The flaw affected models fitted with BMW’s ConnectedDrive software, which uses an on-board Sim card.
The software operated door locks, air conditioning and traffic updates but no driving firmware such as brakes or steering, BMW said.
No cars have actually been hacked, but the flaw was identified by German motorist association ADAC.
ADAC’s researchers found the cars would try to communicate via a spoofed phone network, leaving potential hackers able to control anything activated by the Sim.
The patch, which would be applied automatically, included making data from the car encrypted via HTTPS (HyperText Transfer Protocol Secure) – the same security commonly used for online banking, BMW said.
“On the one hand, data are encrypted with the HTTPS protocol, and on the other hand, the identity of the BMW Group server is checked by the vehicle before data are transmitted over the mobile phone network,” it said.
This should have already been in place, said security expert Graham Cluley.
“You would probably have hoped that BMW’s engineers would have thought about [using HTTPS] in the first place,” he wrote on his blog.