DUDE, WHERE'S MY CAR? New leccy BMWs have flimsy password security – researcher

New BMW cars have security shortcomings that could allow thieves to pop open a victim's flash motor from a smartphone. Ken Munro, a partner at Pen Test Partners, uncovered security issues in the systems that pair the latest generation of beamers with owners' mobiles. By stringing together the flaws, a crook could open doors, …

COMMENTS

This topic is closed for new posts.

Anonymous Coward

This is a total non-issue.

If somebody wants to steal stuff from inside your car they won't waste time dicking about with apps and passwords. They'll just put a hammer through the front window, grab what they want and run.

21
1
Silver badge

@AC "in the last few minutes" (Whatever that means, ElReg).

Not a hammer. A sparkplug. Toss a sparkplug at any side window, and the window will do its job ... disappear into thousands of bits of glass that are unlikely to even scratch the perp reaching in.

Security & safety & automobiles ... Pick two. The trifecta doesn't exist.

7
1
Anonymous Coward

Re: @AC "in the last few minutes" (Whatever that means, ElReg).

Skill #124. Grand Theft Auto*

*The old fashioned sort

0
1
Anonymous Coward

Re: @AC "in the last few minutes" (Whatever that means, ElReg).

Not a sparkplug but a small bit of ceramic broken off a sparkplug. A sparkplug itself is just a throwable object.

Unless, knowing jake of course, you spent the last thirty years as a sparkplug technician while doing part time glass compound analysis, in which case I'll bow to your obvious superiority.

5
1

In the meantime, organised gangs have been trawling London and exploiting CANBUS security flaws and making off with hundreds of BMWs and Range Rovers without needing to bother with pesky things like keys.

The reported flaw is probably nothing, but it highlights that vehicle manufacturers are failing to get to grips with the fact that the in-car IT is vulnerable and can be exploited, and this is just a symptom of the issue.

2
1
Anonymous Coward

Re: @AC "in the last few minutes" (Whatever that means, ElReg).

I shattered one with my hand, once. I was riding a motorbike and about to overtake a car - uphill, so not really fast - when it suddenly decided to go back the way it came. I could see my head was going to the rear side window so I stuck my hand out to try to reduce the damage I was expecting my handsome mug to sustain. I was pleasantly surprised when the window shattered as per jake's description. It didn't even hurt. I ended up half in the motor looking up at the occupants. I forget what I called them though.

3
0
Anonymous Coward

BMWs have special glass which has a layer of plastic film between the layers of glass. This stops such a hammer attack working without some extra cutting tools.

0
1
Anonymous Coward

Anyone want to bet a tenner that in ten years plod will be able to apply the brakes in your car remotely?

1
1
Bronze badge

"BMWs have special glass which has a layer of plastic film"

Otherwise known as triplex, or laminated glass. Everybody, not just BMW, uses it for the windscreens. On the side windows it's very rare. And not a good idea either.

overlawyered.com/2005/05/laminated-glass-in-car-windows/

3
0

What, you mean the laminated glass that every car on the planet has had for decades?

Keep telling yourself that BMWs are somehow special. They're far from it.

1
0

Most people would think this yes but it isn't really the case. The car is worth more as parts than what is inside it so the ability to take the whole car is rather useful to a thief with a beavertail.

People also think thieves don't take time to set things up but they do. Motorcycles for example with alarms, the old trick was to tie a length of fishing line to it at night and tug from a distance setting the alarm off. Owner eventually thinks the alarm is playing up so turns the alarm off and bike is stolen. Might take a few nights of sitting around but to a thief a few nights for a few grand is time well spent.

Now think of that in relation to a car that can be crated up and out of the country or stripped down in 12 hours and any lapse in security or even merely mistrust of security could net someone a fair few grand for a few nights messing around.

2
0
Silver badge

Re: @AC "in the last few minutes" (Whatever that means, ElReg).

"Not a sparkplug but a small bit of ceramic broken off a sparkplug. A sparkplug itself is just a throwable object."

No. A sparkplug. Not a tiny bit of ceramic.

The place: Junkyard in East Palo Alto.

The time: Mid 1970s.

The car: 1970 Datsun 510 2-door.

The destination: Uncracked dashpad and factory "full gauge-pack" dash.

The problem: No keys to get into the car.

The owner of the yard casually picked up a discarded sparkplug and flung it at the passenger-side door glass. It shattered nicely. Seems that the mass and shape of a sparkplug ensures that it'll (almost) always hit with a point, and enough energy to break the window.

@other AC (would ElReg please bring back proper time-stamps?):

I've never stolen anything in my entire life. Doesn't mean I don't know how to get away with it, mind, but I have a rather well developed sense of ethics and ethos. Can't train animals (including children and commentards!) if you are trying to lie to them.

1
2
Anonymous Coward

Re: @AC "in the last few minutes" (Whatever that means, ElReg).

"ensures that it'll (almost) always"

Sure jake, scientific survey of 1 occasion, really qualifies an "(almost) always" analysis. Not the brightest spark(plug) are you?

0
1
Silver badge

Re: @AC "in the last few minutes" (Whatever that means, ElReg).

Throw a sparkplug at your driver's side door window, AC. I double-dog dare you. (Or, more likely, your father's car's driver side window). And then repeat the experiment on all the other side glass. Make careful notes as to how many times the sparkplug bounced without damaging the glass.

Come back & report. And admit that you are an idiot.

Honestly, the mind boggles.

0
3
Anonymous Coward

It's still fun to pop the trunk on the BMW beside you in traffic! I can also switch their headlights on or off. I haven't tried switching off the ignition - yet

0
0
MJI
Silver badge

Need they an app to stop wheels exploding

Then I would not have had my car written off.

2
0
Silver badge

Re: Need they an app to stop wheels exploding

Your fault, you're driving in the UK. BMW wheels and pot holes don't mix.

3
0
MJI
Silver badge

Re: Need they an app to stop wheels exploding

Not my fault, but it was bloody scary and I now have anxiety attacks if a BMW drives too close. The front wheel on the BMW literally exploded, then there was the head on in front of me, then I was the sad owner of a slightly bananad Omega.

0
0
Silver badge

I hear the hot spare parts market is booming - which would be a lead to stolen cars, even if they don't onsell the *car*, the parts more than make up for it. Heck, they're even doing smash and grabs for airbags on ordinary family cars...

Still, the BMW thing isn't nearly as bad as some security gaffes some other manufacturers have done.

1
0
Bronze badge
FAIL

"Isn't nearly as bad as some security gaffes some other manufacturers have done"

Well yes. They don't seem to be good on secure by design. On a number of car makes the electronic door key can be replicated or copied by a device which the police tell me can be bought easily on the interwebs. Which is why my Honda has had its doors opened several times and stuff nicked from the glove compartment. Until I realised it wasn't just me forgetting to lock it, so now I don't leave anything in there. Which is a pain when I suddenly discover that I could really do with using the Satnav that I have left safely at home so that it doesn't go the same way as the previous ones.

2
1
Silver badge

I'm not sure what area of the world you're located in, but here in the US the insurance industry pretty much killed the market for stolen parts for vehicles still in production. Something like 85% of auto insurance payouts are made directly to the repair shop and not the policy holder.

It used to be common business for the insurance company to pay the policy holder directly and put disbursement of the funds on the policy holder. The repair shop would buy parts of uncertain provenance at a greatly discounted price without the knowledge of the policy holder who had been sold genuine, new parts.

Now most insurance companies will have preferred partners in an area who handle all the repairs and are paid directly, the policy holder never has a role in the financial transaction. The insurance companies also have negotiated pricing from parts suppliers and the end result is a big circle of provenance paperwork for every last part the insurance company is paying for.

Sure, you could get into bent repair shops and such, but those are exceptions anymore. Most of the stolen parts market here is for expensive, out of production cars. Exotic and top shelf cars generally aren't parted out, but disassembled and shipped to a foreign land where they are reassembled. Customs busted three vessels carrying a total of 40+ disassembled cars in just the Port of Baltimore last year.

Regardless, it's one thing for a warlord to want a Maybach or a Lamborghini, that's fairly understandable. But I'm going to go with my gut and say most of the people who would drive an electric BMW don't fall in the warlord or shady repair shop patron categories :)

4
2

Case-insensitive passwords?

Uh-oh, sounds like somebody forgot to hash

0
0
Anonymous Coward

Re: Case-insensitive passwords?

> Uh-oh, sounds like somebody forgot to hash

Not necessarily. If the thing is meant to be used primarily via mobile devices, it might have been a deliberate design decision, which sacrifices *some* security (lower entropy) for the sake of usability.

INSERT INTO credentials (username, secret) VALUES (:user, SHA1(UPPER(:password)));

6
0
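The point made in the reply above, as an added example that is not part of the original post or any BMW code: a login can be case-insensitive and still store only a hash, because the password is case-folded before hashing, and the cost is a measurable loss of entropy. The PBKDF2 parameters, the salted storage and the assumption of uniformly random alphanumeric passwords are choices made for this sketch, not details from the article.

```python
import hashlib
import hmac
import math
import os

# Assumed parameters for this sketch (not taken from the article).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def normalize(password: str) -> str:
    """Fold case before hashing; this is what makes the check case-insensitive."""
    return password.upper()


def _derive(password: str, salt: bytes) -> bytes:
    # Salted, slow key derivation over the *normalized* password.
    return hashlib.pbkdf2_hmac(
        "sha256", normalize(password).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def enroll(password: str) -> tuple[bytes, bytes]:
    """Return (salt, digest) to store; the plaintext is never kept."""
    salt = os.urandom(SALT_BYTES)
    return salt, _derive(password, salt)


def verify(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the candidate's digest with the stored one."""
    return hmac.compare_digest(_derive(candidate, salt), digest)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string over the given alphabet."""
    return length * math.log2(alphabet_size)


def case_fold_loss_bits(length: int, letters: int = 26, digits: int = 10) -> float:
    """Bits lost when a mixed-case alphanumeric password is case-folded."""
    mixed = entropy_bits(2 * letters + digits, length)   # a-z, A-Z, 0-9
    folded = entropy_bits(letters + digits, length)      # A-Z, 0-9
    return mixed - folded


if __name__ == "__main__":
    # Constructed sample password, for illustration only.
    salt, digest = enroll("Tr0ub4dor")
    for attempt in ("tr0ub4dor", "TR0UB4DOR", "tr0ub4dor1"):
        print(f"{attempt!r:14} accepted={verify(attempt, salt, digest)}")
    for n in (6, 8, 12):
        print(f"length {n:2}: {case_fold_loss_bits(n):.2f} bits lost to case folding")
```

Every case variant of the enrolled password verifies against the same stored digest, so observing case-insensitive login behaviour says nothing about whether the server hashes.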
Silver badge

My name

I understand why it isn't good practice to use your own name as an account name, but it should be! I was given my name, I use my name all the time so why shouldn't I be able to use it for online services? Well, apart from it not being unique.

Likewise, people tend to like having one name they take with them. When I sign up for different services, I have my first choice, second choice, third choice and then random. Why? Because I want to have a common name across different services, so that people can recognise me, when we have some shared services in common.

It should be up to the service to ensure that using a "known" name isn't an issue for the customer.

7
0
Silver badge

Re: My name

"I understand why it isn't good practice to use your own name as an account name, but it should be! I was given my name, I use my name all the time so why shouldn't I be able to use it for online services? Well, apart from it not being unique."

Being able to use "any" username, and "any" password, effectively gives you two factor authentication. Perhaps it wasn't intended that way, but the point "Pen Test Partners" makes is, if you can, then you should take advantage. If the username is forced to be in a particular format, you're effectively making it single factor authentication - which is inherently less secure.

That doesn't make it a bad thing, it just means you need a more securely designed password. And I'm not confident the drivers are smart enough to do that(*).

(*)The owners are probably smart and sensible people, it takes brains to make that class of money that buys this class of vehicle. However, around these parts, I've seen spouses who *drive* the cars on a day to day basis who are - dare I say it - not quite as smart and sensible. To them "4321" would be the pinnacle of secure.

2
5
Bronze badge

Re: My name

"Being able to use "any" username, and "any" password, effectively gives you two factor authentication"

Not quite; it is two-step verification but it is single factor (it is equivalent to a single password that is the combined length of the username+password but sometimes worse if the system individually lets you know if the username is wrong regardless of password).

Two factor could be available if the mobile phone, for instance, had to be verified and unique so that only a verified mobile phone could be used along with a (username/)password

5
0
Bronze badge
Holmes

@John Tserkezis - Re: My name

Wrote :- "[BMW] owners are probably smart and sensible people, it takes brains to make that class of money that buys this class of vehicle."

Wow, this is turning into a BMW admiration forum? There are many idiots who get big money purely by luck. The obvious example is lottery winners, but people also get money by inheritance by default from distant wealthy childless aunts for example. It is precisely at such moments that some people are likely to splash out on an expensive car, the less brains the more likely in fact.

I was in a motorway traffic jam recently, the sort where the delay is so long that people get out and start chatting. I was struck by the lack of correlation between the type of person they seemed to be and the type of car they were driving. FWIW I could go straight out and buy the top-of-the-range BMW, but I drive a car that is 20 years old. Call me tight if you like.

4
0
Silver badge

Re: it takes brains to make that class of money that buys this class of vehicle.

"it takes stupidity to make that class of gullible fool that buys this class of vehicle."

Fixed that for you. The number of big BMWs I see in less affluent areas proves that earning big money is not required for BMW ownership. (or any other brand of overly expensive car)

1
0
Silver badge

Re: it takes brains to make that class of money that buys this class of vehicle.

Big money has never been a requirement for owning any production line automobile. Gone are the days of (many) ethnically targeted colloquialisms but 'trailer park Cadillac', 'car poor' and 'all hat, no cattle' work just as well. All that's required is that a person prioritize their car over all else. Some people are perfectly happy to live in a house with wheels on it as long as they can make the payments on a car that lets them feel important.

They completely miss the point in having those sorts of vehicles, but what can you do: It's their choice. The reverse is true as well. Plenty of people here in Northern Virginia buy homes far outside the realm of reason and eat Ramen noodles for dinner everyday because the electric bill is 25% of their monthly income. They too miss the point.

Fancy cars in their 'proper' environment don't impress anyone because everybody has a fancy car too. Same with houses. Everybody's got a fancy one and no matter how great you think it is, somebody there is always going to have one that's bigger, better, faster and more expensive. Competing with others and attempting to impress with things that come off a production line is just as stupid for poor people as it is for extremely wealthy people.

1
0
Silver badge

Re: it takes brains to make that class of money that buys this class of vehicle.

"The number of big BMWs I see in less affluent areas proves that earning big money is not required for BMW ownership."

I've seen this in some (primarily European) countries, but it doesn't apply here in Australia. You either need a bucketload of money to buy one, or, if it's a shitbox, you're paying a bucketload of money to keep it on the road. Either way, you're not getting away with it on the cheap. I'm thinking it's the import fees that try to encourage the purchase of Australian-Built cars (even though that industry is nearly dead now anyway), plus the local perception that a beemer = money.

0
0
Silver badge

Re: I use my name all the time so why shouldn't I be able to use it for online services

Maybe because when you give your name to someone in Real Life (TM), you don't expect them to be going through the roof of your house in the next ten minutes to check out all your stuff, mosey in the cellar and leave a turd in the fish bowl.

Because on the Internet, they can do that and more, if they are determined.

0
0

Re: My name

as long as your name isn't one of those long used generic standards like smith, brown, chin, wu or other, you're fine. like people having the same birthday week in the same room, as production numbers increase the opportunity for 'identity intercept' also increases.

0
0

Re: @John Tserkezis - My name

depends on who's calling whom who. 'prudent' is a far more charitable description for yourself, as long as it's a 20 year old Bentley? ;-))

0
0
Anonymous Coward

Re: it takes brains to make that class of money that buys this class of vehicle.

The number of big BMWs I see in less affluent areas proves that earning big money is not required for BMW ownership. (or any other brand of overly expensive car)

In London, BMW stands for "Black Man's Wagon"

0
0
Bronze badge

Only needs to be as secure as your keys

There's not really much point in making an uber-secure unlocking app when alternative methods of gaining entry (and driving off the car) are so much simpler. Once it's at least as hard to crack as breaking into the owner's house and stealing the keys, or even threatening the owner to make them hand over the keys, then it's really good enough.

5
0
Anonymous Coward

Ahem!

> If you allow users to choose their own username that weakens security,

The username is supposed to be publicly disclosable, after all that's how you identify a user (cf. email). Good security should not rely on attempting to hide usernames (which users will end up writing down anyway). What Professor Whathisface is advocating is security through obscurity.

> which is why banks don't allow it.

The hell they don't.

14
0
Silver badge
Boffin

Re: Ahem!

Actually, what he's advocating is security bolstered by obscurity. Security through obscurity relies on obscurity as the primary defense (e.g, a proprietary encryption algorithm, or even a hidden private key).

He's not saying that they should use obscure usernames and that's all, he's saying if they can use obscure usernames on top of a good password/encryption scheme, that adds an increased level of security. He's not saying rely on obscure usernames, but take advantage of the opportunity.

Furthermore, one's e-mail address need not have anything to do with one's login name, even within the e-mail system itself, beyond an association in some database.

1
1
Silver badge

Security Vs Usability

The trade-off between security and usability is never easy. From what the article says, it seems BMW have made a fair attempt at trying to make the system secure, but easy to use by non-nerds.

Is it perfect? No. (But is any security system perfect?)

Is it hideously broken? No.

7
1
Silver badge

Re: Security Vs Usability

The appropriateness of that trade off is a reflection of how well a company understands its customers. At least 2/3 of the people I know who own BMW autos (not motorcycles :) are the same sort of people who return a box of screws because it contained 199 instead of 200. The same sort who write Amazon reviews blasting a $75 waterproof phone case and its manufacturer because they took it scuba diving in 60' of water. The same sort who sue because they stabbed themselves in the dick with a knife and blame it on the lack of a 'do not stab self in dick' illustration and warning callout on the package.

Based on the comments, I feel safe assuming a fair portion of BMW owners in Europe and the UK are the same as we've got here. That being the case, I think BMW has a pretty good handle on the security/usability tradeoffs :) It's not designed to be secure, it's designed so Twonk1 can show off the app to Twonk2 without it hindering his presentation with boring passwords and stuff.

2
1

Beamer?

It's "bimmer" for a BMW car. A beamer or beemer is a BMW motorcycle.

Just saying ;)

3
8

Re: Beamer?

And it's a bummer when it gets stolen

3
1
Silver badge

Re: Beamer?

It's "bimmer" for a BMW car. A beamer or beemer is a BMW motorcycle.

Never, ever heard of bimmer. Must be a local thing for local people.

9
0
Silver badge

Re: Beamer?

In the US the 'Bimmer/Beemer' was traditionally directed at the 3-Series vehicles popular with some of our least desirable citizenry. It's exceedingly rare to see anything less than a 3-Series here, I've never seen a new one on a lot. It used to be fairly rare to see the 5 and 7-Series cars as well, but they seem to become more popular in direct proportion to the growth in the organized displacement of labor.

Ha! Holy Shit! That needs to become a standardized measure in economics; the BMW factor. The correlation between the level of finished goods produced in a country compared to the number of 5 and 7-Series BMWs in that country. I would like to propose that measurement be formally developed and added to the El Reg system of weights and measures!

2
0
Anonymous Coward

Re: Beamer?

> It's exceedingly rare to see anything less than a 3-Series here

Not in the US itself, but the 1-series seems to be fairly popular amongst Merkins stationed in Germany, I'm led to believe.

I agree about the 3-series being essentially a chavmobile.

Same goes for the 5-series really. While I like the smoothness of the eight-gear automatic transmission, thanks to rear wheel drive they're fucking annoying to drive, especially in the winter if you live in a cold, icy place. It's also telling of what their intended audience is if you read on the manual (3- and 5-series) the bit explaining the presence of a "traditional" handbrake (which is unusual in higher-range cars: it's electric and mostly automatic on Audis, and pedal-based on Mercedes): the more or less explicit rationale is so that you can do handbrake turns. :-/

With that said, one should not generalise too much: the 3-series is a relatively good car for a relatively affordable price and station wagons make for decent middle-class family vehicles. Especially if they like handbrake turns.

0
0

This is why I like my old BMW.

It comes with this thing called a "Key" which I keep on my person at all times. The car is remarkably hard to open or start without it.

4
1
Silver badge
Unhappy

Re: This is why I like my old BMW.

Yup, that's why YOU are the easiest way of gaining access. Lot harder to disable an immobiliser than the owner.

2
0
Silver badge

Re: This is why I like my old BMW.

"It comes with this thing called a "Key" which I keep on my person at all times. The car is remarkably hard to open or start without it."

Not really. If you're willing to limit the type of vehicle you wish to acquire, a half brick and a screwdriver will do nicely.

1
0
Anonymous Coward

Re: This is why I like my old BMW.

Actually, either of them applied correctly to the keyholder will get you access to AND full control privileges over more or less any car :)

3
0
Anonymous Coward

Re: This is why I like my old BMW.

> The car is remarkably hard to open

Have you heard of clay-based Improvised Entry Devices, otherwise known as bricks?

1
0
Anonymous Coward

Selling the Car

What happens when the original owner sells the car? How can the new owner be sure the seller has deleted all installed apps on all his phones, thus has no more access to the car? Can you disable individual phones from the dashboard/display?

Does the new owner need to phone the call centre to create an account and register the car? What's to stop anyone doing that - current means for stealing some up-market cars is go to a dealer in a foreign country and request a new key. Sounds like something similar may be possible here. Mind you, why a new key works without being programmed into the car is something of a security oversight.

2
0
