

Keyless BMW cars prove to be very easy to steal - mrb
http://hackaday.com/2012/07/07/keyless-bmw-cars-prove-to-be-very-easy-to-steal/

======
mootothemax
According to PistonHeads, this isn't limited to BMWs alone:

 _A quick internet trawl reveals it's not just BMWs that are vulnerable.
Devices similar to that used on BMWs are also available for Opel, Renault,
Mercedes, Volkswagen, Toyota and Petrol-engined Porsche Cayennes._

 _The reason this form of theft is currently so rife - and admittedly this
issue is not limited to BMWs - is that European competition rules require
diagnostic and security reprogramming devices to be available to non-
franchised garages. As we understand it, this effectively means that car
companies cannot restrict access to or use of OBD ports._

[http://pistonheads.com/gassing/topic.asp?h=0&f=23&t=...](http://pistonheads.com/gassing/topic.asp?h=0&f=23&t=1167974&mid=83226&nmt=RE%3A+Video%3A+Key+fob+reprogrammers+steal+BMW+in+3+mins)

~~~
josteink
Translated into not-evading-responsibility-esque:

The fact that the communication protocol used is openly known, much like all
internet communications, means that an attack is easy to craft.

 _Somehow_ that is a solved problem with internet and all other open security
architecture. Why isn't it solved on these cars?

This sounds like either NIH combined with piss poor security engineering done
in the name of looking fancy, result of financial constraints or both.

I'm sure some engineers objected that "this is fundamentally insecure!" but
got turned down from someone doing the budgets.

~~~
bradleyland
>Somehow that is a solved problem with internet and all other open security
architecture. Why isn't it solved on these cars?

>I'm sure some engineers objected that "this is fundamentally insecure!" but
got turned down from someone doing the budgets.

You're missing a couple of key points here:

1) This is not a network attack, so the internet is largely irrelevant.

2) This is similar to having an attacker sit down at the physical computer
they're attacking (a much harder problem).

3) Legislation in Europe forces car manufacturers to use an insecure design.

Anti-competition legislation in Europe dictates that the manufacturer cannot
stand in the way of the transfer of secret keys. This means that the entire
security communication must occur between the on-board computer and the OBD-II
tool. Other than a physical lockout on the OBD-II port, I can't think of a
good defense against this attack.

In the US, many car manufacturers take a different approach. The security key
is provided by the manufacturer, not the on-board computer, so you can't
simply walk up and re-program a key. I don't know if this is true of all
manufacturers though.

~~~
lusr
What's wrong with a simple "Okay sir, before you can drive away with your new car
you need to pick a password. And before anybody can service the car they'll
need your password so please don't forget it, but if you do you can always
provide proof of ownership to your nearest dealer and they'll help you reset
your password."? That way non-franchise garages can still do repairs, as well.

~~~
Anderkent
They'd have to provide the 'password restore' functionality to non-franchise
garages as well, I guess. Otherwise they could do this except without the
password: 'Okay sir, here's your key. Anybody can service the car, but they'll
need the key. If you lose it, provide proof of ownership to nearest dealer and
they'll make you a new one'.

~~~
lusr
Good point; a physical key is just as good as a password and has the benefit
that people will treat it properly.

------
fauigerzigerk
So "very easy to steal" is when "sophisticated criminals" "somehow" manage to
circumvent multiple security features?

And the person claiming that it is "very easy" apparently doesn't even know
how it's done.

This is sensationalist rubbish.

~~~
breckenedge
Yes, it is.

------
Shivetya
I remember the good old days, where my key opened the doors of my friend's car
and his key could not open mine, yet it would start my car.

Where my Aunt drove her car to the mall, locked the doors, and when she came
out could get in as she had the keys to her husband's car.

Needless to say in both cases they were the same brand, within a year or so.
You did not even need to have the same major brand (Ford/Mercury were
interchangeable).

Kids these days have it easy, cannot wait for the smart phone app for stealing
a ride.

~~~
freehunter
My roommate and I both have Toyota trucks. Mine is much more than a decade
old, his is almost two decades old, and as a consequence there are parts that
are starting to wear down. Like the ignition switch.

There have been many times I've called him up (or vice versa) and said "can
you bring my truck to me?" Even though the keys are not compatible, that
doesn't matter anymore. His could probably be started with a popsicle stick.
Mine can be started with something slightly resembling a Toyota key. The only
reason they haven't been stolen is a combination of the fact that they're not
worth any money, they have nothing of value inside them, and they're manual
transmission (so chances are a US thief wouldn't be able to get away in it).

~~~
silasb
If you're a thief and you can't drive a manual car then something is wrong
with you.

~~~
freehunter
Thievery comes in many forms. The ones who steal cars that aren't worth
anything on the black market aren't really going to be the smartest or most
well-connected. Street punks really, and in the US manual transmissions are
incredibly uncommon. A hoodlum will only know how to drive stick if he/she has
had access to one and someone to teach them. While manuals are more common on
cheap cars and street thieves are more likely to drive cheap cars, they're
still quite rare.

Basically, if you're a smart thief and you can't drive stick, you have
something wrong with you. But then again, if you're smart and also a thief,
there's something wrong with you. If you're smart and also a thief and also
stealing a rusty, beat up, 5-speed, early-90's Japanese truck, you obviously
want it more than I do. I could just buy another one for <$1000.

------
lloeki
> It can then be used to program a new keyfob

Is he programming the keyfob? Or is he adding the key to the car's
_authorized_keys_ list?

~~~
__alexs
The keys are generally just passive RFID chips so it's more like an
authorized_keys file.

The problem here isn't that there's no physical key, those are usually
laughably easy to circumvent. I think the real trick here is the physical
attack they used to break into the vehicle and gain access to the OBD port
without setting the alarm off.

There's a number of cheap and obvious tricks BMW could have used to make the
RFID portion of this attack a lot harder. Including, making the OBD port more
difficult to actually get at without actually sitting in the car and not
letting the new key start the car for some reasonably long period of time.

~~~
CamperBob2
If the alarm system is ultrasonic, I can envision breaking into the car by
blasting several watts of power at the same frequency at the car. Loss of
receiver dynamic range due to gain compression or transducer saturation ==
loss of ability to detect changes in the phase of the transmitted signal
consistent with someone opening a door and climbing in.

What in the world was wrong with plain old car keys -- especially with an
added RFID security chip in the key handle or fob?

~~~
jrabone
You might be over-thinking this. It's possible to disable the factory alarm
motion sensor by double-pressing the lock button on the key fob. This is a
feature for people (like me) who take their car on ferries, and who don't
enjoy listening to a cacophony of car alarms while on the ferry (I appear to
be in the minority here, if recent trips were anything to go by).

Apparently a fair few owners don't know this feature exists (didn't read the
manual/didn't have a manual) and were in the habit of "checking it was
locked".

So, if you can't remember if you locked a BMW, UNLOCK it first, then LOCK it.
Locking twice disables the alarm.

~~~
rdl
Wow, that is horrible UI.

~~~
colinsidoti
Agreed. I'm going to guess when I hit the lock button a second time, and all
the lights in the car went on, that was supposed to indicate the alarm was now
off? As opposed to indicating the car was indeed locked?

------
projectedoptics
If the alarm is armed shouldn't it be triggered if something connects to the
OBD port? Not actually prevent the port functioning just trigger the alarm.

~~~
stevejalim
This makes such good sense. I wonder if BMW could even enable it with a
software patch?

------
cs702
Alas, BMW buyers often cannot opt out of keyless entry, because for some
models BMW includes it in popular bundled packages, such that it's impossible
for the consumer to avoid buying it without losing other worthwhile features.

This _consumer-unfriendly bundling_ results in BMW buyers often facing what
can only be described as ridiculous choices ("which one do I want: a rear-view
camera that reduces the risk of accident, OR non-keyless entry that reduces
the risk of theft?").

~~~
illamint
It's not keyless entry, it's the electronic keys used for push-to-start (which
is also an unavoidable option, but it's one I like).

~~~
cs702
illamint: the feature is sold as "comfort access keyless entry," and it allows
the driver to start the engine without inserting the electronic key. (Without
this feature, the default setup for BMWs is that the driver must insert the
electronic key before starting the engine -- a form of two-step authentication
that isn't susceptible to the attack described in the article.)

FWIW, I know about this firsthand because I bought a new BMW last year and I
was adamant about not having the "keyless entry" feature -- for security
reasons. The BMW salesperson acted like I was a bit crazy.

~~~
kenperkins
Having the comfort access feature, and having a car stolen many years ago,
there's no way I would trade one of my most enjoyed features for a lower risk
of car theft.

The reality is that if someone wants your car they're going to get it.

Why get rid of an awesome convenience feature for the risk of something that
is a) unlikely and b) won't cost you anything (absent a small deductible) if
it does happen?

------
codeka
Isn't the solution here that only BMW authorized devices should be able to
connect to the OBD? Or is that already the case? I guess it just takes one
unscrupulous dealer to upload their certificate.

~~~
rdl
OBD-II is legally required (in the US) to be open to consumers. The idea being
that you can get diagnostics about your vehicle without being extorted by the
dealer. (Originally for environmental data about emissions, but later
expanded.)

[http://lobby.la.psu.edu/_107th/093_OBD_Service_Info/frameset...](http://lobby.la.psu.edu/_107th/093_OBD_Service_Info/frameset_obd.html)

~~~
codeka
That makes sense, but I can see the argument that not _all_ features need to
be open to consumers.

~~~
__alexs
But I'd rather not have to pay $200 for a spare key thanks...

~~~
jrabone
Um, it's a GBP 40K car; I don't care.

~~~
__alexs
OBD-II is used on loads of vehicles. If the regulation didn't mandate that
this was an open protocol in 10 years every $500 beater is going to be a write
off as soon as you lose the keys.

~~~
jrabone
Well, if that means an end to keyless / smart fob systems, I'm all for it;
they are nothing but trouble in my opinion. Right now, I think the OBD port
should be read-only unless a registered key is present, and recoding the ECU
to accept a new key should require more than just physical access.

People don't expect to be able to recode their front door to accept a new
blank key - why should a car be different?

~~~
jvdongen
A skilled locksmith or someone with a serious interest in locks will have no
problem [1] to open your front door without any damage using a lock pick tool
[2]. If there's no need for said lock to survive, a selection of power tools
make it even easier.

[edit] Which is not to say that cars should be easy to pry open of course ...

[1] In most cases; high-end specialized locks can be an exception.

[2] See <http://www.lockpicks.com/> for examples.

~~~
jrabone
That's not the point; I don't expect to be able to walk up to your front door
with a random Yale key, jam it in and out a few times and have your lock
reconfigured to accept my key instead of yours. That's what's happening here -
it's not as sophisticated as a lock pick attack, nor as brute force as
smashing the dashboard and shorting the appropriate wires.

It's a blind spot in the system that shouldn't exist if the car was locked.
The OBD port simply shouldn't be physically connected if the doors are locked.
A relay on the CAN bus pins triggered from the central locking might be a start.

~~~
__alexs
There's no evidence the OBD port was actually used in this attack. The
programmer could have been directly connected to an easily accessible CAN
connected component such as the wing mirrors.

~~~
jrabone
There has been evidence in the UK that this is how the thieves are doing it
(people finding their cars with the driver's window smashed and the OBD cover
lying on the floor). See
<http://www.e90post.com/forums/showthread.php?t=670339> - at least one of the
guys posted there is police.

~~~
vecinu
Which gentleman is a police officer?

------
kogir
Why don't they just build in a delay before the new key starts working? Even a
few hours would be enough to prevent most thefts without being too
inconvenient on the rare occasion you lose a key.

This is just poor design, even given the EU laws and requirements.

~~~
Hovertruck
I'm not sure that would help. It just means the thieves need to steal the car
in two steps instead of one.

~~~
jQueryIsAwesome
It should also activate a big red sign in the controls that means: "The new
key will be usable in 3 hours"; so if you actually didn't change the keys,
something is wrong.

~~~
benjohnson
I know the GM Passlock II system works this way - not only do you have to
wait, but you have to put the car in 'run' a few times during specific times
during the waiting process.

------
atakan_gurkan
If this is because of OBD regulations, perhaps it can be changed somewhat.
Give the owner a small electronic device that will be necessary to generate a
new key for the car they purchased. That device can be kept separate from the
car but when the key is actually lost, the owner can bring it to the mechanic
and generate a new one. The thieves would need to steal the device before
stealing the car, which would make their job harder (and admittedly perhaps
put the owner at greater danger).

~~~
Too
And what if the owner loses that "small electronic device", or forgets to
forward it to the new owner?

The whole point of this feature is that you should be able to get the car
running if you lose EVERYTHING apart from the car itself. The only way to
stop it is to give the manufacturer (or other trusted third party) exclusive
right to issue keys but apparently the regulations say no to that.

~~~
jasomill
Nonsense. Why not simply design it so that it's difficult and dangerous to
access the "reset button" unless you're a trained mechanic with a Rotary lift?
Then it's more difficult to steal than an ordinary car, and you are done.

In light of history, the answer is probably a combination of laziness,
inertia, and an attempt to steer customers to authorized BMW service centers.
Or perhaps the threat model includes theft by tow truck? (not kidding; perhaps
this is common in some places, at least for high-end vehicles?)

~~~
Too
Of course you can always make it safer physically, I'm talking about the
cryptographic safety.

About towing, look at the video in the article posted. One guy breaks in and
releases the parking brake while the other 3 push the car. Doesn't show where
they push it to though.

------
RomP
How about the following schema for adding a new key to the list of Authorized
Keys when NO AUTHORIZED KEY IS PRESENT:

* the procedure requires a module produced and sold by the manufacturer (*) to any garage that can verify its identity and satisfy the manufacturer's specified security requirements (e.g. owning a safe and having no history with local police);

* each such module is unique. It contains unique public/private keys and its
public key is signed by the manufacturer;

* the procedure of adding the key to the list of Authorized Keys requires the car (actually, its ECU) to only accept incoming requests signed by such modules whose public keys are signed by the manufacturer. When the key is added, the ECU stores:

  * the key info;

  * the module's unique ID (IMPORTANT);

  * timestamp + lat/long;

* if there are no old authorized keys present (very rare scenario, since most of the time the owners want to replace just one lost/stolen key, but not both), the ECU requires a 15 minute grace period with the module attached at all times, during which the car is flashing its hazard lights and honks. It makes a small nuisance in the garage once in a while, but attracts enough attention in the middle of the night if somebody is stealing it.

Now, if the car is stolen and then recovered, the police would dump the list
of authorization requests and identify the module used. If this module was
stolen or copied, the garage who owned the module becomes responsible for the
damage to the car's owner. The ID of the module is placed on the revocation
list. The revocation list is broadcast via Sirius/XM/FM/BMW
Assist/OnStar/Intelsat/etc.

This allows independent garages working on the cars, but places enough
responsibility on them for keeping the system secure, with the override
mechanism in form of revocation lists.

This method would NOT prevent all types of thefts (thugs can put the car on
the flatbed and do the swap in the middle of the desert, or they can swap the
ECU unit completely, or do some manipulations with the stolen "good" key), but
it makes it significantly more difficult to authorize a new key and drive
away.

(*) in case the manufacturer ceases to exist, some other company (another car
manufacturer, perhaps) inherits the master key and will be responsible for
authorizing garages to do key management.
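The scheme sketched in this comment (manufacturer-certified modules, ECU-side signature checks, a per-key audit record, a revocation list, and a grace period when no authorized key is present, which is also the "delay before the new key works" and "big red sign" idea from the kogir/jQueryIsAwesome subthread above) can be modelled end to end. The following is an added example, not code from the original thread, from BMW, or from any real key-programming tool; it assumes Ed25519 signatures from Go's standard library, constructed module IDs such as "GARAGE-0001", and models "module attached at all times" as the module re-presenting the same signed request until the grace period has elapsed (a real ECU would also need a liveness check to notice the module being unplugged, which is not modelled here).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Module is the garage-side key-programming device: a unique ID, its own key
// pair, and a manufacturer signature over (ID || public key) that the ECU checks.
type Module struct {
	ID   string
	Pub  ed25519.PublicKey
	Cert []byte // manufacturer signature over certBody(ID, Pub)
	priv ed25519.PrivateKey
}

// certBody is the byte string the manufacturer signs for each module.
func certBody(id string, pub ed25519.PublicKey) []byte {
	return append([]byte(id+"|"), pub...)
}

// IssueModule is the manufacturer step: mint a module and certify its public key.
func IssueModule(id string, mfrPriv ed25519.PrivateKey) (*Module, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Module{ID: id, Pub: pub, Cert: ed25519.Sign(mfrPriv, certBody(id, pub)), priv: priv}, nil
}

// AddKeyRequest is what a module presents to the ECU over the diagnostic port.
type AddKeyRequest struct {
	KeyID      string // identifier of the new key (fob) being authorized
	ModuleID   string
	ModulePub  ed25519.PublicKey
	ModuleCert []byte
	Timestamp  time.Time
	Lat, Lon   float64
	Sig        []byte // module signature over requestBody
}

func requestBody(r *AddKeyRequest) []byte {
	return []byte(fmt.Sprintf("%s|%s|%d|%.6f|%.6f", r.KeyID, r.ModuleID, r.Timestamp.Unix(), r.Lat, r.Lon))
}

// NewRequest builds and signs an add-key request with the module's private key.
func (m *Module) NewRequest(keyID string, ts time.Time, lat, lon float64) *AddKeyRequest {
	r := &AddKeyRequest{KeyID: keyID, ModuleID: m.ID, ModulePub: m.Pub, ModuleCert: m.Cert, Timestamp: ts, Lat: lat, Lon: lon}
	r.Sig = ed25519.Sign(m.priv, requestBody(r))
	return r
}

// AuditEntry is what the ECU keeps per accepted key, so a recovered car
// identifies which module programmed it, when and where.
type AuditEntry struct {
	KeyID, ModuleID string
	Timestamp       time.Time
	Lat, Lon        float64
}

type Status int

const (
	Rejected Status = iota
	Accepted
	Pending // grace period running: hazard lights flashing, horn sounding
)

func (s Status) String() string { return [...]string{"Rejected", "Accepted", "Pending"}[s] }

var (
	ErrBadCert = errors.New("module certificate not signed by manufacturer")
	ErrRevoked = errors.New("module ID is on the revocation list")
	ErrBadSig  = errors.New("request signature does not verify")
)

// ECU holds only the manufacturer's public key, never the private one.
type ECU struct {
	mfrPub     ed25519.PublicKey
	Grace      time.Duration
	Authorized map[string]bool
	Revoked    map[string]bool // revocation list, received over broadcast
	Audit      []AuditEntry
	pendingMod string // module that must keep presenting during the grace period
	pendingAt  time.Time
}

func NewECU(mfrPub ed25519.PublicKey, grace time.Duration) *ECU {
	return &ECU{mfrPub: mfrPub, Grace: grace, Authorized: map[string]bool{}, Revoked: map[string]bool{}}
}

func (e *ECU) Revoke(moduleID string) { e.Revoked[moduleID] = true }

// AddKey validates a request and either authorizes the key, starts or continues
// the grace period, or rejects it. A different module restarts the clock.
func (e *ECU) AddKey(r *AddKeyRequest, now time.Time, authorizedKeyPresent bool) (Status, error) {
	if !ed25519.Verify(e.mfrPub, certBody(r.ModuleID, r.ModulePub), r.ModuleCert) {
		return Rejected, ErrBadCert
	}
	if e.Revoked[r.ModuleID] {
		return Rejected, ErrRevoked
	}
	if !ed25519.Verify(r.ModulePub, requestBody(r), r.Sig) {
		return Rejected, ErrBadSig
	}
	if !authorizedKeyPresent {
		if e.pendingMod != r.ModuleID {
			e.pendingMod, e.pendingAt = r.ModuleID, now
			return Pending, nil
		}
		if now.Sub(e.pendingAt) < e.Grace {
			return Pending, nil
		}
		e.pendingMod = ""
	}
	e.Authorized[r.KeyID] = true
	e.Audit = append(e.Audit, AuditEntry{KeyID: r.KeyID, ModuleID: r.ModuleID, Timestamp: r.Timestamp, Lat: r.Lat, Lon: r.Lon})
	return Accepted, nil
}

func main() {
	mfrPub, mfrPriv, _ := ed25519.GenerateKey(rand.Reader)
	mod, _ := IssueModule("GARAGE-0001", mfrPriv) // constructed module ID
	ecu := NewECU(mfrPub, 15*time.Minute)
	t0 := time.Date(2012, 7, 7, 2, 0, 0, 0, time.UTC) // constructed: a 2 a.m. attempt, no key present
	st, err := ecu.AddKey(mod.NewRequest("KEY-3", t0, 51.5, -0.1), t0, false)
	fmt.Println(st, err) // grace period starts: lights and horn
	st, err = ecu.AddKey(mod.NewRequest("KEY-3", t0, 51.5, -0.1), t0.Add(15*time.Minute), false)
	fmt.Println(st, err, ecu.Audit) // accepted after 15 minutes, audit shows the module
}
```

The security-relevant division of labour is that the ECU never needs the manufacturer's private key, only its public key and a revocation list, so a stolen car cannot be used to mint new modules; the audit entry is the forensic hook the comment relies on for assigning liability to a garage whose module was stolen or copied.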

~~~
delinka
> the procedure requires a module produced and sold by the manufacturer

So now the manufacturer has yet another method of extorting would-be
mechanics. You'd have to regulate pricing or aggressively prosecute attempts
at anticompetitive tactics.

> in case the manufacturer ceases to exist...

And who goes to jail when the company folds and, in the fire sale, the master
key is on a system that gets wiped when being transferred to the new owner?
Key escrow sounds like a better idea to me. Perhaps legislation should specify
the creation of a public agency, or maybe we could leave it to private
competition.

As for the remainder of your points, I believe you're thinking in the right
direction.

------
brc
I don't understand this. I have an older BMW which developed starting problems
with the immobiliser computer. It doesn't have keyless entry but it is based
on rfid.

I did extensive research on the system and there were three parts - the key,
the immobiliser and the engine management computer. The key physically turned
the ignition, but the security was in a rfid chip inside the key, which was
physically matched to the immobiliser via an antenna ring that circles the
lock. The immobiliser was physically matched to the computer via a VIN-based
code. If you lost the key, you had to order a new one from Germany after
producing the VIN and proof of ownership to a licensed dealer. The keys cost
about $500 from memory - don't lose the key. There is an upper limit of 10
keys to be produced per vehicle, with two of those supplied upon purchase.

In order to replace the immobiliser computer, again both the VIN and proof of
ownership had to be supplied to the licensed dealer, who then ordered a new
one from the factory in Germany. You cannot swap any of the parts between cars
- you can't reprogram keys, reprogram the immobiliser or reprogram the
computer.

If you do put a new computer or immobiliser in, it had to be taken into a BMW
dealership to re-sync and get all the devices to handshake each other and
agree that they were all legitimate. Otherwise - no start.

I know all this because I tried to hotwire the car myself to get it working
until the new computer arrived (3 week order period). While I could manually
activate the fuel supply and manually activate the starter, the computer
refused to tell the spark plugs to ignite and refused to tell the injectors to
inject.

What I'm curious about is how have they gone backwards from this seemingly
impregnable system to one where you can get the car to reprogram a key? Surely
it can't all be the fault of the OBD port - I doubt there is anything in the
legislation calling for the ability to reprogram keys via the vehicle itself?
Or is it just the fact that someone has come up with software that replicates
what the factory does?

Somehow it all seems a retrograde step. Given that the older systems worked
with rfid, whether or not you put the key in seems a moot point.

------
growt
You wouldn't download a car.

~~~
stcredzero
How about a tractor?

<http://opensourceecology.org/wiki/LifeTrac>

------
DugFin
"A device like the one seen above can be attached to the On-Board Diagnostic
(ODB) port"

On Doard Biagnostic?

Someone needs a proofreader

------
jbarham
Funnily enough I just watched _The Amazing Spider-Man_ and the car thief scene
featured a stolen BMW: <http://www.youtube.com/watch?v=3aPU8q-bni4>

(Also, apparently Spidey's preferred search engine is Bing, but I assume
that's a paid product placement.)

------
tibbon
Cars aren't secure. Most things aren't. The main thing that stops a theft is
putting it in a place that's harder to get to (again, nothing is secure) just
so that no one sees it, or has the opportunity to steal it.

I'm at a coffee shop right now, and my BMW motorcycle is parked right outside
the window. Me keeping an eye on it is better security than any electronics
lock system (as I know I could hotwire this bike in 30 seconds, and surely a
criminal could too).

~~~
mikeryan
Heck my car got stolen once with a screwdriver. I'm sure it took all of 30
seconds.

------
delinka
When do I get encrypted Bluetooth access to my car? I'd bet if we did that,
we'd get more tech security hackers involved in making things more secure.

But I guess it all boils down to a single issue: remove the physical token and
it's got the same problems as attempting to secure access to your online bank
account.

------
philjackson
"Very easy" sounds like a push. Getting into it, especially without the sensors
'spotting' you, is surely pretty tough?

------
drivebyacct2
Right now it is not possible (that I'm aware of) to do asynchronous PKI-like
encryption without the contact-type SmartCards. Meaning that all of the
contactless RFID/(passive) NFC systems are vulnerable to attack and cloning.

In 3 years, do this, but with a smartphone and an active NFC app that can
perform async encryption challenges. Without stealing the phone and the PIN,
you can't steal the car.

------
gcb
Flag this. Every car since the 80s has an OBD port. Having access to it allows
you to unlock/disarm the alarm/start the car.

The headline is obvious link bait suggesting the radio protocol is easily
hackable remotely. Which is not the case.

