
A Dutch first: Ingenious BMW theft attempt - rapnie
https://mrooding.me/a-dutch-first-ingenious-bmw-theft-attempt-5f7f49a96ec8
======
Rjevski
I used to fix cars for a living. Sometimes it involved “cracking” alarm &
immobiliser systems.

My clients all claimed they broke/lost their keys to their car - most of the
time they were believable (car stuck in front of their driveway, etc).
Sometimes less so, but I’d do it anyway because I needed the money and I had
no proof to the contrary (innocent until proven guilty, right?), although given
the sad conditions of the cars I really doubt anyone would bother stealing
them.

Car security is based on obscurity. There is very little cryptography involved
(if any), and where there is, the car’s “computers” would happily install new,
untrusted firmware through the diagnostics (OBD) port, which means you can do
pretty much anything - program new keys, disable the immobiliser or alarm
completely (by installing patched firmware) or even rewind the odometer.

I’m frankly surprised it took this long for “high tech” car theft to appear,
unless it’s been going on for a while but executed perfectly so nobody would
find a trace.

Happy to answer any questions if anyone’s curious.

~~~
vbezhenar
In Russia and, I guess, similar countries, it's quite rare to encounter a car
which isn't protected by an external protection system (not sure how it's
called in English, in Russian it's usually called "Сигнализация") which
includes shock sensors, alarm system, remote control and car block which
protects some vital engine circuits. There are systems with dialog protocol
between remote control and car with actual encryption inside, so it might be
not so trivial to break it. In practice such cars are either stolen inside
trucks or an entire system is by-passed by a separate automobile computer
connected directly to necessary engine sensors, ignition coils, etc. Quite
clever technique, you don't need to bypass protected electronics if you can
bring and connect your own electronics.

~~~
taneq
> not sure how it's called in English

"Immobiliser", usually. :)

~~~
Rjevski
"Сигнализация" would be more akin to alarm.

------
avar
Reading this article is honestly a bit of a domestic culture shock for me,
where does this guy live in The Netherlands?

Here in downtown Amsterdam we called the police because the rear window of
someone's car had just been smashed outside our office, and the police's
response was "Has anyone been hurt? Nope? Then we're not coming".

Meanwhile, wherever this guy lives they're sending officers because some BMW
call center calls the police in the middle of the night telling them that some
car reported unspecified distress within some radius, and they sent officers
to search the whole neighborhood for the car and locate the owner.

I guess the next time I need police help I'll use a burner phone and tell them
a BMW is in distress.

~~~
hellofunk
> Here in downtown Amsterdam we called the police because the rear window of
> someone's car had just been smashed outside our office, and the police's
> response was "Has anyone been hurt? Nope? Then we're not coming".

Amsterdam currently has a big police shortage, that's why. It's not normal,
it's just a problem in Amsterdam.

[https://www.dutchnews.nl/news/2018/07/amsterdam-is-not-lawle...](https://www.dutchnews.nl/news/2018/07/amsterdam-is-not-lawless-jungle-but-it-does-need-more-police-says-new-mayor/)

~~~
lucb1e
> It's not normal, it's just a problem in Amsterdam.

Right, the two times we needed police in Limburg (Echt and Maastricht, few
years apart) it didn't happen either. It had to be life-threatening and the
people didn't literally shout "we'll kill you" so the police wasn't gonna
bother.

Meanwhile on TV they're cycling through parks to fine people some 99 euros for
not having a well-behaved dog on a leash (could have used discretion there),
or fining some poor dude 370 euros for standing literally 2 minutes on a
disabled spot to pick someone up.

~~~
Freak_NL
Poor dude? You don't park in a disabled spot unless you have a right to be
there. That should be common sense.

~~~
lucb1e
It was wrong and s/he was caught, but that fine is just ridiculous. Sure,
someone who stood there for 2 hours in a busy spot where disabled people were
indeed turned away, then they definitely chose to risk that fine. But when
someone was standing with the car (not even parked) for 2 minutes, I might (as
police(wo)man) decide to give a warning instead. That fine is
disproportionate. Most people on HN probably earn enough to sustain it easily,
but for many people, that's an entire month's worth of food that just went
down the drain. Sure, it's a good deterrent, but is it fair and just? Should
we just give exorbitant fines on every petty crime just as a deterrent? That's
not the kind of country I want to live in.

------
barbegal
This definitely isn't the first time this technique has been used. I'm sure
I've heard many similar stories before and the internet backs me up.

[https://www.askaboutmoney.com/threads/attempted-car-theft-wi...](https://www.askaboutmoney.com/threads/attempted-car-theft-wires-cut-with-hacksaw-blade-thru-door-jamb.181216/)

[https://rutlandnhw.org.uk/crime-update/rutland-south-crime-r...](https://rutlandnhw.org.uk/crime-update/rutland-south-crime-report/)

------
mrooding
Hi guys, very cool to see how this is being picked up over here. Shame on me,
but I actually forgot to submit it to Hacker News.

The key fob method is out of the question for my car. I've known about it for
a while and store my keys in special bags.

I see quite a few people asking why a sting wasn't organised. I of course
shared the M.O. with the police and we actually had a few phone calls from
them over the past few days. They are sharing the information with their
colleagues but to be frank, they are not going to spend an entire night
waiting around for a potential car theft.

We live in Ijsselstein, a city just south west of Utrecht, and car burglary
and theft is quite a big issue in our area. My previous car, a BMW F20,
actually got broken into twice in 2 weeks. Both times they stole the entire
nav system. I've become quite adept at filing reports but besides filing a
report the police can't do anything for you.

The first time it happened they asked me whether or not I saw visible blood
stains. Only then would they send a patrol car to do sample research. In any
other case, they just ask you to file a report and be done with it.

Let me know if there are any questions you'd like me to answer while I'm at
it.

I'm also interested in writing some follow-up articles about car
security/theft prevention. If there's anyone willing to contribute, let me
know!

~~~
Scoundreller
You may want to look into rewiring your OBD port so that it doesn’t work
without you flipping a switch somewhere, or building a “key” with a male and
female port + some wires, then storing the “key” in some hidden location
(spare tire?).

Or just expose two data lines from the OBD wiring harness and jump them
together. Remove the jumper to operationalize the OBD port.

FYI: cutting off VCC may not always work since some devices may derive enough
power through other lines that have pull-up resistors to function. I’ve seen
it happen in other industries.

Not sure if such products exist commercially, but it would have some value for
someone to build them.

~~~
mrooding
A few days ago, I read on the most reliable source in the world, the internet,
that if you have a class 3 alarm system from BMW, the OBD port is blocked as
soon as the alarm goes off. I do want to verify this with the dealer once my
holiday is over.

I also read about the OBD key cloning, but I'm not sure whether or not that
was an issue with the first F30s. I'm unsure whether or not it still works
with the F30 LCI from 2017 that I have.

------
giobox
I've anecdotally heard a lot of stories about the relay/replay attacks on
keyless ignition systems used in many BMW models and other cars as well. No
need to smash the window at all in some cases. Remarkably simple attack in
principle, and probably a nightmare to explain to your insurer given there
will be no evidence of a break in.

Makes you wonder if you should start storing the key in a metal/RF shielded
box at home...

> [https://www.bbc.com/news/uk-england-birmingham-42132689](https://www.bbc.com/news/uk-england-birmingham-42132689)

~~~
blensor
That's actually not hard to explain to your insurance or the police at all.
This happened to me 5 weeks ago. The car was parked directly in front of my
entrance door and the key was basically on the other side of that door.

The scene of my car not being where it was supposed to be was so surreal that
I did not even realize it was missing the first time when I walked out the
trash. I basically walked around an invisible car.

Only when I wanted to leave the house and thought, well, shouldn't my car
be there, did it dawn on me that something is amiss.

When I went to the police, the first thing they asked me was how far my keys
were away from the car. My insurance was asking the exact same thing.

Remarkably the car was found when the police in our neighboring country
stopped a driver under the influence of drugs.

Getting the car back (still ongoing) was so much hassle that I almost would be
happier if it would not have been found.

It goes without question that all my keys are now stored inside a metal box
when not in use.

I was a bit worried that the box does not shield the signal enough. The best
way I could think of to test it was to put the key inside the box and hold the
box to the steering column and try to start the car. It's probably not
foolproof but I hope it is enough.

~~~
akira2501
> I was a bit worried that the box does not shield the signal enough.

They make "Faraday Bags" exactly for this purpose.

~~~
blensor
I needed a quick fix that everyone in our house would be adopting quite
quickly, and it should also fit into the style my wife used to decorate the
entrance area. So the bowl where our keys were usually collected was replaced
by a metal box with a lid.

However, in the long run I won't bet on workarounds to prevent the signal from
being repeated; I will rather use one of those steering wheel locks that's
brightly visible from the outside. That does not prevent someone from breaking
into the car, but it will prevent them from easily driving away with it.

A security camera has also been placed there, so I hope overall it is enough
of a deterrence.

~~~
Cthulhu_
I think you can also disable the keyless entry (that is, entry without hitting
a button on the fob) in most cars. Said cars should also just stop if it
doesn't detect the key while driving, so starting keylessly should still work.

------
mabbo
The thieves would have been wiser to take something, _anything_ to make the
narrative of the original break in more believable. They didn't sell the
narrative well enough, which left people curious.

~~~
Nasrudith
I wonder why they bothered with the smash - broken glass would make people
take their car to a dealer. Just the "failed jimmying" might have gone if not
unnoticed as a police issue procrastinated in fixing. Maybe they were just
frustrated auto thieves.

~~~
flak48
How would they have disabled the alarm without breaking into the car?

------
ironjunkie
Why did they not park the car back and wait with the police on call in order
to catch the thieves that would have come back the next night?

~~~
test6554
With the alarm disabled, they could wait a month.

~~~
Cthulhu_
I'd argue they would have to act quickly though - there was an alarm going on
the dashboard when the car was started.

------
noncoml
I was sure he would wake up next morning and find the car missing. I think he
was really lucky that this wasn’t the case and the thieves waited(?) for the
next night.

~~~
jimmy1
Yeah, I don't understand this. After you went through all the work of
disabling the SOS, you can just take the car then, unless breaking the window
was the way they initially got inside, and maybe they were thinking that the
person would blindly repair the broken window to increase the value of the car
on the black market? I don't know.

~~~
rconti
Because the police arrived 5 minutes after they disabled the SOS button.

The next night, there would be no SOS notification when they broke the window
again. Or maybe they'd only have to tear away a plastic bag, if the owner
hadn't gotten the window replaced.

Or maybe they were hoping to find a valet key in the car, making their job
even easier, either that night, or the next night.

~~~
rosege
I don't know why he didn't talk to the police and tell them what he suspects
and see if they would set up an ambush for the car thieves that night. Put the
car back in place and wait for them to show up

~~~
justwalt
The thieves didn’t have to come back the first night. Could have done it weeks
later.

~~~
Cthulhu_
Yeah but would you drive around in your brand new car for weeks with a big SOS
error light in the dashboard? Knowing it's covered by insurance and/or
warranty, too.

~~~
flak48
The theft relies on the few people who would actually ignore the error light,
I mean theft shouldn't be so easy...

------
Coding_Cat
After the first paragraph(s) I was expecting the security center to be fake,
the actual thieves, and have them send out a 'customary repair service' that
would have to take the car back to the dealer or something.

------
jasonmaydie
I think the proper course of action in that case was to return the car and do
an old fashioned stake out with lots of beer.. I mean redbull and catch the
burglars red-handed.

~~~
ironjunkie
Yes. I honestly don't know why this was not done. It sounds like the most
obvious thing to do if you know that the burglars are going to come back
anyways the next day.

------
purpleidea
The smart thing to do would have been to leave your car outside again, and
have the police hidden down the street, so when they returned they could catch
the crooks!

------
londons_explore
It's clear what has happened here...

Cutting that wire loom disables the car's 'call home' functionality (probably
by cutting its antenna), as well as conveniently disabling the alarm.

The thieves who cut it this time were too slow though. Presumably, the 3G
connection takes ~30 secs to boot up, find a cell tower, and connect to BMW
servers. The thieves hoped to break the window and cut the loom immediately,
before the connection to the server was made.

~~~
rtkwe
Aren't they just always on? Also the modem would have to be on the other end
of that cable loom for that to work when it's much more likely to be down in
the glove box with the rest of the control modules and you don't need an
antenna that long for a WAN modem.

~~~
londons_explore
You probably want the antenna away from all the metal body panels of the car.
Hence normally running a cable up the A pillar.

The modem itself probably isn't booted up to reduce vampire power drain. If it
was always on, it would drain the battery after a few weeks. More likely, when
the alarm goes off it starts booting up.

~~~
rtkwe
My cell phone still gets decent signal sitting down in the center console in
the cubby below the entertainment system, enough to stream music at least
which is more than it'd need for an SOS function. If your phone can send a
text it's got more than enough signal to do the SOS functions.

------
gagabity
More surprising that the car has some call home feature that the owner doesn't
seem to know about.

~~~
drglitch
Having recently gotten a new BMW (in USA), they give you a huge packet of
about 30 pages explaining the BMW TeleService and the "SOS" button. They also
make you sign a power of attorney-style doc giving them rights to notify
police in case they believe your vehicle is in trouble and provide police/EMS
with its exact location.

Mercedes and Audi have similar systems, as do others via OnStar. This is one
of few cases where I believe having an "oh shit" button/system that
automatically activates in case of serious accident or another event is
valuable.

EDIT: oh, and this is entirely opt-in, at least on BMW.

~~~
jiveturkey
No, not entirely. Please give me the instructions on how to opt out. Whenever
someone asks (which is rare), the forums are filled with replies like "why
would you not want BMW to monitor you? are you a fraudster?" IOW the forums do
not know how to opt out either.

Every time I take my 2016 in to service, I ask both sales and service to
disable teleservices. They say they cannot. I then call BMW teleservices
(every time), and they tell me that the dealer has to do it.

There are explicit instructions _from BMW_ online that _in Germany_ you can
take it to the dealer to have it disabled. No mention of any other country.

Yes, the emergency aspect of it is valuable. It's not worth the compromise in
privacy, at the complete discretion and ineptitude of a corporation that has a
profit motive.

In 2016, I certainly did not sign (and was not asked) any kind of doc
authorizing location disclosure. My car definitely does have teleservices
activated. (don't know if they will report my location)

~~~
driverdan
Can you pull the SIM card?

~~~
chrisper
No, because this is an embedded system and fiddling around with that is maybe
going to void your warranty?

~~~
driverdan
Not in the US. So long as your changes don't cause damage your warranty can't
be voided.

------
hartator
It seems overly complicated when just relaying your key fob is a known attack
that's working. The scenario of them just failing to steal the car seems more
plausible.

------
vanous
Would it be possible, that the order of actions was actually different? The
thief first pushed thin tools through the door gasketing and actually cut the
wires from the outside. Not sure how well and how successfully, but I actually
presume that this wasn't as good cut as they tried to achieve. Then, they
tried to break the window and continue with the theft, but the system reported
them too fast anyways...?

~~~
mrooding
I doubt that this is what happened. I'd like to see someone remove the jamb
cover from the outside and also cut the loom from the outside. Not sure what
kind of tool would be able to fit through the door and do these things. You
can clearly see on the third image that they forcefully removed the cover with
a screwdriver or something else since it's completely bent.

------
post_break
If you have a car that has keyless entry store your keys in a metal box and
confirm it won't unlock the vehicle even if you take the box and put it next to
your door. Also if you drive a modern Ford do everything you can to block
access to OBD-II port as they can clone a key in seconds using special tools.

------
spockz
BMW burglars appear to be very skilled. The entire board computer was taken
from a friend’s car and the screws and cables etc were all tidily set aside as
if it was a professional replacement. And this within an hour, on the front
porch..

~~~
samstave
Makes me wonder how many of the thieves of modern cars are professionally
trained service people from the respective car companies who are paid off to
get the vehicle into a state where it can be cleanly taken away.

You are basically just paid to bypass security.

~~~
Rjevski
The difference is that in IT, whether you are a professional or not, the
systems you’re working on will still ask you for authentication.

In cars, it’s security by obscurity. If you know the protocol to talk to the
car’s computers via the OBD port, you are pretty much root without even
providing any credentials.

------
danielovichdk
Funny reading this. I had the same experience with a rental BMW 530 in Italy.

Nothing stolen, only window shattered and SOS going blind.

I left for Germany that day though, so I must have been lucky.

Thanks for posting

------
dig1
Since all protection in cars (no matter how complex it is) is mass produced, it
is very easy for thieves to purchase same/similar car and study it. However,
I'm wondering what will happen if an ordinary Hacker Joe (a guy who knows a
little bit of electronics and software) installs custom protection, no matter
how simple it is?

Knowing that for thieves, the most precious resource is time and if you force
them to work more than expected, they might give up...

------
trukterious
Thieving isn't a good life -- for one thing, thieves lie awake at night
worrying that someone's going to steal their stuff.

------
danieltrembath
I wonder if they were in fact intending to steal the airbag, but were
disturbed in the process. Airbag theft is fairly common and lucrative. You can
extract the A-Pillar bag through the window without opening the door. In cars
without the radar/pressure sensors you have some chance of doing that without
setting off the alarm.

------
ashleyn
Immediately, I'd be wondering what very powerful spy agency or organisation
felt the need to break into my car, and why.

~~~
soneil
I'm not sure I'd be so paranoid. We've read of people managing to hack the key
openers, etc. They're an attractive target.

I mean, if you were going to leave a box containing $30,000 on your doorstep.
A box not only containing 30k, but a box that was labelled that it contained
30k. How would you protect it? Put a serial number on it so you can prove it's
yours? A bike lock? A motion sensor? Cement it into the ground?

What lengths would you expect someone to go to, to try to walk away with this
box? Just give it a little kick to see if it moves? A screwdriver or a pry
bar? Angle grinder?

Once you divorce yourself from the commonality of a car, it's quite bizarre to
think that not only do most people leave their second most valuable possession
(or most valuable, if you rent your home) on their doorstep .. but that they
just assume it won't happen to them. It doesn't take a targeted attack for
someone to realise that that exposed, valuable, mobile asset is .. well,
exposed, valuable and mobile.

~~~
dsfyu404ed
$30k in cash is not the same as a $30k car. A $30k car that's been stolen is
not worth $30k, then there's liquidity, risk and a bunch of other things.
Having your car parked outside is not at all like having a box containing $30k
outside your house.

~~~
soneil
I have to worry about a $1,000 bicycle. For some reason it's just socially
accepted that this will happen to a $1,000 bicycle. But park a car worth an
order of magnitude, and the level of worry actually goes down. That's the bit
that throws me for a loop.

I'm not trying to argue that anyone should live in fear. Just that assumptions
of state-sponsored action severely overestimate which ballpark this lives in.
This is more complex than an opportunistic thief, but well within career
criminal - and probably well below "steal to order".

~~~
vkou
That's because most of us recognize that 20 seconds with angle grinder will
make that $1,000 bicycle disappear. 20 minutes at a stolen bike dealer - which
are everywhere - will turn it into $50.

20 seconds with an angle grinder will not make a $30,000 car disappear.
Selling it on the black market is also a much bigger pain in the ass than
selling a stolen bicycle.

People leave $300,000 dollar homes unattended all the time - protected by
nothing more than a flimsy lock, and a few panes of glass. Yet, most of the
time, people don't worry about someone stealing their house.

------
ransom1538
In Sacramento car theft is a big problem. The scheme there is to steal a nice
car, purchase a wrecked one at a lot (salvaged) for pennies, then swap the
VINs and serial numbers with the salvaged car then sell it. It works really
well. So if you buy a used car in Sacramento there is a 90% chance it has a
salvaged title.

~~~
tempestn
However large an issue it is, I'm pretty confident a majority of used cars
sold in Sacramento are not stolen, let alone 90%. (Maybe you were just
exaggerating.)

------
jmnicolas
The author should feel lucky that he encountered "fancy" thieves.

Modern cars are so hard to steal that most thieves resort to violence to get
your car.

Contrary to insurance companies, I'd rather have my car stolen than to be
knifed.

------
hashifynet
It would seem the person took the time to review a wiring diagram or had some
previous experience.

------
mobilemidget
Hope he still went on vacation as planned, I kind of miss that information

~~~
mrooding
We are actually. Not with the BMW as intended but with my girlfriend's car.
Currently driving from the south of France to Bretagne for our last week. The
car has been fixed by now and will be picked up the 18th. I'll update the
article later today too!

------
multjoy
Amateurs, frankly.

The current modus operandi is to find your BMW/Land Rover/Mercedes. Wait for
it to come to your hand carwash, tyre company etc and get uninterrupted access
to the OBD port along with the key. Program new key, find the address of the
vehicle, walk up a few days later and drive it off at 3am in seconds.

If that's too much like shooting fish in a barrel, then the 'keyless relay
theft' is probably more your bag. Using a relay transceiver, if the key is in
the house within range, then you can trick the motor into thinking the key is
present. Many cars will allow you to continue to drive them even if the key is
out of range. Provided you don't turn the engine off, this gives you plenty of
scope to get away and clone a new key in the meantime.

TL;DR, OBD and keyless technology is basically flawed. The best countermeasure
is a good old fashioned crook lock.
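
An added example, not part of the comment above or of the linked article: a toy model of the keyless relay scenario discussed in this thread, showing why a cryptographically correct fob response does not prove the key is nearby, and how a round-trip-time bound on the car side rejects a relayed exchange. The HMAC challenge-response protocol, the class names and all distance and latency figures are assumptions constructed for illustration, not any manufacturer's design.

```python
import hashlib
import hmac
import os

C_M_PER_NS = 0.299792458    # radio propagation, metres per nanosecond
FOB_PROCESSING_NS = 1_000   # constructed figure: fixed time the fob takes to answer


class Fob:
    """Hypothetical fob: answers every challenge it hears with an HMAC."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Link:
    """Radio path between car and fob.

    relay_latency_ns == 0 models a fob talking to the car directly. A non-zero
    value models equipment that forwards the genuine messages unmodified and
    adds forwarding delay in each direction.
    """

    def __init__(self, fob: Fob, distance_m: float, relay_latency_ns: float = 0.0):
        self.fob = fob
        self.distance_m = distance_m
        self.relay_latency_ns = relay_latency_ns

    def exchange(self, challenge: bytes):
        response = self.fob.respond(challenge)
        flight_ns = 2 * self.distance_m / C_M_PER_NS
        rtt_ns = flight_ns + 2 * self.relay_latency_ns + FOB_PROCESSING_NS
        return response, rtt_ns


class Car:
    """Car-side check. max_distance_m=None means 'verify the MAC only'."""

    def __init__(self, key: bytes, max_distance_m=None):
        self._key = key
        self.max_rtt_ns = None
        if max_distance_m is not None:
            self.max_rtt_ns = FOB_PROCESSING_NS + 2 * max_distance_m / C_M_PER_NS

    def try_unlock(self, link: Link) -> str:
        challenge = os.urandom(16)  # fresh per attempt, so a recorded answer is useless
        response, rtt_ns = link.exchange(challenge)
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):
            return "reject: wrong key"
        if self.max_rtt_ns is not None and rtt_ns > self.max_rtt_ns:
            return "reject: response too slow"
        return "unlock"


def run_demo() -> dict:
    key = os.urandom(32)
    fob = Fob(key)
    nearby = Link(fob, distance_m=1.0)                            # owner at the door
    relayed = Link(fob, distance_m=30.0, relay_latency_ns=500.0)  # key indoors, relayed
    stranger = Link(Fob(os.urandom(32)), distance_m=1.0)          # some other fob
    crypto_only = Car(key)
    bounded = Car(key, max_distance_m=2.0)
    return {
        "crypto_only/nearby": crypto_only.try_unlock(nearby),
        "crypto_only/relayed": crypto_only.try_unlock(relayed),
        "crypto_only/stranger": crypto_only.try_unlock(stranger),
        "bounded/nearby": bounded.try_unlock(nearby),
        "bounded/relayed": bounded.try_unlock(relayed),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:22s} {result}")
```

The MAC-only car accepts the relayed exchange because the response really does come from the owner's fob; only the timing bound distinguishes it from a key held at the door.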

------
chrischen
Sounds like a perfect opportunity to do a sting.

------
jeroentrappers
Just use a steering wheel lock.

------
stealthmodeclan
Thieves are usually lazy and they don't make more effort than required.

My friend has holes in the front of the car to make it easier for thieves to
attach a hook and then tow the car into a truck.

But if you put pressure above a threshold on any of the holes, car keeps
sending one SMS to his number every 5 minutes.

This is in Romania.

------
gok
How is cutting the line to a car's panic button unlike cutting a car's brake
line? (that is, attempted murder)

~~~
tempestn
Even cutting brake lines wouldn't automatically be attempted murder; it would
depend on circumstances. Equating that to cutting off the panic button is
quite a stretch though. I've never owned a car with a panic button, nor known
anyone whose life one has saved (unlike brakes).

