Shady Bimmer
Premium
join:2001-12-03
Northport, NY
Reviews:
·Verizon FiOS

1 recommendation

reply to Link Logger

Re: Hackers steal BMWs in 3 minutes using security loophole

Is it me, or in the video do they simply push the car away by hand, rather than starting it and driving off? If they really did program a new key why wouldn't they just start the car and drive away?

I think this has more to do with the fact that a physical key is no longer used to provide a mechanical lock, which is only common on higher-end vehicles at the moment. The article does note this is an industry-wide problem that is only apparently focused on BMW for now.


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

said by Shady Bimmer:

Is it me, or in the video do they simply push the car away by hand, rather than starting it and driving off? If they really did program a new key why wouldn't they just start the car and drive away?

It has been assumed that they didn't want to alert the owner by making a "hey, that's my car starting" noise.

Shady Bimmer
Premium
join:2001-12-03
Northport, NY
Reviews:
·Verizon FiOS

1 recommendation

said by dave:

It has been assumed that they didn't want to alert the owner by making a "hey, that's my car starting" noise.

I thought of that, but (a) the car is outside at night with nobody around, in apparently a public lot. Cars starting now are very quiet, and idle very quietly (this isn't a 'Vette or a Viper). (b) Why wouldn't they push the car away from the cameras first if that were the case, knowing (obviously) full well that they were being watched?

Wouldn't the glass breakage make a bit of noise that would get attention?

It does appear that 1-series, just like their bigger brothers, also have an interior motion sensor (not just glass breakage sensor). That would have had to have been disabled by the owner or the alarm would have gone off as soon as the thief stuck his/her hand in the car.

I wouldn't dispute there is an issue, but it seems to me the video may be at least partly a fabrication to illustrate the (valid) point.

On the topic of the concern: given the regulations in both the US and in Europe requiring open access to the OBD II ports, which must also be a standard connector readily available, how do you implement security? Even if you were to implement a PIN that were only known by the owner, there would need to be a failsafe in the event that PIN suddenly became unavailable (i.e. forgetful owner). With that, you've most likely opened another opportunity for exploit by a thief (again, keeping in mind the laws in various countries around the globe).

To me physical security remains critical. To not have a physical lock in addition to the electronic lock is a big mistake, in my opinion. And to be honest, given time any car can be stolen. If you can defeat the alarm and push a car away (as in the video), with a little creativity you can buy yourself lots of time.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

I don't really have an opinion - just repeating what I read somewhere. But I did read that video as being 'outside an apartment block' or something similar.

how do you implement security?

For this particular vulnerability: at the least, you could have a configurable option that determined whether or not the ID was present on the OBD II interface.

(Reconfiguration would require the presence of a key).

Shady Bimmer
Premium
join:2001-12-03
Northport, NY
Reviews:
·Verizon FiOS

said by dave:

For this particular vulnerability: at the least, you could have a configurable option that determined whether or not the ID was present on the OBD II interface.

(Reconfiguration would require the presence of a key).

So, would the insertion of a valid key be required before validating another key, enforced by the OBD II? If so, you would still need a failsafe in the event said key itself had been lost. Yes, there are those that choose not to replace lost/stolen keys given their immense cost. Lose the second key here and what would you do?

Electronic identification of keys was added as a protection against limitations of physical security. It was not meant to replace it.

There are many options, all of which themselves either have flaws that make them irrelevant themselves, or run against government regulations.

The requirement to make an industry-standard, public/open interface available to everyone without restriction presents the greatest challenge to security here. Without physical security layered on, unless a manufacturer is willing to leave themselves open to the possibility that they will provide drivers with very expensive, permanently immobile bricks, there will be a risk of "easy" theft.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

Good point... although the config option could simply come with a warning that you're totally screwed if you lose all your keys. So, the owner's choices would be (1) leave it alone, or (2) make sure there is always an offsite backup key somewhere.

But I imagine that BMW themselves know the VIN to keycode mapping. At what point is the keycode baked in, and how hard? By definition, if I choose this config option, I am locking out the 'independent garage'.

Does BMW have any vacancies for amateur security programmers?


BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:3

It does seem like they were backed into a corner, and advertising this exploit in the regulation would have only made the problem worse. Yet hiding it, and claiming ignorance is just as bad.

It would seem a multi-layer method would mostly work, and definitely not allow the car to be stolen in a few minutes. A new set of keys comes with a ROM controller; you can't just replace it, as the car's main controller needs to register it with a series of codes to register the device, which even registers via the satellite uplink, and when this car is stolen the kit can be tracked to the shop/person who sold it. The kits could only be bought by licensed dealers, and all must be accounted for. Any stolen kits can be reported so they can be blacklisted in the database. This assumes that there is no other exploit to bypass this, and that employees are not part of an inside job. Nothing is perfect. Remotes already tend to have revolving codes, so the next time they communicate they send a different code so a scanner just can't send the previous code, but even that code generation could be cracked.
--
I distrust those people who know so well what god wants them to do because I notice it always coincides with their own desires- Susan B. Anthony
Yesterday we obeyed kings, and bent our necks before emperors. But today we kneel only to the truth- Kahlil G.


Shady Bimmer
Premium
join:2001-12-03
Northport, NY
Reviews:
·Verizon FiOS
reply to dave

said by dave:

But I imagine that BMW themselves know the VIN to keycode mapping. At what point is the keycode baked in, and how hard? By definition, if I choose this config option, I am locking out the 'independent garage'.

Without going into too much detail, every key has a unique electronic ID along with technology to thwart snooping/copying/replicating, which could potentially include but would not be limited to rolling codes. It wouldn't matter if anyone knew an existing individual key ID alone, as this would not be valid. This is where adding an electronic ID to a physical key provides its benefit: uniquely identifying every key with the ability to authenticate only a specific authorized set of keys. That authentication is two-factor, combining a physical characteristic ("something you have") with an electronic characteristic ("something you know"). Take away either, as is the case with pure electronic key fobs or with pure physical keys, and you have what could now be considered a vulnerability or weakness.

Does BMW have any vacancies for amateur security programmers?

This is by far not limited to BMW, which was noted in the OP's quoted article. Any vehicle that uses an electronic key fob solely as its security is at risk, and this audience grows with every model year.
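As an added illustration (not code from the thread, from BMW, or from any real immobilizer), here is a toy model of two ideas raised above: dave's configurable option that key enrollment over the OBD II port is refused unless an already-authorized key has been presented, and the rolling-code check BlitzenZeus describes that rejects a replayed fob code. The window size, key names and counters are constructed assumptions.

```python
# Toy immobilizer model (constructed example, not a real vehicle ECU).
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ROLLING_WINDOW = 16  # assumed: how far ahead of the last seen counter a fob may be


@dataclass
class Immobilizer:
    authorized: Dict[str, int] = field(default_factory=dict)  # key_id -> last accepted counter
    obd_enrollment_locked: bool = True   # the configurable option proposed in the thread
    present_key: Optional[str] = None    # key authenticated during this session

    def authenticate(self, key_id: str, counter: int) -> bool:
        """Rolling-code check: an authorized key must present a counter that moves
        forward within the window. A replayed (old) counter is rejected."""
        last = self.authorized.get(key_id)
        if last is None or not (last < counter <= last + ROLLING_WINDOW):
            return False
        self.authorized[key_id] = counter
        self.present_key = key_id
        return True

    def enroll_via_obd(self, new_key_id: str) -> bool:
        """Enrollment request arriving on the diagnostics port. With the lock
        enabled, refuse unless an authorized key was authenticated first."""
        if self.obd_enrollment_locked and self.present_key is None:
            return False
        self.authorized[new_key_id] = 0  # new fob starts at counter 0
        return True


def demo() -> Tuple[bool, bool, bool, bool]:
    """Returns (open enrollment accepted, locked enrollment refused-or-not,
    replay accepted-or-not, legitimate key-present enrollment accepted)."""
    weak = Immobilizer(authorized={"KEY-A": 5}, obd_enrollment_locked=False)
    open_enroll = weak.enroll_via_obd("UNKNOWN-KEY")      # succeeds: port is open
    hard = Immobilizer(authorized={"KEY-A": 5}, obd_enrollment_locked=True)
    locked_enroll = hard.enroll_via_obd("UNKNOWN-KEY")    # refused: no key present
    replay = hard.authenticate("KEY-A", 5)                # old counter: rejected
    legit = hard.authenticate("KEY-A", 6) and hard.enroll_via_obd("KEY-B")
    return open_enroll, locked_enroll, replay, legit
```

The model also shows the trade-off discussed above: with the lock enabled, an owner who has lost every key has no path back into `enroll_via_obd`, which is exactly the failsafe problem Shady Bimmer raises.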

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

said by Shady Bimmer:

This is by far not limited to BMW,

Maybe not, but that's the only one of concern to me!