disable-remote-charging-control-api.14532/ |archive-date=10 Sep 2025}}</ref>

BMW has not issued an official press release or public statement regarding the API restrictions beyond the in-app notifications. According to user reports on GitHub, attempts to contact BMW customer service resulted in '''''"boilerplate responses citing security as a reason for these very targeted actions."'''''<ref>{{cite web |url=https://github.com/home-assistant/core/issues/149750 |title=Upcoming API changes notification from BMW · Issue #149750 |website=GitHub |date=2025-08-31 |access-date=2025-01-01 |url-status=live |archive-url=http://web.archive.org/web/20260212015454/https://github.com/home-assistant/core/issues/149750 |archive-date=12 Feb 2026}}</ref> The company has maintained partnerships with approved charging networks including Electrify America, Shell Recharge, & EVgo.<ref>{{cite web |url=https://www.bmwusa.com/charging.html |title=BMW Electric Vehicle Charging |website=BMW USA |date=2025-01-01 |access-date=2025-01-01 |url-status=live |archive-url=http://web.archive.org/web/20250920174224/https://www.bmwusa.com/charging.html |archive-date=20 Sep 2025}}</ref>

The Home Assistant community posted & documented many integration failures through multiple GitHub issues, with issue #149750 receiving over 250 comments from users getting negatively affected by this.<ref>{{cite web |url=https://github.com/home-assistant/core/issues/149750 |title=Upcoming API changes notification from BMW · Issue #149750 |website=GitHub |date=2025-09-04 |access-date=2025-01-01 |url-status=live |archive-url=http://web.archive.org/web/20260212015454/https://github.com/home-assistant/core/issues/149750 |archive-date=12 Feb 2026}}</ref> Users report complete loss of automated EV charging management & broken solar panel integration logic.<ref>{{cite web |url=https://community.home-assistant.io/t/bmw-integration-no-support-from-september-for-thirtparty-providers-like-ha/916187 |title=BMW integration: No support from September for thirtparty providers like HA |website=Home Assistant Community |date=2025-09-01 |access-date=2025-01-01 |url-status=live |archive-url=http://web.archive.org/web/20251213200720/https://community.home-assistant.io/t/bmw-integration-no-support-from-september-for-thirtparty-providers-like-ha/916187 |archive-date=13 Dec 2025}}</ref>

According to forum discussions, affected users attempted multiple technical solutions between August 30 and September 3, 2025, including polling rate reduction, QR code re-authentication, & regional API switching.<ref>{{cite web |url=https://www.i4talk.com/threads/anyone-using-home-assistant-for-their-i4-with-bmw-connected-drive.9126/ |title=anyone using Home Assistant for their i4 with BMW connected drive? |website=BMW i4 Forum |date=2025-09-02 |access-date=2025-01-01 |url-status=live |archive-url=http://web.archive.org/web/20251026235026/https://www.i4talk.com/threads/anyone-using-home-assistant-for-their-i4-with-bmw-connected-drive.9126/ |archive-date=26 Oct 2025}}</ref> Community members suggested some technical solutions like quota-aware polling with exponential backoff & improved error differentiation between quota & authentication failures.<ref>{{cite web |url=https://github.com/home-assistant/core/issues/151500 |title=BMW integration should handle call quota error · Issue #151500 |website=GitHub |date=2025-08-25 |access-date=2025-01-01 |url-status=live |archive-url=http://web.archive.org/web/20251026234305/https://github.com/home-assistant/core/issues/151500 |archive-date=26 Oct 2025}}</ref>

It has been reported that some users began exploring alternative platforms, with discussions on the openHAB community forums about migrating from Home Assistant due to the BMW restrictions.<ref>{{cite web |url=https://www.openhab.org/addons/bindings/mybmw/ |title=MyBMW - Bindings |website=openHAB |date=2025-09-03 |access-date=2025-01-01 |url-status=live |archive-url=http://web.archive.org/web/20251202015953/https://www.openhab.org/addons/bindings/mybmw/ |archive-date=2 Dec 2025}}</ref> According to Beebop AI's analysis, utilities faced financial penalties for failing to meet flexibility commitments when losing EV load-shaping capabilities.<ref>{{cite web |url=https://www.beebop.ai/blog/bmw-api-changes-could-disrupt-utilities-using-unapproved-ev-connections |title=BMW API Changes Could Disrupt Utilities Using Unapproved EV Connections |website=Beebop AI |date=2025-09-01 |access-date=2025-01-01 |url-status=live |archive-url=http://web.archive.org/web/20251108085033/https://www.beebop.ai/blog/bmw-api-changes-could-disrupt-utilities-using-unapproved-ev-connections |archive-date=8 Nov 2025}}</ref>

*Understand the real/technical background for killing access for HA and others.

*Work out a permanent solution to make the HA integration (+ other smart home solutions) work again. This may be BMWs official HA integration with modifications.

**Solution should be able to provide pull data and send commands from and to the cars we own.

**Send command and pull data at a defined frequency whithout additional costs as long as connected drive is already paid/active (e.g. every 5 minutes). This may require a switch to push-based integration which, with BMWs support should not be a problem.

**Optional live streaming of telemetry data (costs unclear / tbd)

In 2015, security researcher Dieter Spaar discovered critical flaws in BMW's ConnectedDrive system that left 2.2 million vehicles vulnerable to remote attacks. The vulnerabilities included using identical symmetric encryption keys across all vehicles, failing to encrypt communications between cars & BMW's backend servers, & relying on the obsolete DES encryption standard.<ref>{{cite web |title=How To Hack a BMW: Details On the Security Flaw That Affected 2.2 Million Cars |website=Slashdot |date=2015-02-07 |url=https://it.slashdot.org/story/15/02/07/0432254/how-to-hack-a-bmw-details-on-the-security-flaw-that-affected-22-million-cars |access-date=2025-01-01 |url-status=live |archive-url=http://web.archive.org/web/20230805180610/https://it.slashdot.org/story/15/02/07/0432254/how-to-hack-a-bmw-details-on-the-security-flaw-that-affected-22-million-cars |archive-date=5 Aug 2023}}</ref> These basic security oversights allowed attackers to remotely unlock vehicles by standing within a few hundred feet with cellular network emulation equipment.

Keen Security Lab researchers identified 14 vulnerabilities affecting BMW i Series, X Series, 3 Series, 5 Series & 7 Series vehicles. The flaws enabled both local & remote attacks on infotainment systems, Telematics Control Units, & CAN bus controls.<ref>{{cite web |title=BMW Fixes Security Flaws in Several Well-Known Car Models |website=Bleeping Computer |date=2018-05-23 |url=https://www.bleepingcomputer.com/news/security/bmw-fixes-security-flaws-in-several-well-known-car-models/ |access-date=2025-01-01 |archive-url=http://web.archive.org/web/20250911132913/https://www.bleepingcomputer.com/news/security/bmw-fixes-security-flaws-in-several-well-known-car-models/ |archive-date=11 Sep 2025}}</ref> Six vulnerabilities could be exploited remotely via Bluetooth & cellular networks without authentication.

The Vietnamese state-sponsored hacking group OceanLotus (APT32) breached BMW's corporate networks & remained undetected from March 2019 until December 2019. The attackers deployed Cobalt Strike malware for espionage & remote control.<ref>{{cite web |title=BMW Infiltrated by Hackers Hunting for Automotive Trade Secrets |website=Bleeping Computer |date=2019-12-06 |url=https://www.bleepingcomputer.com/news/security/bmw-infiltrated-by-hackers-hunting-for-automotive-trade-secrets/ |access-date=2025-01-01 |archive-url=http://web.archive.org/web/20251212110922/https://www.bleepingcomputer.com/news/security/bmw-infiltrated-by-hackers-hunting-for-automotive-trade-secrets/ |archive-date=12 Dec 2025}}</ref> BMW's security team discovered the breach but monitored the hackers for months before finally removing them from the network.<ref>{{cite web |title=BMW Hacked - OceanLotus Hackers Group Penetrate the BMW Networks |website=GBHackers |date=2019-12-07 |url=https://gbhackers.com/bmw-hacked/ |access-date=2025-01-01 |url-status=live |archive-url=http://web.archive.org/web/20250615211728/https://gbhackers.com/bmw-hacked/ |archive-date=15 Jun 2025}}</ref>

The KelvinSecurity hacking group compromised personal information of 384,319 BMW customers in the UK & offered it for sale on darknet forums. The exposed data included names, email addresses, vehicle registration numbers, residential addresses, & dealership information from 2016-2018.<ref>{{cite web |title=Data Breach Affects 384,319 BMW Customers in the U.K. |website=CISO Magazine |date=2020-07-06 |url=https://cisomag.com/bmw-data-breach/ |access-date=2025-01-01 |url-status=live |archive-url=http://web.archive.org/web/20260113215026/https://cisomag.com/bmw-data-breach/ |archive-date=13 Jan 2026}}</ref> The database was allegedly obtained through a call center handling customer information for multiple automotive brands.

The Play ransomware group claimed to have breached BMW France's systems in March 2023.<ref>{{cite web |title=BMW Data Breach Puts Customers Information At Risk! |website=The Cyber Express |date=2023-03-29 |url=https://thecyberexpress.com/bmw-data-breach-customers-information-risk/ |access-date=2025-01-01 |url-status=live |archive-url=http://web.archive.org/web/20251130203640/https://thecyberexpress.com/bmw-data-breach-customers-information-risk/ |archive-date=30 Nov 2025}}</ref> In 2022, BMW France had previously suffered a cybersecurity incident when its Twitter & Instagram accounts were compromised.

In early 2024, researchers discovered a misconfigured Microsoft Azure storage bucket that exposed BMW's private keys, credentials & other sensitive internal data to the public internet.<ref>{{cite web |title=BMW Security Error Left Valuable Private Company Data Exposed Online |website=TechRadar |date=2024-03-14 |url=https://www.techradar.com/pro/security/bmw-security-error-left-valuable-private-company-data-exposed-online |access-date=2025-09-04 |url-status=live |archive-url=http://web.archive.org/web/20251118161224/https://www.techradar.com/pro/security/bmw-security-error-left-valuable-private-company-data-exposed-online |archive-date=18 Nov 2025}}</ref>

BMW Concessionaires in Hong Kong suffered a breach in July 2024 exposing personal data of approximately 14,000 customers, including names & mobile numbers.<ref>{{cite web |title=BMW Hong Kong Data Breach Exposes Customer Information |website=Daily Security Review |date=2024-07-05 |url=https://dailysecurityreview.com/security-spotlight/bmw-data-breach/ |access-date=2025-09-04 |url-status=live |archive-url=http://web.archive.org/web/20260114050632/https://dailysecurityreview.com/security-spotlight/bmw-data-breach/ |archive-date=14 Jan 2026}}</ref>

In February 2025, BMW Financial Services North America reported a breach via its vendor AIS InfoSource LP affecting nearly 2,000 individuals, with exposed data including names, Social Security numbers, account numbers & more.<ref>{{cite web |title=BMW Financial Services Data Breach Affects Nearly 2,000 Customers |website=Claim Depot |date=2025-03-01 |url=https://www.claimdepot.com/investigations/bmw-financial-services-data-breach-2025 |access-date=2025-09-04 |archive-url=https://web.archive.org/web/20260223033903/https://www.claimdepot.com/data-breach/bmw-financial-services |archive-date=23 Feb 2026}}</ref>