Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
BMW ConnectedDrive lets me control my returned rental car (Sixt)
88 points by derturm666 4 months ago | hide | past | favorite | 57 comments
Last week I rented a BMW from Sixt (Italy).

The default rental driver profile had Bluetooth disabled, so I created my own BMW ID, paired it with the car, removed the existing profile, and even triggered software updates.

When returning the car, I told the Sixt representative that I had linked my BMW ID — they assured me that the vehicle would be reset.

Today — just before deleting the “My BMW” app — I checked out of curiosity.

Surprise: I still had full remote access:

- live location tracking

- remote lock/unlock

- honking (hehe)

- turn lights on/off

At this point, the car was presumably already rented to someone else. I could track the new renter’s location and remotely interact with the car.

IMO, this exposes a serious security/privacy issue:

- BMW ConnectedDrive still had my account associated to the vehicle VIN

- Sixt’s reset procedure didn’t revoke my BMW ID access

I suspect this may not be limited to Sixt, but could affect other rental fleets using ConnectedDrive if proper backend disassociation isn’t done.

BMW allows fleet integrations via ConnectedDrive Fleet Services, but I wonder how many rental cars globally still have previous renters’ IDs attached.



I rented a BMW from Sixt in the USA earlier this year. I wanted to use the ConnectedDrive features, but it was blocked by BMW because the vehicle VIN was (correctly) registered as a Fleet Vehicle (i.e. a rental car) and thus none of those features were allowed with that car.

I have rented BMWs in the Netherlands and don't recall being able to use these features either.

Thus you seem to have encountered a situation which BMW and Sixt know about and have procedures in place to prevent, but their Italian subsidiary seems to have missed it with a certain batch of fleet vehicles, or just this specific one. I'd report it Sixt and move on.


I've rented beamers with Sixt at LAX and O'Hare, the latter just a couple of weeks ago. I didn't have any issues connecting to bluetooth so that I could use CarPlay. Could it be inconsistencies in how their BMW fleet is set up?

I ususally set up the bluetooth connection before driving off the lot, just so I can get staff assistance if it doesn't work - not being able to connect to the car is enough for me to insist on a new vehicle if they're unable to fix it.


Bluetooth and carplay do indeed work as you need to be connected to the vehicle. I used those features too. The ConnectedDrive feature discussed here is when you install the BMW app on your phone and register the VIN number of the car to your personal BMW account, verified by tapping some buttons in the vehicle while linking, and "owning" the car in your BMW app. This gives access to things like remote location tracking, starting the car from anywhere to get the airco etc working.

n.b. Doing this in a rental car probably violates some of the terms and conditions one would have to agree to when linking the car, like "I promise this is _my_ car and/or I have permission from the owner to link it to my personal BMW account"...


I've read in multiple places that this "resetting" is something that is on a list of things to do, but is rarely done. I seriously doubt any person working at the rental place prepping the car for the next use does anything but the most basic/obvious of refreshing. I'm guessing after checking the fuel status and the mileage, they just don't care. I doubt that cars get vacuumed after each rental and only if it's obviously needed.

As the person that is entering their own personal information into a car that you do not own, you absolutely should be the one to remove that data. Do not depend on someone else doing their job. You took the time to add it, so take the time to remove it. It is the only way to be sure.


Most rental cars I get have numerous bluetooth profiles for previous drivers, confirming that the "reset" is rarely done.


I once rented a Peugeot 3008, and wanted to pair with Apple CarPlay. The car warned me that it's in "rental" mode and pairing will disable that and will share tons of data (which was listed as bullet points) about me and the car between my (apple) profile and the car.

I rejected and didn't go further. I appreciate the honesty, though.


That's interesting, as CarPlay is mostly just a fancy screen share.

You don't need a profile on the car, at least not a manually entered profile. I always assumed the "pairing" was more of a basic handshake than some big data load/share/whatever.


I assumed the same so, but as far as I remember, the data contained serial numbers (car VIN + phone serial), speed, location and some more data.

It's probably for automated emergency notifications, better route tracking when GPS is unavailable, etc.

Apple does a lot of magick with their own software, and also there are some telemetry related things, I guess.

Maybe car related data is used for car integration, IDK. Need to watch [0].

[0]: https://developer.apple.com/videos/play/wwdc2016/723/


Yes, this has been known for many years.

Most rental car companies don't bother setting up fleet services for their connected vehicle services. They require infrastructure that car rental companies don't seem to consider important.

I've used this mostly to remote start my rental car in cold climates. I delete my account after my rental is done, though I've learned recently that some providers, like Hyundai, make this SURPRISINGLY difficult.

The only exceptions I've seen to this are FordPass with Avis (this was locked down a few years ago) and Tesla with Hertz (before they unloaded them all).


What timing. I rented a BMW from Sixt in Italy last week. Worst thing I have ever experienced as a driver. I wrote about it here: https://x.com/thejoephase/status/1933156741031633159

Constant interruptions and problems from the computer. I've dealt with a few "modern cars" but this was over the top. I'll never rent or buy a BMW going forward.


I rented a similar BMW from Sixt in Spain just last week. The CarPlay issue was solved via a 45 minute OTA software update from the dash, which thankfully didn't require creating a BMW ConnectedDrive account. Pairing was seamless after I did this. Talk about frustrating—it nearly ruined my trip. Why these don't have wired CarPlay boggles the mind.


The modern iDrive 8 from BMW is an absolute hell.

No knobs for temperature & heated seats, but multiple pressed required.

Constant flashing of blue/red in the temperature adjust buttons when cooling/heating.

I'm looking for a used one, and I want one with the newest motor that I can get which still has iDrive 7(.5)...


This is amazing! I am vacationing in Spain and rented, I think, the same model as you. A BMW X2 M something or other.

Absolutely rock bottom by far the worst driving experience ever. Ultimate driving experience indeed. Insane and subtle annoyance, major wtfbbq moments, endless alarm dinging when you exceed whatever speed limit it incorrectly read from a sign, and on and on. The slamming on of the parking brake as you approach a large blade of grass in reverse is nerve wracking and startling even when you know it’s going to happen.

On narrow streets and in parking lots it feels less maneuverable than my full size American SUV. It may have the same turning radius despite being half the size.

Your tweet is making me laugh because honestly you cannot exaggerate how bad this car is. Every time we get in and start going my wife and I share a moment of incredulity. How can they have made this car this bad?


It's a fair question, how does it happen? The faults resemble a lot of problems across the industry, and is even analogous to the new Apple updates, which is a total lack of empathy or care of the person who has to use it. Like the screen behind the steering wheel has this UI like from an early 00s X-box game, and I'm sure when they're in the office, and they know what everything is, they go, "wow, that sure looks futuristic, like an X-box, ship it". And nobody thinks about the fact that your eyeballs use contrast edge detection to discard information, or the fact that in some places you have a bright sun on the screen, or that I might need some information more than some other information. Careless, shameless and ignorant.

Before this, the strangest I had seen was in a new Renault Clio where they had removed the tachometer and instead had a large icon of a green leaf that fades in and out of existence.

I felt like that was peak modern UI "design" but now I know you can do so much worse.


> endless alarm dinging when you exceed whatever speed limit it incorrectly read from a sign

That's mandated by the EU, and also that it gets reenabled every time you start the car again. BMW made it pretty simple to turn it off. You can just press the car with the green circle about it and disable the assist systems or you press the microphone button and say "Hey BMW, disable speed warnings"


Same experience here, with a brand new Audi I got "upgraded" to. I'd take an old Yaris over that zoo any day.


>How can they have made this car this bad?

Typical German beancounter MBA run company treating SW like a cost center.

"We need to add interactive computers on cars because that's the latest hip trend, but we need to outsource it to the cheapest bidder because SW development is not a "real" engineering discipline and we don't like paying for good SW developers."

Then a manager from another division hears there's computers in cars and decides to improve his KPIs by forcing ConnectedDrive signup in every car and gets a massive promotion.


When I saw Mercedes' "HyperScreen (TM)", and read that EQS doesn't recommend you pop the trunk and hide the latch behind a screwed cover, I decided that I'd never approach them for a very long time.

BMW lost its (not only visual but whole company) soul when they decided that catering to Chinese aesthetics will be their global image forward, and the details of how the car behaves is... nuts.

VAG lost my trust with DieselGate already.

Zee Germans.


Well, I switched from BMW to Mercedes because I was done with BMW's "performance over reliability" philosophy. I'm staying away from their EVs though, thanks for the tip.


None of these things happen in my X5. It will even detect my bike rack and not automatically stop like my wife’s X7 does with iDrive 7. You can turn off all the speed warnings but no one is going to do it in a rental.

Not surprised the X2 sucks it’s the cheapest model and usually the Germans do not do well in this category. The cheap small Mercedes are similar.

The biggest annoyance is the horn beeps when I leave the car running and grab something from the trunk.


I believe some of it should be configurable, but I'm mystified that the default configuration should be so aggressively unempathatic to the driver. I did manage to turn off the thing where it covers the map with my forward camera view. But if Car Play worked, I wouldn't have bothered, and would have kept using Google Maps.


Reminds me of:

https://www.theverge.com/2023/9/7/23863258/bmw-cancel-heated...


I have a BMW X3 and never have had any of the problems you describe. I use Android, not Apple, so that might be a factor.


I would admit it could be possible that the iPhone is what slams the brakes while I'm slowly and cautiously reversing, or turned on the parking brake while I'm trying to move, but since the pairing wouldn't restore on start up, and I gave up on having Spotify or a good map app, in fact the phone was often not connected at all.


I have no pairing problems in general. What I did notice if that if certain apps are running, e.g. Youtube Premium, then it seems to pair for audio rather than full Android Auto.


The phone had absolutely nothing to do with it.


1) The "pointless text" was a reminder that the system detected you were tired, and asked you to take a break. Which is usually a good idea because it kicks in, when you're really tired and your reactions are shit.

2) It looks like you pressed the Microphone button for the voice control by accident

3) It's the AR-Navigation which shows you where you need to drive in the real-life situation. That's usually a paid extra and you need to enable it


The pointless text is a complex, visual distraction and false positive. Hypothetically, if I'm really tired and have bad reactions, pedestrians better hope I'm not reading that text at the wrong time. You seem to think it's a safety feature to ask the driver to read while driving. I just think that's interesting.

As for the AR-Navigation, I already see what's ahead of me by looking forward at the actual road.

Embedding everything into a grainy image, and using a transition effect to command attention, is unhelpful in a tense moment.

It was enabled by default. I disabled it.

Normally, I would have used Google Maps, which shows very clear and strong, clean icons to indicate lanes. This is extremely helpful! Smart and empathetic design that understands my needs when driving in an unfamiliar place.

But the Car Play was too dysfunctional to use.

As for the microphone button, I didn't see a microphone button. Maybe they should make it more visible, or find a more ergonomic way to handle an error.


I used to have a BMW that was doing that. My 'capacity/tolerance' to driving is max 10-12 hours. All I need is meat, caffeine, and SecurityNow and/or Metallica. I get it that BWM is trying to do the 'right' thing, but they should allow people to turn the darn thing off.


They do. You can deactivate all assistance either completely or selectively by pressing the button with the car symbol and the lighting circle around it. (Green if you have all activated, red if all deactivated)


If you want to invest the time you can report this DPA violation. They are obliged to reset the car to ensure the next renters privacy, especially if you told them. Violations can be expensive and it is generally a good idea to report so the big corps keep getting reminded that privacy is an important right of their customers.


Not sure how it varies across the pond, but I've rented a few cars in the States and they've never been reset. You'd think they'd have a rental mode or something. But instead, it's full of their preferences, phones, etc. Very annoying when they turn off modern safety features and stuff


Somedo have rental/fleet modes, including BMW. The rental agencies just aren't using them.


I just rented a BMW from Sixt and there was no way to disable the annoying wheel-yanking "lane departure" technology.

It showed disabled in the menu, but it was definitely still active.

So SIXT are forcing this horrible feature on everyone

A much worse feature than the one everyone complains about, the one that kills the engine when idling

In the rain, driving through roadwork, with abrupt lane changes, you have to cope with the car yanking the wheel back and forth when it can't figure out where the lanes are.


I have a year old BMW and the software is a complete and utter f*cking trash. The whole UX is just garbage.

Basically BMW goes out of its way to force drivers onto ConnectedDrive. Half of the functionality is hidden - for no clear reason - behind online ID.

You'd assume that if my wife or I open the car with our respective keys, we'd have the matching profile loaded, the seat adjusted, etc. Mwahahaha. NO! Unless the key is linked to an online ID - no soup for you! Infuriatingly stupid.

The dealer essentially forced me to create an online ID and activate ConnectedDrive saying they can't deliver the car otherwise. Immediately after, the car enrolled itself in some sort of Premium trial and never bothered to mark what functions are included and which are premium. It took 2 phone calls to get the trial cancelled and - what do you know - the traffic info was a part of it! What a bunch of wankers.

Even then, you'd assume that if they are so set of online bullshit, it would be polished. Ha, dream on. If you unlock the car and it has no cell connectivity, you get a guest profile. Car starts speaking German, all settings are at defaults, including the seat position.

I mean ... it's not my first BMW, but the pace of its enshittification is beyond belief. Stay the heck away.


Not limited to BMW. I have owned and rented cars from many different marques and terrible software is a constant. Haven't tried Tesla, but people say it is better.

My biggest peeve is when the car has several different contexts for configuration and/or auth that have been layer on each other like mud deposits. The user meanwhile has no idea that's what happened. So for example the seat position can be saved by pressing a button. But also is saved in a driver profile when the vehicle is locked. And then that driver profile can be backed by a cloud account. There's no user feedback at all as to what and where the car stored your seat position and the driver is left bemused as to why the seat is where it is and how to have it in the right place.


Not limited, for sure. Many vendors are behaving this way. They should all be named and shunned.


I'm baffled how we've come to accept such poor quality software in our products and key services. We seem to shrug off software issues that would deter purchase if they were material or mechanical.


How is this a software quality issue? This is a process issue with the rental company. It doesn't sound like the car itself is doing anything wrong.


I don't have a BMW, so I may be wrong, but from the comments it sounds as though:

1) physical access gives remote privileged access - this is a car, not a server! We don't lock cars in data centers, friends, family, mechanics, the car wash, valets or an entire custom base in this case may have access.

2) there is an idiosyncratic process that must be followed to ensure the vehicle is suitable for this use which is sufficiently obscure that it's often overlooked. The risks of which, are quite grave (remote tracking).

3) even if everything is done "correctly", it will limit the functionality to the product you've paid to rent.


If you were the owner of such a car, how exactly would you expect to link your phone to the car using the first party app if not for physical access?

There's a standard reset process that the rental company is simply not following here


I built an exploding pie, put it in the fridge with a "do not eat me" sign, not my problem somebody blew off their arm.

Processes should/must be built with the users in mind. Users do unexpected, stupid things.

So, yeah, the car itself isn't doing anything wrong, but the whole "fleet use" system designed by BMW+fleet owners appears massively flawed. And that system includes all the software.


> the whole "fleet use" system designed by BMW+fleet owners appears massively flawed.

It would seem that the system works just fine, it's just completely being ignored by the rental company.

I could just as easily tape a cheap cell phone inside a hotel room to the wall and record the other guests with it. If the hotel cleaning staff doesn't clean the room and remove the device, how is that any different?


I am sure missing something: couldn't you just remove yourself your profile/BMW ID before returning the car ? I guess the answer is yes, but you are stating that somebody could act like you in purpose so to have control of the car when is in somebody else hand?


Enterprise Holdings manages theirs via fleet, so while a BMW ID can be added, the car is generally fleet restricted. Includes restrictions on capabilities like using (the cursed) subscription "features" you've paid for.

So yeah at least one of the big renters has handled it appropriately on the cars I've rented from them.


They seem to be better with some brands of cars than others, the sports car I rented from them was not reset or restricted in any way.


OMG rental cars AV systems and bluetooth are the bain of traveling ... my travel buddies and I will spend up to 5% of our entire trip talking and dealing with this pain cause we have iPhone and or Android.

The UX is painful and now bluetooth is controlling even more portions of the car ... hilarious yet dumb and concerning.


I'm about 50/50 with rental cars working with CarPlay easily (ie, the pairing dialogs pop up and run without issue).

But, when the pairing fails, I just don't bother. There's nothing on CarPlay that is 100% necessary to use a rental. Yeah, it's nice to have. But, I'd rather do without than waste a few hours trying to configure it on a car I don't own.


I see a lot of complaints in this thread about modern cars. What kind of contemporary car do you really like and have great things to say about?


My standards are low. I wouldn't even expect a car rental company to handle this sort of thing properly.


So... did you press the honk button?


So, which carmaker does surprise you pleasantly nowadays?


The only new cars I'd consider are the Mazda MX-5 and Dacia, to be honest. Porsches are also generally good, but they are way too expensive new and too good for the street. Even the old ones have so much potential that pushing them to the limit on the way to work is straight up dangerous and antisocial.


I bought a Tesla from Carvana in 2021. It was still linked to the previous owner, along with their card details. I could have pulled up to a supercharger and plugged in and charged on their dime.

This is frankly just bad customer service. Companies don't take it seriously as a problem because nobody is upset about it and it doesn't affect their bottom line.


Love these types of 'hacks' :)


Well, the deterrent here is that because of enshittification, OP risks being charged monthly on the BMW account for having the right to open the passenger door.


Write the authority concerned with GDPR-Enforcement in Italy about this. Sixt will act very quickly then




Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: