Last week I rented a BMW from Sixt (Italy).
The default rental driver profile had Bluetooth disabled, so I created my own BMW ID, paired it with the car, removed the existing profile, and even triggered software updates.
When returning the car, I told the Sixt representative that I had linked my BMW ID — they assured me that the vehicle would be reset.
Today — just before deleting the “My BMW” app — I checked out of curiosity.
Surprise: I still had full remote access:
- live location tracking
- remote lock/unlock
- honking (hehe)
- turn lights on/off
At this point, the car was presumably already rented to someone else. I could track the new renter’s location and remotely interact with the car.
IMO, this exposes a serious security/privacy issue:
- BMW ConnectedDrive still had my account associated with the vehicle VIN
- Sixt’s reset procedure didn’t revoke my BMW ID access
I suspect this may not be limited to Sixt, but could affect other rental fleets using ConnectedDrive if proper backend disassociation isn’t done.
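To make the distinction between the two failure points concrete, here is an added illustration (my own example, not BMW's or Sixt's code, and not any real ConnectedDrive API): a toy model of a rental fleet's vehicle-return procedure. The head unit holds the local driver profiles; the backend holds the VIN-to-account links that actually grant remote access. A "reset" that only wipes the head unit leaves the backend link in place, which is exactly the situation described above. The class names, the `ReturnProcedure` steps and the VIN/account values are all constructed for the example.

```python
"""Toy model: why a head-unit reset alone does not revoke remote access.

Everything here is hypothetical and constructed for illustration;
it does not model any real BMW/ConnectedDrive API.
"""
from dataclasses import dataclass, field


@dataclass
class HeadUnit:
    """The in-car infotainment unit: holds local driver profiles only."""
    vin: str
    profiles: set = field(default_factory=set)

    def pair(self, account_id: str) -> None:
        self.profiles.add(account_id)

    def factory_reset(self) -> None:
        # Wipes local profiles; says nothing to the backend.
        self.profiles.clear()


@dataclass
class Backend:
    """The cloud side: VIN -> linked accounts. This is what grants
    remote lock/unlock, location, etc. from the phone app."""
    links: dict = field(default_factory=dict)

    def link(self, vin: str, account_id: str) -> None:
        self.links.setdefault(vin, set()).add(account_id)

    def linked_accounts(self, vin: str) -> set:
        return set(self.links.get(vin, set()))

    def revoke_all(self, vin: str) -> set:
        """Remove every account linked to the VIN; return what was removed."""
        return self.links.pop(vin, set())


def remote_access_holders(backend: Backend, vin: str) -> set:
    """Who can still reach this car remotely? Only the backend matters;
    local profiles on the head unit are irrelevant to remote access."""
    return backend.linked_accounts(vin)


class ReturnProcedure:
    """Two candidate check-in procedures for a returned rental car."""

    @staticmethod
    def local_only(head_unit: HeadUnit, backend: Backend) -> set:
        # The flawed procedure: reset the car, assume the backend follows.
        head_unit.factory_reset()
        return remote_access_holders(backend, head_unit.vin)

    @staticmethod
    def full_deprovision(head_unit: HeadUnit, backend: Backend) -> set:
        # The corrected procedure: reset the car AND revoke backend links,
        # then verify the verification step returns nothing.
        head_unit.factory_reset()
        backend.revoke_all(head_unit.vin)
        remaining = remote_access_holders(backend, head_unit.vin)
        if remaining:
            raise RuntimeError(f"deprovision incomplete: {sorted(remaining)}")
        return remaining


def simulate(procedure) -> set:
    """Rent a car, pair a renter's account, return it; report who still
    has remote access afterwards. VIN and account id are constructed."""
    vin = "WBA-EXAMPLE-VIN-0001"
    head_unit = HeadUnit(vin)
    backend = Backend()
    # Renter creates an ID, pairs it in the car; the car links it in the cloud.
    head_unit.pair("renter@example.invalid")
    backend.link(vin, "renter@example.invalid")
    return procedure(head_unit, backend)


if __name__ == "__main__":
    print("after local-only reset :", simulate(ReturnProcedure.local_only))
    print("after full deprovision :", simulate(ReturnProcedure.full_deprovision))
```

The useful part for a fleet operator is the final verification in `full_deprovision`: after revoking, query the backend again for the VIN and refuse to mark the car as ready for the next renter while any account is still linked.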
BMW allows fleet integrations via ConnectedDrive Fleet Services, but I wonder how many rental cars globally still have previous renters’ IDs attached.