

BMW fixes lock security flaw - jackgavigan
http://www.bbc.com/news/technology-31093065

======
rdeboo
This is a real problem. Someone took two laptops from the Mercedes of a
colleague recently. They just hacked into the car, no physical damage.
According to the garage this is a known problem and not much was done about
it.

On the one hand, I trust old fashioned locks more. On the other hand, breaking
into a car is easy anyhow (just smash a window). At least, there's no physical
damage done to the car in this way (which often exceeds the costs of the lost
goods). So perhaps it's not so bad. Just never leave valuables in your car.

~~~
jsaxton86
3D printing will make old locks obsolete.

~~~
hawkice
I lost my apartment keys and picked my way into my apartment for about 7
months. I don't see 3D printing having a lot to do with that.

Even if I had a printer I'd need some fancy scanning equipment to figure out
how to make the key.

~~~
teraflop
Random tangent: I recently had two copies of a key made, and noticed that the
guy at the duplicating machine was able to remove the original after
"scanning" it to make the first copy. Seems obvious in retrospect, but I
hadn't realized that nowadays those machines had memory like photocopiers,
instead of just being purely mechanical.

With that in mind, seems like it should be possible for someone to scan a key,
save the pattern, and be able to use it later on to cut new keys on-demand.
Does a service like this exist?

~~~
jordanthoms
Yes it does, and you can even do it from just a photo.
[https://keysduplicated.com/](https://keysduplicated.com/)

Although it doesn't really matter if you are talking about common household
locks - they are trivial to open with a bump key or lockpick anyway.

~~~
jeltz
Depends on where you live. Here in Sweden it is common to have doors with locks
which are both impossible to bump and hard to pick. Our insurance companies
require them.

------
oomkiller
I wonder if they are using key pinning and have mitigated SSLStrip and other
SSL attacks. Also, they say that it wasn't vulnerable to attacks on braking
and steering. If firmware updates are possible over the air, you could
theoretically capture and disassemble one and modify it to suit your purposes.

The device the software runs on most likely sits on the CAN bus with
everything else and could be used to feed false data in that could at least
confuse other systems on the car. Similar attacks have been done before in
experiments. Local (USB drive) system updates look to be cryptographically
signed, but who knows about the OTA ones, and even then the key might be
extractable.

------
acd
There has been active exploitation of this bug; basically they have been
stealing keyless BMWs with some kind of hacking tool / laptop, like a real-life
version of the movie Gone in 60 Seconds.

~~~
johngd
There was also this one[1] from a couple of years ago (that you may be
referring to?) where, with an inexpensive kit, a thief could intercept the
driver's key fob transmissions to open the car, and then use an OBD programmer
to pair the car with a key blank.

[1] [https://nakedsecurity.sophos.com/2012/09/18/bmw-stolen-hacking-kit/](https://nakedsecurity.sophos.com/2012/09/18/bmw-stolen-hacking-kit/)

~~~
kw71
I have heard that in the cars without real ignition keys (in other words, those
with RFID fobs and no mechanical ignition lock) it could be possible to
authorize a new key by communicating on the OBD2 connector. You do not need
access to a working key if this is true, but it is my impression, based on some
things that I have heard, that the private part of some asymmetric
cryptographic material must be known. Whether it varies from car to car, I'm
not sure. (This system is called CAS by BMW.)

However, in the cars with real ignition locks, the immobilizer is not as easy
to defeat as the "nakedsecurity" piece implies.

Since 1994 or so (with the introduction of the EWS2 system) the ignition key
contains an RFID tag with a permanent shared secret and a password which is
updated every time the key is used. It has always been possible to get close
to such a key and read it, then write the information into a new key. Since
the password is updated when the key is turned to the 'run' position, as soon
as either of the "identical" keys is used, the other will stop working.

To authorize a new key on the EWS2 or EWS3 systems using the diagnosis
connector, the new key must contain a shared secret already known by the EWS
brain. The factory programmed ten such secrets into each EWS brain during
manufacture, and four keys were delivered with the new car when it was sold.
When a new key is requested through the parts department, that key is
delivered with one of the known shared secrets. Then it can be authorized with
a diagnosis request.

To change the shared secret information in the EWS brain to arbitrary
information, or to discover the shared secrets known by the EWS brain, it must
be removed from the car, physically opened and bootloaded. (It's one of the
68hc11 processors, and there are test points on the board for the mode select
pins; manipulating these can place the hc11 in a mode to run a bootloader
delivered over the serial line.)

(One difference between the EWS2 and EWS3 systems is that the EWS2 brain sent
another, static shared secret to the engine control to signal permission to
start - a simple 32-bit word. In EWS3, this communication involves some
cryptography.)

It is possible that the database of shared secrets became available when the
"Heartbleed" flaw became known. I have heard that their VPN was attacked. If
this material was stolen, the bitting information required to cut a
mechanical key was probably stolen along with it.

The keyless entry remote of these BMWs is more like the ones used in every
car, even though it is part of the same ignition key with RFID tag for
immobilizer: the key has a seed and does some transformation every time a
remote button is pressed.

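As an added illustration of the mechanism described in the comment above (not BMW code, and not the actual EWS2 protocol), the toy model below pairs a permanent shared secret with a password that rolls one-way on every successful start. It shows the property the comment describes: a copy of the transponder taken at any moment stops working as soon as either the copy or the original is used, and the controller's log of a known key id presenting a stale password is the signal a workshop would look for. The message layout and the use of HMAC-SHA256 as the rolling transformation are assumptions for the example; the remote's "seed plus transformation per button press" scheme mentioned later relies on the same one-way idea.

```python
"""Toy immobilizer model: permanent shared secret plus a per-use rolling
password, in the style of the EWS2 behaviour described in the thread.
Added example, not BMW code; formats and the HMAC step are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Key:
    """Transponder state: a permanent secret and a password that rolls on use."""
    key_id: int
    shared_secret: bytes
    password: bytes

    def clone(self) -> "Key":
        # Models reading a tag and writing its contents into a blank: an exact
        # snapshot of the current state, which is all a reader can obtain.
        return Key(self.key_id, self.shared_secret, self.password)


def next_password(shared_secret: bytes, password: bytes) -> bytes:
    """One-way step: the new password derives from the secret and the old
    password, so holding an old password does not reveal the next one."""
    return hmac.new(shared_secret, password, hashlib.sha256).digest()[:8]


class EwsBrain:
    """Immobilizer controller: knows each authorised key's secret and the
    password it expects to see next."""

    def __init__(self) -> None:
        self.expected: dict[int, tuple[bytes, bytes]] = {}
        self.log: list[str] = []

    def authorise(self, key: Key) -> None:
        self.expected[key.key_id] = (key.shared_secret, key.password)

    def turn_to_run(self, key: Key) -> bool:
        entry = self.expected.get(key.key_id)
        if entry is None:
            self.log.append(f"key {key.key_id}: unknown id")
            return False
        secret, expected_pw = entry
        # Constant-time compares avoid leaking how much of the value matched.
        if not (hmac.compare_digest(secret, key.shared_secret)
                and hmac.compare_digest(expected_pw, key.password)):
            # A known id with a stale password is the clone-detection signal.
            self.log.append(f"key {key.key_id}: stale or wrong password")
            return False
        # Success: both sides roll forward, so any earlier copy is now stale.
        new_pw = next_password(secret, expected_pw)
        self.expected[key.key_id] = (secret, new_pw)
        key.password = new_pw
        self.log.append(f"key {key.key_id}: start permitted, password rolled")
        return True


def original_used_first() -> tuple[bool, bool, bool]:
    """Returns (original works, copy works afterwards, original still works)."""
    brain = EwsBrain()
    original = Key(1, secrets.token_bytes(16), secrets.token_bytes(8))
    brain.authorise(original)
    copy = original.clone()                 # snapshot taken before any use
    first = brain.turn_to_run(original)     # rolls the password
    second = brain.turn_to_run(copy)        # copy still holds the old password
    third = brain.turn_to_run(original)
    return first, second, third


def copy_used_first() -> tuple[bool, bool]:
    """Returns (copy works, original works afterwards): the same desync in reverse."""
    brain = EwsBrain()
    original = Key(2, secrets.token_bytes(16), secrets.token_bytes(8))
    brain.authorise(original)
    copy = original.clone()
    return brain.turn_to_run(copy), brain.turn_to_run(original)


if __name__ == "__main__":
    print(original_used_first())  # expected (True, False, True)
    print(copy_used_first())      # expected (True, False)
```

Whichever key is used first wins; the other is rejected with a "stale or wrong password" entry in the brain's log, which is the only evidence the car itself has that a duplicate existed.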
~~~
johngd
Indeed. You can do this using the BMW manufacturer software (which is
comically not hard to find), at least for the E9* series of BMWs. Not sure
about the newer F3* series, but I wouldn't be surprised.

~~~
kw71
I think they really did not count on tools like NFS to find their way into the
de facto 'public domain.' However when CAS was designed, they knew (or should
have known) that somehow all the manufacturing-side tools were getting out.
Also some of the regional technical people who support the dealers carry them
around on their laptops. A couple of beers can earn you a lot of secrets
sometimes.

------
harel
I shouldn't be amazed by this in 2015, but a car that updates its software
over the air IS just amazing. I wonder if it can update while driving. Or be
on the receiving end of a DDoS attack.

------
CheckHook
It's a shame that BMW isn't committed to fixing the key-reprogramming method
of theft that affects many of their older cars. The previous "fix" that they
issued only prevented the windows being wound down from the key, not the
actual reprogramming.

[http://www.bbc.co.uk/news/uk-19562487](http://www.bbc.co.uk/news/uk-19562487)

------
stygiansonic
So, this update enables the use of HTTPS - but since it's delivered OTA, does
that mean patches (including this one) were previously delivered over just
HTTP, i.e. an unauthenticated, unencrypted channel?

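The question above, and oomkiller's earlier point that USB updates look signed while the OTA path is unknown, both come down to the same check: the car should authenticate an update itself rather than rely on the transport. The following added example (not BMW's update mechanism) models a vehicle that accepts an image only when its manifest carries a valid tag under a pinned update key, the image matches the manifest's digest, and the version is newer than what is installed; it then shows what an unauthenticated channel lets through and what the checks reject. The manifest layout, the version counter and the use of HMAC-SHA256 as the tag are assumptions for the example; a fielded design would use an asymmetric signature so that the verifying key stored in the car cannot itself produce updates.

```python
"""Toy OTA update verifier: transport-independent authentication of an
update image plus anti-rollback. Added example, not a vendor's code; the
manifest format, HMAC tag and version counter are assumptions."""
import hashlib
import hmac
import json

# Constructed sample key for the demo; a real design provisions a verifying
# key (ideally a public key) at manufacture and never ships the signing key.
UPDATE_KEY = b"constructed-update-key-for-demo-only"


def _manifest_bytes(manifest: dict) -> bytes:
    # Canonical encoding so producer and verifier tag exactly the same bytes.
    return json.dumps(manifest, sort_keys=True).encode()


def make_update(image: bytes, version: int, key: bytes = UPDATE_KEY) -> dict:
    """Producer side: bind the version and the image digest to a tag."""
    manifest = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    tag = hmac.new(key, _manifest_bytes(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "tag": tag, "image": image}


class Vehicle:
    """Receiver side: the checks run regardless of whether the download
    arrived over HTTP, HTTPS or a USB stick."""

    def __init__(self, installed_version: int, key: bytes = UPDATE_KEY) -> None:
        self.installed_version = installed_version
        self.key = key
        self.events: list[str] = []

    def apply_update(self, update: dict) -> bool:
        manifest = update["manifest"]
        expected = hmac.new(self.key, _manifest_bytes(manifest),
                            hashlib.sha256).hexdigest()
        # 1. Authenticate the manifest; this is what the transport cannot be
        #    trusted to do for us.
        if not hmac.compare_digest(expected, update["tag"]):
            self.events.append("rejected: bad manifest tag")
            return False
        # 2. The image must be the one the manifest vouches for.
        if hashlib.sha256(update["image"]).hexdigest() != manifest["sha256"]:
            self.events.append("rejected: image digest mismatch")
            return False
        # 3. Anti-rollback: a genuine but older image is still refused.
        if manifest["version"] <= self.installed_version:
            self.events.append(
                f"rejected: version {manifest['version']} not newer than "
                f"{self.installed_version}")
            return False
        self.installed_version = manifest["version"]
        self.events.append(f"installed version {manifest['version']}")
        return True


def tamper_in_transit(update: dict, new_image: bytes) -> dict:
    """Models what an unauthenticated channel permits: the body is replaced
    while the manifest and tag pass through untouched."""
    return {**update, "image": new_image}


def scenario() -> tuple[bool, bool, bool, bool]:
    """Returns the verdicts for (tampered image, replayed old version,
    update under the wrong key, genuine update)."""
    car = Vehicle(installed_version=3)
    genuine = make_update(b"firmware v4 (constructed)", 4)
    tampered = tamper_in_transit(genuine, b"firmware v4 but altered (constructed)")
    replayed = make_update(b"firmware v2 (constructed)", 2)
    wrong_key = make_update(b"firmware v5 (constructed)", 5, key=b"some other key")
    return (car.apply_update(tampered), car.apply_update(replayed),
            car.apply_update(wrong_key), car.apply_update(genuine))


if __name__ == "__main__":
    print(scenario())  # expected (False, False, False, True)
```

With these checks in place, moving the download to HTTPS adds confidentiality and protects against a hostile network swapping the body, but it is the manifest tag and the version check, not the channel, that decide whether an image is installed.
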
------
72deluxe
Does anyone know if this is a widespread problem across the industry? Does it
affect VWs / Audis too?

~~~
CheckHook
Yes, it affects many higher end cars, but BMWs have suffered for a long time.
Their excuse for a "fix" prevents the windows from being wound down by the
key.

[http://www.bbc.co.uk/news/uk-19562487](http://www.bbc.co.uk/news/uk-19562487)

~~~
72deluxe
That's a pity. That is useful in some circumstances. I once accidentally did
that somehow and came out the next morning to find my windows down and
completely soaked inside thanks to the torrential rain all night long. Took a
while to dry the Golf out... amazingly nobody had pinched anything from
inside it (rubbish CDs I expect).

I am still convinced to this day that it was my cat that pushed the button.

