
Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

Hackers steal BMWs in 3 minutes using security loophole

quote:
There has been an unusual spike in the number of BMWs stolen in the UK this year, with some sources suggesting the number may be 300 cars or higher. The cars are being stolen without activating car alarms or immobilizers.

The suspected method involves the use of devices that plug into the car's OBD port and can program blank key fobs, leaving owners with keys to missing cars.

The essential theft process varies in detail, but all reports seem to have a fundamental methodology in common. First, the car is entered, either via nearby RF jammers that block the fob lock signal from reaching the car (preventing owners from securing their vehicles) or, more crudely, by breaking a window, as seen in the video in this post of the 1 Series being stolen. In cases of the window break, the thieves seem to be exploiting a gap in the car's internal ultrasonic sensor system to avoid tripping the alarm.

Once some sort of access to the vehicle is gained, the thieves connect a device to the car's OBD-II connector which gives them access to the car's unique key fob digital ID, allowing them to program a blank key fob to work with the car right then and there.
»www.technolog.msnbc.msn.com/tech ··· e-868400

»www.youtube.com/watch?v=DshK4ZXP ··· K4ZXPU9o


Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
FWIW, also being discussed in the Automobile Social forum. By which I don't mean to imply it should not also be discussed here.


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

1 recommendation

I think posting it here is appropriate given it's a technical hack.

I guess I'm not the only one with an OBDII harness and other toys.

Damn it, all my businesses are getting competitors; first it was my drone rental business (»Drones vulnerable to terrorist hijacking, researchers say), now it's my car rental business.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool

BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:4

1 recommendation

reply to Link Logger
This sounds like a "working as intended" exploit to me, and reminds me of the way it's possible to unlock the doors, even start the cars via the internet with these new satellite connected cars.


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

1 recommendation

said by BlitzenZeus:

This sounds like a "working as intended" exploit to me.

A lot of exploits can be classed as "working as intended"; it's a common design problem of limited thinkers.

Blake
--
Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
reply to Link Logger
quote:
Damn it, all my businesses are getting competitors;
Steal a better mousetrap, and the world will beat a path to your door.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:3

2 recommendations

reply to BlitzenZeus
Use the Force



--
Don't feed trolls--it only makes them grow!


Duncan Hurst

@switchvpn.com
Smart meters will do the same thing for your home, a hacker's delight, and also a delight for the feds to intrude on your privacy. All of this technology is a trojan horse that makes your privacy evaporate, and gives the control freaks and power monger sickos more manipulative ability.

This will end badly, mark my words.


ropeguru
Premium
join:2001-01-25
Mechanicsville, VA
said by Duncan Hurst :

Smart meters will do the same thing for your home, a hacker's delight, and also a delight for the feds to intrude on your privacy. All of this technology is a trojan horse that makes your privacy evaporate, and gives the control freaks and power monger sickos more manipulative ability.

This will end badly, mark my words.

So a hacker getting into a smart meter can get what? My electricity usage history? MY GOD! THEY CAN GET MY USAGE HISTORY! Running now to put tin foil around my meter!!!

Give me a break!

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
I think he's saying they'll be able to manufacture a new house key from the data in the smart meter.


ropeguru
Premium
join:2001-01-25
Mechanicsville, VA
said by dave:

I think he's saying they'll be able to manufacture a new house key from the data in the smart meter.

Ahhhh... Time to purchase those rotating security code locks for all the doors..


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:3
reply to Link Logger
Sorta ironic that a high-end (expensive) vehicle can be hacked so easily. My low-end one has a hard to duplicate key with an embedded RFID (I think) so it's pretty hard to steal. I've always wondered about vehicles with a keypad on the door.
--
Don't feed trolls--it only makes them grow!

Shady Bimmer
Premium
join:2001-12-03
Northport, NY
kudos:1
Reviews:
·Verizon FiOS
said by StuartMW:

Sorta ironic that a high-end (expensive) vehicle can be hacked so easily. My low-end one has a hard to duplicate key with an embedded RFID (I think) so it's pretty hard to steal. I've always wondered about vehicles with a keypad on the door.

Actually it has nothing to do with a keypad (BMWs don't use these) and does have to do with the electronic identification of the physical key. Every vehicle that uses such technology (including your "low-end" one) needs a way for the on-board ignition computer to validate the key being used. Similarly, a mechanism must exist to remove/add authorized keys (AKA pairing the keys) to that known list stored in the on-board computer. That appears to be what is exploited here.

I would not be surprised if we learn that many other vehicles are similarly "at risk". In slightly older vehicles a physical key was still required to be inserted and used to turn the ignition, but more and more we are now seeing vehicles that depend entirely upon the electronic identification of the key only: When the key is close enough to be read (IE: inserted in a small pocket/slot in the dash) the driver simply presses a start button.

At one time, BMW (and many others) used an internal motion sensor in addition to the ultrasonic detector. It would not be possible to enter the car at all without setting it off; however, it was possible to disable that when arming the alarm for certain circumstances (I set one off by walking close to an open window one time). If these are still used I'd question how easy this would be without being detected (IE: perhaps this was disabled in the video for increased effect).


sivran
Vive Vivaldi
Premium
join:2003-09-15
Irving, TX
kudos:1
reply to Link Logger
Someone designed a feature and forgot the security?

What, they got the IE6 guys working at BMW now?

Shady Bimmer
Premium
join:2001-12-03
Northport, NY
kudos:1
Reviews:
·Verizon FiOS

1 recommendation

reply to Link Logger
Is it me, or in the video do they simply push the car away by hand, rather than starting it and driving off? If they really did program a new key why wouldn't they just start the car and drive away?

I think this has more to do with the fact that a physical key is no longer used to provide a mechanical lock, which is only common on higher-end vehicles at the moment. The article does note this is an industry-wide problem that is only apparently focused on BMW for now.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
said by Shady Bimmer:

Is it me, or in the video do they simply push the car away by hand, rather than starting it and driving off? If they really did program a new key why wouldn't they just start the car and drive away?

It has been assumed that they didn't want to alert the owner by making a "hey, that's my car starting" noise.

Shady Bimmer
Premium
join:2001-12-03
Northport, NY
kudos:1
Reviews:
·Verizon FiOS

1 recommendation

said by dave:

It has been assumed that they didn't want to alert the owner by making a "hey, that's my car starting" noise.

I thought of that, but (a) the car is outside at night with nobody around, in what is apparently a public lot; cars starting now are very quiet, and idle very quietly (this isn't a 'Vette or a Viper). (b) Why wouldn't they push the car away from the cameras first if that were the case, knowing (obviously) full well that they were being watched?

Wouldn't the glass breakage make a bit of noise that would get attention?

It does appear that the 1-series, just like its bigger brothers, also has an interior motion sensor (not just a glass breakage sensor). That would have had to have been disabled by the owner, or the alarm would have gone off as soon as the thief stuck his/her hand in the car.

I wouldn't dispute there is an issue, but it seems to me the video may be at least partly a fabrication to illustrate the (valid) point.

On the topic of the concern - given the regulations in both the US and in Europe requiring open access to the OBD II ports, which must also be a standard connector readily available, how do you implement security? Even if you were to implement a PIN that were only known by the owner there would need to be a failsafe in the event that PIN suddenly became unavailable (IE: forgetful owner). With that, you've most likely opened another opportunity for exploit by a thief (again - keeping in mind the laws in various countries around the globe).

To me physical security remains critical. To not have a physical lock in addition to the electronic lock is a big mistake, in my opinion. And to be honest, given time any car can be stolen. If you can defeat the alarm and push a car away (as in the video), with a little creativity you can buy yourself lots of time.

Hotch

join:2012-06-12
reply to Link Logger
Given the advancing technology of the electronics of cars and their operations, as well as anti-theft devices, you might be surprised how effective a simple out-of-sight, disguised kill switch is as a backup anti-theft measure.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
reply to Shady Bimmer
I don't really have an opinion - just repeating what I read somewhere. But I did read that video as being 'outside an apartment block' or something similar.

how do you implement security?

For this particular vulnerability: at the least, you could have a configurable option that determined whether or not the id was present on the OBD II interface.

(Reconfiguration would require the presence of a key).

Shady Bimmer
Premium
join:2001-12-03
Northport, NY
kudos:1
Reviews:
·Verizon FiOS
said by dave:

For this particular vulnerability: at the least, you could have a configurable option that determined whether or not the id was present on the OBD II interface.

(Reconfiguration would require the presence of a key).

So, would the insertion of a valid key be required before validating another key, enforced by the OBD II? If so, you would still need a failsafe in the event said key itself had been lost. Yes, there are those that choose not to replace lost/stolen keys given their immense cost. Lose the second key here and what would you do?

Electronic identification of keys was added as a protection against limitations of physical security. It was not meant to replace it.

There are many options, all of which either have flaws that make them irrelevant, or run against government regulations.

The requirement to make an industry-standard, public/open interface available to everyone without restriction presents the greatest challenge to security here. Without physical security layered on top, unless a manufacturer is willing to leave themselves open to the possibility that they will provide drivers with very expensive, permanently-immobile bricks, there will be a risk of "easy" theft.
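A toy model of the key-registration policy dave proposes (OBD pairing gated by an owner-configurable option, with reconfiguration requiring a present key) and of the lost-key failsafe Shady Bimmer raises. This is an added example, not code from the thread or from any manufacturer; the VIN, key IDs and secrets are constructed placeholders, and the challenge-response scheme is a stand-in for whatever real fobs do.

```python
import hashlib
import hmac
import secrets


class KeyFob:
    def __init__(self, key_id, secret):
        self.key_id, self.secret = key_id, secret

    def respond(self, challenge):
        # Challenge-response: the fob never emits a replayable static ID.
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()


class Immobilizer:
    def __init__(self, vin, factory_secret, first_key):
        self.vin, self._factory_secret = vin, factory_secret
        self._keys = {first_key.key_id: first_key.secret}
        self.obd_pairing_enabled = True  # the owner-configurable option

    def authenticate(self, fob):
        if fob is None or fob.key_id not in self._keys:
            return False
        nonce = secrets.token_bytes(16)
        expected = hmac.new(self._keys[fob.key_id], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, fob.respond(nonce))

    def pair_via_obd(self, new_fob, present_fob=None):
        # Refuses the thread's scenario: a blank fob programmed with no valid key present.
        if not self.obd_pairing_enabled:
            raise PermissionError("OBD pairing disabled by owner")
        if not self.authenticate(present_fob):
            raise PermissionError("an authorized key must be present to add a key")
        self._keys[new_fob.key_id] = new_fob.secret

    def set_obd_pairing(self, enabled, present_fob):
        # Reconfiguration itself requires an authorized key.
        if not self.authenticate(present_fob):
            raise PermissionError("reconfiguration requires an authorized key")
        self.obd_pairing_enabled = enabled

    def factory_recover(self, new_fob, dealer_token):
        # Failsafe for an owner who lost every key: a VIN-bound manufacturer
        # credential. This path is the extra attack surface the thread warns about.
        expected = hmac.new(self._factory_secret, self.vin.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, dealer_token):
            raise PermissionError("invalid recovery credential")
        self._keys = {new_fob.key_id: new_fob.secret}


def demo():
    # Constructed sample keys and VIN; nothing here comes from a real vehicle.
    owner, blank, spare = KeyFob("K1", b"s1"), KeyFob("BLANK", b"x"), KeyFob("K2", b"s2")
    car = Immobilizer("VIN-PLACEHOLDER", b"factory-secret", owner)
    out = {"owner_starts": car.authenticate(owner)}
    try:
        car.pair_via_obd(blank)  # unattended OBD programming, no key present
        out["blank_pairs_unattended"] = True
    except PermissionError:
        out["blank_pairs_unattended"] = False
    car.pair_via_obd(spare, present_fob=owner)  # legitimate add with owner's key
    out["spare_starts"] = car.authenticate(spare)
    car.set_obd_pairing(False, owner)
    try:
        car.pair_via_obd(KeyFob("K3", b"s3"), present_fob=owner)
        out["pairs_when_disabled"] = True
    except PermissionError:
        out["pairs_when_disabled"] = False
    return out
```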


Ward Reyes

@webnx.com
reply to ropeguru
said by ropeguru:

said by Duncan Hurst :

Smart meters will do the same thing for your home, a hacker's delight, and also a delight for the feds to intrude on your privacy. All of this technology is a trojan horse that makes your privacy evaporate, and gives the control freaks and power monger sickos more manipulative ability.

This will end badly, mark my words.

So a hacker getting into a smart meter can get what? My electricity usage history? MY GOD! THEY CAN GET MY USAGE HISTORY! Running now to put tin foil around my meter!!!

Give me a break!

Maybe you should stop and think for a moment. Smart meters can provide intense detail on a home, such as who is home, what they are doing, if they are sleeping or not, or if they are heading to work, etc. Then we can go further into how they can isolate voice discussions from the signal variances of the lines; this of course isn't new technology. I happen to know a few insiders at our power company who tell me their ability to extract data is quite stunning. This doesn't even address the potential for your device to be hacked, or what about the ability to potentially cause overloads? The CIA has already been bragging about how much they will 'enjoy' every home being hooked up. Each device in your home has a specific EMF signature that can be remotely identified when a smart meter is installed. In the old days pot growers could be spotted based on power usage; that's nothing compared with what they can do with the meters installed!

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
reply to Shady Bimmer
Good point... although the config option could simply come with a warning that you're totally screwed if you lose all your keys. So, the owner's choices would be (1) leave it alone, or (2) make sure there is always an offsite backup key somewhere.

But I imagine that BMW themselves know the VIN to keycode mapping. At what point is the keycode baked in, and how hard? By definition, if I choose this config option, I am locking out the 'independent garage'.

Does BMW have any vacancies for amateur security programmers?

BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:4
It does seem like they were backed into a corner, and advertising this exploit in the regulation would have only made the problem worse. Yet hiding it, and claiming ignorance is just as bad.

It would seem a multi-layer method would mostly work, and would definitely not allow the car to be stolen in a few minutes. A new set of keys comes with a ROM controller; you can't just replace it, as the car's main controller needs to register it with a series of codes, which are even registered via the satellite uplink, and when the car is stolen the kit can be tracked to the shop/person who sold it. The kits could only be bought by licensed dealers, and all must be accounted for. Any stolen kits can be reported so they can be blacklisted in the database. This assumes that there is no other exploit to bypass this, and that employees are not part of an inside job. Nothing is perfect. Remotes already tend to have revolving codes, so the next time they communicate they send a different code and a scanner just can't send the previous code, but even that code generation could be cracked.
--
I distrust those people who know so well what god wants them to do because I notice it always coincides with their own desires- Susan B. Anthony
Yesterday we obeyed kings, and bent our necks before emperors. But today we kneel only to the truth- Kahlil G.

Shady Bimmer
Premium
join:2001-12-03
Northport, NY
kudos:1
Reviews:
·Verizon FiOS
reply to dave
said by dave:

But I imagine that BMW themselves know the VIN to keycode mapping. At what point is the keycode baked in, and how hard? By definition, if I choose this config option, I am locking out the 'independent garage'.

Without going into too much detail, every key has a unique electronic ID along with technology to thwart snooping/copying/replicating, which could potentially include but would not be limited to rolling codes. It wouldn't matter if anyone knew an existing individual key ID alone as this would not be valid. This is where adding an electronic ID to a physical key provides its benefit: uniquely identifying every key with the ability to authenticate only a specific authorized set of keys. That authentication is two factor, combining physical characteristic ("something you have") with an electronic characteristic ("something you know"). Take away either, as is the case with pure electronic key fobs or with pure physical keys, and you have what could now be considered a vulnerability or weakness.

Does BMW have any vacancies for amateur security programmers?

This is by far not limited to BMW, which was noted in the OP's quoted article. Any vehicle that uses an electronic key fob solely as its security is at risk, and this audience grows with every model year.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
said by Shady Bimmer:

This is by far not limited to BMW,

Maybe not, but that's the only one of concern to me!


anon12345

@charter.com
reply to ropeguru
My electricity usage history? MY GOD! THEY CAN GET MY USAGE HISTORY!

Exactly. From that, someone can determine what time you go to work, go to bed, when you've gone on vacation, etc. to determine the best time to break in. You'd be surprised to know what can be determined from a log. Some of these systems allow for remote appliance control. How would you like getting pranked: coming home to a house w/ no AC and a temp of 100 degrees...

Stuff like this needs to be designed with security built-in from the start.


Russ Ewing

@webnx.com
said by anon12345 :

My electricity usage history? MY GOD! THEY CAN GET MY USAGE HISTORY!

Exactly. From that, someone can determine what time you go to work, go to bed, when you've gone on vacation, etc. to determine the best time to break in. You'd be surprised to know what can be determined from a log. Some of these systems allow for remote appliance control. How would you like getting pranked: coming home to a house w/ no AC and a temp of 100 degrees...

Stuff like this needs to be designed with security built-in from the start.

This can be deadly; what about coming home to a 100-110° home and a dead dog or cat from the heat? How about triggering an overload of smart appliances, or a surge on the meter itself? It's very likely all of this could be done. What about the govt. not liking an activist so much, deciding to surge his home, or tamper with things to mess with his mind? Very easy once everything gets hooked up.

My analog meter has a padlock on it; they've tried secretly switching it out multiple times. But if they eventually force me to do it, it's a simple matter of installing a Faraday cage over it, then removing it 'just before' they call to come out and see why it's not working. We can play that game for years and years if they want - watch me. Anyone can put one of these together quite simply, but enterprising folks are already selling them; »smartmetershield.com/order-shiel ··· -shield/


BronsCon

join:2003-10-24
Walnut Creek, CA
Reviews:
·Comcast Business..
·SONIC.NET
reply to Ward Reyes
said by Ward Reyes :

Then we can go further into how they can isolate voice discussions from the signal variances of the lines

That would require a direct tap into the line with the voice monitoring equipment. Smart meters do not do this, nor do they monitor the line with enough granularity to extract this data from their logs. 15 minute (or even 5 minute) snapshots will tell you how much electricity someone has used, but cannot tell you what that electricity was used for, who it was used by, whether it was used while someone was awake, asleep, home, at the store, out for a drive, at work, having sex, or eating dinner.


BronsCon

join:2003-10-24
Walnut Creek, CA
Reviews:
·Comcast Business..
·SONIC.NET

1 edit
reply to Russ Ewing
The remote appliance control aspect certainly does alarm me. Luckily, that is an optional "service" with most providers. There are two ways I've seen it set up: either two meters and two panels, with the "switchable" equipment being on one panel and the always-on stuff on another; or one meter and panel, with remote-controllable breakers paired to the meter for some appliances. The first option kills the entire "switchable" panel, while the second allows for more granular control.

I, personally, would never allow such a system to be installed in my home, but I do see the merits of it for some people, provided that they carefully weigh the consequences of losing power to the connected appliances unexpectedly. Until these systems can be proven secure (current systems are quite the opposite, for certain), they should not be made available, though.

I guess, though, that my perspective is a bit different than some, given that I live in an area that sees rolling blackouts during the summer, due to an overstressed grid. If a system like this can allow my critical appliances (stove, fridge, some lighting) to stay on, while cutting power to non-essentials like HVAC, most lighting, TV, video games, microwave, and water heater, I could certainly support it. I would want some level of control in the matter, however, and some assurance of security. For example, if the temperature of my water heater drops below a defined level for some amount of time, kick power back over to it. Likewise if the temperature in my home goes too high or too low, restore power to my heater or AC. Something like this would allow my power company to selectively shut off non-essential appliances when the grid was overloaded, rather than killing my stove in the middle of cooking dinner. I'm all for that.

As for the nonsense of "surging someone's home"... The meters can turn power on and off, they do not control the voltage or current flowing through them beyond that, they simply measure it. There are two 120v hot wires, of opposing phases, and a neutral wire, which run to the meter; the same wires which run to your analog meter now. The meter can't suddenly dial up the voltage. Period.

Unless you have your windows blacked out, no more information about your activities can be gleaned from reading your meter log than can currently be gleaned from simply watching your house. Even with blacked out windows, there is still a huge amount of information that can be found out through other methods, without tapping your power lines. If you've already gone so far as to black out your windows, you can bet you're under other forms of surveillance, anyway; if they want your electrical usage without you knowing they've got it, they have a smart meter on the transformer and each of your neighbors' homes. Subtract their usage from the transformer output and BAM, what's left?