Jump to content

BMW API restrictions

From Consumer Rights Wiki
Revision as of 16:07, 5 September 2025 by AnotherConsumerRightsPerson (talk | contribs) (Normally I would remove the title from background and make that the lead section, but that doesn't work here, so I chose to make my own.)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

BMW has a subscription-based service called ConnectedDrive. BMW chose to restrict this service, making certain functions removed or not as powerful, causing issues for many users.

Background[edit | edit source]

BMW ConnectedDrive is a subscription-based service that provides remote access to BMW vehicles through mobile applications & APIs, with tiers ranging from $50 to $150 per year after a free 3-year period.[1] The service enables features such as remote climate control, vehicle location tracking, & electric car charging management through BMW's official mobile applications.[2]

Home Assistant is an open-source home automation platform that allows users to integrate various smart home devices & services, including vehicle data through manufacturer APIs, with over 5000+ users of the BMW integration as of September 4th, 2025[3]. This number only counts users who did not turn off analytics.

According to discussions on the BMW i4 Forum, many BMW electric car users use this integration to optimize charging based on solar panel production, time-of-use electricity rates, & home energy management systems.[4] The integration was highly valued by users who paid for BMW's ConnectedDrive subscriptions & expected to maintain API access for their automation needs.

Incident[edit | edit source]

According to user reports documented in GitHub issue #149750, BMW began notifying users through its Android application in July 2025 about upcoming changes to charge control APIs.[5] The notifications stated the following:

"to ensure the security of your personal data, and to better protect your vehicle, the option of allowing third-party providers to control your vehicle charging will be limited from September."[6]

On August 30, 2025, BMW implemented strict API rate limiting that affected third-party applications. According to GitHub issue #151500, error logs showed HTTP 403 Forbidden responses with messages indicating "Out of call volume quota. Quota will be replenished in 00:49:03."[7] Users reported that the quota appeared to be limited to approximately 100 API calls per 24-hour period, far below the polling requirements of home automation systems.[8]

Between September 1 and September 3, 2025, the Home Assistant community attempted various technical workarounds. According to discussions on the BMW i4 Forum, initial user-agent spoofing proved temporarily successful, with users reporting that mimicking official BMW app signatures allowed continued access.[9] By September 3, 2025, these workarounds ceased functioning, with community members confirming that BMW had implemented additional detection methods.[10]

According to industry analysis by Beebop AI, the restrictions affected over 1.5 million vehicles and disrupted utilities using reverse-engineered BMW APIs for demand response & grid stability programs.[11] The timing occurred days before the EU Data Act's implementation on September 12, 2025, which requires manufacturers to provide users with access to their vehicle data.[12]

BMW's response[edit | edit source]

According to the notifications sent through the BMW mobile application, the company cited "security" & "safety" as justifications for the API restrictions.[13] The notifications directed users to a FAQ page listing approved electricity providers that would maintain access to vehicle charging control.[14]

BMW has not issued an official press release or public statement regarding the API restrictions beyond the in-app notifications. According to user reports on GitHub, attempts to contact BMW customer service resulted in "boilerplate responses citing security as a reason for these very targeted actions."[15] The company has maintained partnerships with approved charging networks including Electrify America, Shell Recharge, & EVgo.[16]


Consumer response[edit | edit source]

The Home Assistant community posted & documented many integration failures through multiple GitHub issues, with issue #149750 receiving over 250 comments from users getting negatively affected by this.[17] Users report complete loss of automated EV charging management & broken solar panel integration logic.[18]

According to forum discussions, affected users attempted multiple technical solutions between August 30 and September 3, 2025, including polling rate reduction, QR code re-authentication, & regional API switching.[19] Community members suggested some technical solutions like quota-aware polling with exponential backoff & improved error differentiation between quota & authentication failures.[20]

It has been reported that some users began exploring alternative platforms, with discussions on the openHAB community forums about migrating from Home Assistant due to the BMW restrictions.[21] According to Beebop AI's analysis, utilities faced financial penalties for failing to meet flexibility commitments when losing EV load-shaping capabilities.[22]

HomeAssistant & security[edit | edit source]

BMW has a long track record of security vulnerabilities, none of which have ever been linked to Home Assistant.

Past data security incidents[edit | edit source]

BMW's justification for API restrictions cited "security" concerns, yet BMW has a documented history of severe security failures that exposed millions of customers to risks far greater than any posed by home automation integrations.

ConnectedDrive vulnerability (2015)[edit | edit source]

In 2015, security researcher Dieter Spaar discovered critical flaws in BMW's ConnectedDrive system that left 2.2 million vehicles vulnerable to remote attacks. The vulnerabilities included using identical symmetric encryption keys across all vehicles, failing to encrypt communications between cars & BMW's backend servers, & relying on the obsolete DES encryption standard.[23] These basic security oversights allowed attackers to remotely unlock vehicles by standing within a few hundred feet with cellular network emulation equipment.

Multiple vehicle vulnerabilities (2018)[edit | edit source]

Keen Security Lab researchers identified 14 vulnerabilities affecting BMW i Series, X Series, 3 Series, 5 Series & 7 Series vehicles. The flaws enabled both local & remote attacks on infotainment systems, Telematics Control Units, & CAN bus controls.[24] Six vulnerabilities could be exploited remotely via Bluetooth & cellular networks without authentication.

APT infiltration (2019)[edit | edit source]

The Vietnamese state-sponsored hacking group OceanLotus (APT32) breached BMW's corporate networks & remained undetected from March 2019 until December 2019. The attackers deployed Cobalt Strike malware for espionage & remote control.[25] BMW's security team discovered the breach but monitored the hackers for months before finally removing them from the network.[26]

UK customer database breach (2020)[edit | edit source]

The KelvinSecurity hacking group compromised personal information of 384,319 BMW customers in the UK & offered it for sale on darknet forums. The exposed data included names, email addresses, vehicle registration numbers, residential addresses, & dealership information from 2016-2018.[27] The database was allegedly obtained through a call center handling customer information for multiple automotive brands.

BMW France ransomware attack (2023)[edit | edit source]

The Play ransomware group claimed to have breached BMW France's systems in March 2023.[28] In 2022, BMW France had previously suffered a cybersecurity incident when its Twitter & Instagram accounts were compromised.

Azure misconfiguration (2024)[edit | edit source]

In early 2024, researchers discovered a misconfigured Microsoft Azure storage bucket that exposed BMW's private keys, credentials & other sensitive internal data to the public internet.[29]

Hong Kong dealer breach (2024)[edit | edit source]

BMW Concessionaires in Hong Kong suffered a breach in July 2024 exposing personal data of approximately 14,000 customers, including names & mobile numbers.[30]

BMW Financial Services breach (2025)[edit | edit source]

In February 2025, BMW Financial Services North America reported a breach via its vendor AIS InfoSource LP affecting nearly 2,000 individuals, with exposed data including names, Social Security numbers, account numbers & more.[31]

Pattern of security failures[edit | edit source]

These incidents demonstrate BMW's inability to implement basic security practices, including encryption, access controls, & breach detection. The company's claim that restricting legitimate customer access to their own vehicle data is necessary for "security" , which to users appears contradictory given their documented failures to secure data through proper technical measures rather than access restrictions.

References[edit | edit source]

  1. "What You're Really Paying For With BMW ConnectedDrive". Bimmer Mag. 2025-06-27. Retrieved 2025-01-01.
  2. "BMW ConnectedDrive App Subscription Products, Store and Services". BMW USA. 2025-01-01. Retrieved 2025-01-01.
  3. "Integrations | Home Assistant Analytics".
  4. "Smarter Charging with Home Assistant". BMW i4 Forum. 2024-05-20. Retrieved 2025-01-01.
  5. "Upcoming API changes notification from BMW · Issue #149750". GitHub. 2025-07-31. Retrieved 2025-01-01.
  6. "Upcoming API changes notification from BMW · Issue #149750". GitHub. 2025-07-31. Retrieved 2025-01-01.
  7. "BMW integration should handle call quota error · Issue #151500". GitHub. 2025-08-25. Retrieved 2025-01-01.
  8. "BMW Connected Drive Quota · Issue #151502". GitHub. 2025-08-25. Retrieved 2025-01-01.
  9. "anyone using Home Assistant for their i4 with BMW connected drive?". BMW i4 Forum. 2025-09-02. Retrieved 2025-01-01.
  10. "Upcoming API changes notification from BMW · Issue #149750". GitHub. 2025-09-03. Retrieved 2025-01-01.
  11. "BMW API Changes Could Disrupt Utilities Using Unapproved EV Connections". Beebop AI. 2025-09-01. Retrieved 2025-01-01.
  12. "Regulation (EU) 2023/2854". EUR-Lex. 2023-12-13. Retrieved 2025-01-01.
  13. "Upcoming API changes notification from BMW · Issue #149750". GitHub. 2025-07-31. Retrieved 2025-01-01.
  14. "BMW to disable remote charging control API". BMW i4 Forum. 2025-08-01. Retrieved 2025-01-01.
  15. "Upcoming API changes notification from BMW · Issue #149750". GitHub. 2025-08-31. Retrieved 2025-01-01.
  16. "BMW Electric Vehicle Charging". BMW USA. 2025-01-01. Retrieved 2025-01-01.
  17. "Upcoming API changes notification from BMW · Issue #149750". GitHub. 2025-09-04. Retrieved 2025-01-01.
  18. "BMW integration: No support from September for thirtparty providers like HA". Home Assistant Community. 2025-09-01. Retrieved 2025-01-01.
  19. "anyone using Home Assistant for their i4 with BMW connected drive?". BMW i4 Forum. 2025-09-02. Retrieved 2025-01-01.
  20. "BMW integration should handle call quota error · Issue #151500". GitHub. 2025-08-25. Retrieved 2025-01-01.
  21. "MyBMW - Bindings". openHAB. 2025-09-03. Retrieved 2025-01-01.
  22. "BMW API Changes Could Disrupt Utilities Using Unapproved EV Connections". Beebop AI. 2025-09-01. Retrieved 2025-01-01.
  23. "How To Hack a BMW: Details On the Security Flaw That Affected 2.2 Million Cars". Slashdot. 2015-02-07. Retrieved 2025-01-01.
  24. "BMW Fixes Security Flaws in Several Well-Known Car Models". Bleeping Computer. 2018-05-23. Retrieved 2025-01-01.
  25. "BMW Infiltrated by Hackers Hunting for Automotive Trade Secrets". Bleeping Computer. 2019-12-06. Retrieved 2025-01-01.
  26. "BMW Hacked - OceanLotus Hackers Group Penetrate the BMW Networks". GBHackers. 2019-12-07. Retrieved 2025-01-01.
  27. "Data Breach Affects 384,319 BMW Customers in the U.K." CISO Magazine. 2020-07-06. Retrieved 2025-01-01.
  28. "BMW Data Breach Puts Customers Information At Risk!". The Cyber Express. 2023-03-29. Retrieved 2025-01-01.
  29. "BMW Security Error Left Valuable Private Company Data Exposed Online". TechRadar. 2024-03-14. Retrieved 2025-09-04.
  30. "BMW Hong Kong Data Breach Exposes Customer Information". Daily Security Review. 2024-07-05. Retrieved 2025-09-04.
  31. "BMW Financial Services Data Breach Affects Nearly 2,000 Customers". Claim Depot. 2025-03-01. Retrieved 2025-09-04.
Retrieved from "https://consumerrights.wiki/index.php?title=BMW_API_restrictions&oldid=23805"