Cars equipped with the automaker's Connected Drive remote-services system are affected, according to the German Automobile Association (ADAC), which first discovered the problem.
Researchers found they could lock and unlock car doors by mimicking mobile communications and sending phony signals to a SIM card installed in affected vehicles. An attack could be launched "within minutes" of accessing the system without the perpetrators leaving a trace, according to their report, in part because once they had gained access to the network, the communications were not secure.
In response to the security gap, BMW says it has been upgrading software via over-the-air updates over the past week, so no visits to dealerships are needed to remedy the security hole. In fact, owners of affected cars may not have even noticed the updates taking place.
The problem affects BMW, Rolls-Royce and MINI vehicles equipped with Connected Drive since 2010.
Flaws were first reported to BMW last year by ADAC, which is the country's equivalent of AAA. ADAC says it withheld a public announcement until the car company could address the problem.
While BMW has pushed the software patch to most affected vehicles, the organization said it's possible some cars in the United States had not yet been updated. BMW did not respond to a request for comment Monday. In a written statement, the automaker said it knows of no real-world breaches.