The Register® — Biting the hand that feeds IT

Got a BMW? Thicko thieves can EASILY NICK IT with $30 box

BMWs and other high-end cars are being stolen by unskilled criminals using a $30 tool developed by hackers to pwn the onboard security systems. The new tool is capable of reprogramming a blank key, and allows non-techie car thieves to steal a vehicle within two or three minutes or less. On-board diagnostics (OBD) bypass tools …

This topic is closed for new posts.
Silver badge

Re: On X5/X6 it's fixed. The rest of us have to wait 8 weeks

Not sure why BMW even bothered with these. They managed to make them as unattractive as possible in every conceivable way to ensure nobody would actually want to steal them. Even thieves have some standards.

For other (true) examples: See Ford's Ka. So utterly dire that not a single UK vehicle has been stolen since production of v2 started.

FAIL

BMW have known...

BMW did know about this last year, but why would they care if a few motors got nicked? Now it's been widely publicised they need to protect their brand. They need to be seen to be doing something and they don't want to put off future customers, their attitude is not good.

The CAS software module on the ECU is what will be updated eventually.

Oh, part of the reason why BMWs are easy to pinch is because the driver's side window can be smashed in the corner and reaching a hand down to the OBD port doesn't set off the interior alarm!

Bronze badge
FAIL

Re: BMW have known...

So their alarm system doesn't recognise the sound of the glass being smashed? Pretty sure that the change in the ultrasonic reflection pattern would trigger most alarms.

Silver badge
FAIL

My Vauxhall (Opel)..

..doesn't have this flaw, so it doesn't seem hard to avoid. Not only is the OBDII port right in the centre under the handbrake (you'd most definitely have to reach past the sensors), but the ignition needs to be on position II for it to be powered up, AND you need a 4 digit code to programme the key, although admittedly mine is in the folder with the car handbook.

So much for BMW security..

Re: My Vauxhall (Opel)..

You'll find there will be a back door just in case the 4 digit code ever gets lost tho.

Gold badge

Re: My Vauxhall (Opel)..

No, there is not. GM have a record of the codes for each car and its ECU held centrally.

If the code is ever irretrievably lost, the ECU has to be removed from the car and reprogrammed. That cannot be done using the OBD port (vulns and bugs notwithstanding of course).

You can change the code via OBD, but you need the current code in order to do so.

Silver badge
Thumb Up

Re: My Vauxhall (Opel)..

And your Vauxhall has an additional security layer denied to most aspiring luxury cars: "Security through undesirability".

Windows

Re: My Vauxhall (Opel)..

I was considering buying a Land Rover Defender last year, and am glad I did some research on the landyzone forums. Turns out there's a whole section on stolen Landrovers with a huge amount of those in the Sheffield/Derbyshire area where my parents live. Thieves were using flatbeds to lift the Landys over walls and other cars that owners thought would block them in ok.

Needless to say, I decided to buy another £500 Punto Mk1 to replace my broken Punto Mk1. A full fuel tank constitutes 10% of the vehicle's value. I can park it up anywhere and have few worries about it. Same goes for the old bike I've had for the last 15 years. Don't drive something you can't afford to lose.

Silver badge
Thumb Up

Re: My Vauxhall (Opel)..

Every little helps!

Anonymous Coward

Re: Security through undesirability

I'd rather drive an "undesirable" car than demonstrate to the world I have an over-inflated ego and a belief I own the road.

Anonymous Coward

Re: Security through undesirability

Envy is a terrible thing. Yes I would rather live in a small house to save on heating bills - yes I would rather wear crappy clothes to show the rest of the world I don't care what they think.

Anonymous Coward

Re: My Vauxhall (Opel)..

My phone is worth more than your car - think you need to be looking for a better job m8.

Bronze badge

Re: Envy is a terrible thing

It certainly is. Luckily I've never been envious of a car that doesn't have indicators, has a design fault preventing it from driving in lane 1 on a motorway and brakes that are so bad they only manage to slow you down when you get to within six feet of my bumper at seventy mph.

Oh, and vanity is a terrible thing too.

Silver badge

Re: My Vauxhall (Opel)..

So you didn't buy a Landie because they are vulnerable to being lifted out of a carpark by a crane - and you consider this a security failing!

Isn't that a bit like complaining to the landlord if someone crashes a plane into your office?

Gimp

Re: My Vauxhall (Opel)..

£500 Fiat banger (nowt wrong with that) to Landie Defender - you would have been disappointed, and I owned both at one point. Defenders are somewhat 'agricultural'.

And yes it seems a little harsh to consider lack of resistance to a pikey with hiab-truck to be a security flaw...show me a car that doesn't suffer from this? (South African flame-thrower upgrades notwithstanding!)

This post has been deleted by its author

Pirate

Re: My Vauxhall (Opel)..

I guess I should clarify that my post was not a criticism of Land Rover Defender security. It was more the fact that there were criminal gangs operating around a regular destination for me that were stealing these vehicles to order that put me off the £5k to £10k Landy decision. The solution shouldn't be a race to the bottom of the food car chain; but on the other hand, I suspect the police have quite a job on their hands dealing with such crime.

Piracy flag because you wouldn't steal a car.....

Anonymous Coward

Re: Envy is a terrible thing

Believe me that is not limited to BMW drivers.

Anonymous Coward

Re: Security through undesirability

"I'd rather drive an "undesirable" car than demonstrate to the world I have an over-inflated ego and a belief I own the road."

Luckily for you, the facts show you get the best of both worlds - you can drive a s*** car, AND have it stolen, because the Corsa and Astra are regularly in the top 5 of UK stolen cars.

Anonymous Coward

Re: Security through undesirability

Wow, I thought you were a pragmatic free-thinker for a moment there :P

Bronze badge
Boffin

The Nature of the Problem

I've been reading about this for years.

The problem is that the BMW is configured such that it can have ten key fobs over its lifetime, you know, so if you lose your key the garage can program you a new one. Should you lose all 10 you need a new car.

These 10 keys (obviously including the two it comes with) are preprogrammed into the ECU and their rolling key encryption seed (or serial number as it's really called) can be read.

It's the equivalent in PC security of storing unhashed and unsalted passwords on a device that is open to the public.

Obviously if it was just a password the solution would be to store the salted hash in the ECU and BMW keep a record of the key. But it's not a password; the password we are talking about is itself the seed to the rolling algorithm used so the fob can transmit different codes each time it's pressed. So both the fob and the car need access to it.

The solution is just maths though innit.

This post has been deleted by its author

Silver badge
Mushroom

It was the Insurance companies that drove the manufacturers to fit coded immobilisers due to the volume of theft.

When this type of theft becomes a serious source of loss for the Insurers then once again they will force the manufacturers to fix it.

I'm not saying I agree with the process or the outcomes, but that's how risk analysis works. And at least with it being higher end cars it should occur more quickly than if it were Ford Fiestas.

Bronze badge
Boffin

How I would program it...

If I were given the task of programming this device I would look at the following options:

1) Make the OBD port inactive while the alarm is set, or

2) Make security functions inactive while the alarm is set, or

3) Make it so that to access any security functions while the alarm is set the alarm will sound for 10 seconds, then a delay of 2 minutes, then alarm again for 10 seconds, then another delay, then access to security.

If none of these make the car "legal" then give in and stop designing for high-tech cars!

Re: How I would program it...

Making the OBD port inactive when the immobilizer is active is a bad idea. Early Peugeots and Citroens with Lucas diesel injection were like this and it meant that if there was any fault with the immobilizer system, the diagnostic tool which might tell you what the problem was would not connect.

BMW's bleating about the standard OBD protocol is also bogus. The standard mandated protocol is limited only to reading emissions related fault codes and data from the engine ECU, there is nothing in the standard about ABS, transmission, airbags, or immobilizer systems and the manufacturers have all defined their own protocols for these purposes. The only requirement for such a proprietary protocol is that it doesn't stop the standard one from working, so a different destination address in the packet headers will achieve that.

Once you have defined a non standard destination address you simply put your own crypto and authorization on the top, in the packet payload, and for reprogramming of immobilizer key codes, you should certainly do this. With many manufacturers the car is supplied with a special code which the tool will need in order to authenticate to that particular car for security related processes. If you lose the code then you have to get it back from a dealer and for that you will need the registration document and proof of ID. Just don't leave that piece of plastic with the code on it inside the car....

It would seem that BMW have used a universal code rather than a vehicle specific one, or have encoded it with something that a tool can freely read out, and that this algo has been cracked.

The solution for this is for BMW to rewrite their immobilizer firmware for every BMW that's affected, and then offer all owners a reflash. Normally these ECUs have a way to update firmware using the same OBD port. They may also need to find a way to stop thieves simply rewriting old vulnerable firmware back, such as adding some security into the reflash protocol.
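The design described in the post above (a vehicle-specific code authorising security functions, plus a reflash that refuses to go back to older firmware) can be sketched as a challenge-response check. This is an added example, not part of the original post and not any manufacturer's protocol; the class, command names, codes and version numbers are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample secrets; a real per-vehicle code would need to be long and random.
VEHICLE_CODE = b"constructed-code-for-this-vehicle"
OTHER_VEHICLE_CODE = b"constructed-code-for-another-vehicle"


def tool_response(code: bytes, nonce: bytes, command: bytes) -> bytes:
    """Diagnostic tool side: prove knowledge of the code for this exact command."""
    return hmac.new(code, nonce + command, hashlib.sha256).digest()


class ImmobilizerEcu:
    """Hypothetical ECU model gating key programming and reflash behind the code."""

    def __init__(self, vehicle_code: bytes, firmware_version: int):
        self._code = vehicle_code
        self.firmware_version = firmware_version
        self.programmed_keys = []
        self._nonce = None

    def challenge(self) -> bytes:
        # Fresh random nonce per request, so a recorded response cannot be replayed.
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def _authorized(self, command: bytes, tag: bytes) -> bool:
        nonce, self._nonce = self._nonce, None  # a nonce is valid for one attempt only
        if nonce is None:
            return False
        expected = hmac.new(self._code, nonce + command, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)  # constant-time comparison

    def program_key(self, key_id: bytes, tag: bytes) -> bool:
        if not self._authorized(b"PROGRAM_KEY" + key_id, tag):
            return False
        self.programmed_keys.append(key_id)
        return True

    def reflash(self, new_version: int, tag: bytes) -> bool:
        command = b"REFLASH" + new_version.to_bytes(4, "big")
        if not self._authorized(command, tag):
            return False
        if new_version <= self.firmware_version:
            return False  # anti-rollback: never accept older or equal firmware
        self.firmware_version = new_version
        return True
```

Because the response is bound to both the nonce and the command, a tool holding another car's code, or replaying an earlier exchange, gets nothing programmed.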

This post has been deleted by its author

Silver badge

Re: How I would program it...

I assume that any car with a complex and vital component made by Lucas already has a pretty effective immobiliser.

@ Brian Morrison

From what I've heard it is because there's a 'dead' area in the ultrasonic sensors' field of view (presumably near the mirror). I've read accounts from folk who've gone outside to find their car gone and a small amount of window glass on the drive.

In any case I agree that the OBD port should be wired to the alarm at a minimum. I can understand the port is 'live' all the time, for example to reprogram a new key if both original fobs are lost. But I'm stunned there is no form of authentication.

I am on the list to have a call back in a month's time when a fix is available for my car. It's only a bog standard 320d so hardly high on the crims' priority list I hope!

Even my house's front door's Magnum cylinder has a 'keycard' with a code on if I need a spare as these can't be duplicated on the high street! FFS

Bronze badge

Re: @ Brian Morrison

@Dave 45: I am on the list to have a call back in a month's time when a fix is available for my car.

Have you a link to this list? Or did you just phone the dealer?

Anonymous Coward

Re: @ Brian Morrison

Nice of you to tell us all about your home and car security. Publicly. With your name (Dave). :-)

Bronze badge
Stop

Re: @ Brian Morrison

OBD is a specification... KW82 / SAE protocols are mainly used for authentication...

We get back to the problem with BIOS security again... forget the password, disconnect the battery will reset it... or there's a reset button / jumper..

This technology does not exist!!!

Does this apply to old jalopies like my 2002 320d Touring? Not that anyone would nick it; it's varicose-vein blue, only Apollo 13 had a higher mileage, and it's usually parked in the garage to save the blushes of the neighbours.

Thumb Up

If you have a physical key that you push into a barrel and twist to start it (which I suspect you do), then no, you're not affected.

Thumb Up

This is good news. I got a second-hand Toyota a few weeks ago and have totally failed to register a new, spare key to the immobiliser by using the documented procedure.

But if the criminals can do it through the OBD, then I should be able to as well.

Bronze badge

Is it true...

...that BMW's workaround is to disconnect the OBD port?

Bronze badge

Re: Is it true...

Until what? They rewire it back in?

Bronze badge

Re: Is it true...

No, they've disconnected the fog lights and etched a suitable warning into the windscreen to make the car less desirable to potential drivers of stolen BMWs. Maybe I could patent that idea, something along the lines of a security code needed to enable the fog lights and/or but not limited to etc, the emergency lights aka parking invisibility shield.

FAIL

Pissed off owner

As someone who has owned premium BMWs for the last 12 years this has royally pissed me off - I have £60k worth of car sitting on my drive which could be nicked by a scumbag at any moment due to BMW incompetence.

I have no issue with the OBD port "problem" itself - criminals will always come up with new ways of bypassing any security as we in IT can lay testament to day in, day out.

My two issues are much simpler:

1) This problem started occurring 18 months ago and was brought to BMW's attention but they did jack shit until Watchdog reported on it. Total disregard for their customers.

2) What idiot designed an alarm system which allows you to break the side window AND put your arm into the body of the car WITHOUT setting off the alarm and how the hell did that ever get Thatcham approval?

BMW may well have just lost a customer through their incompetence - the service I have received has always kept me going back but this is really a step too far.

Anonymous Coward

Re: Pissed off owner

No worries, import yourself a Hyundai Equus 5.0 V8, confuse the crooks and have a huge wafty car with the same name as a schlock-art film and stage show as a bonus! :P

https://www.hyundaiusa.com/vehicles/2013/equus/?

Disclaimer- I have no connection with these guys, although it looks shiny. Other makes of car exist, may cost more, and might be better in some ways.

2nd disclaimer - I actually want a G400CDI which came from one of their competitor companies :P

3rd disclaimer - I wish ;)

Bronze badge
Joke

Re: Pissed off owner

"I have £60k worth of car sitting on my drive"

Maybe put in the garage rather than leaving it out on full view then?

Anonymous Coward

Re: Pissed off owner

Never understood why anyone feels the need to spend that much on a car anyway. Especially on British roads where much of the time you can't go much faster than about 10MPH average.

It took a work colleague about 20-30 minutes to move about a mile the other day. I can cycle to work in 20 minutes and bypass all that traffic as no car can take the short cuts a bicycle can. Plus I don't get fat, poor and angry either.

Bronze badge

Re: Pissed off owner

The need to point out you have a premium BMW probably says a lot about you that we shouldn't go into but it also says something about the brand. What allegedly prestigious car maker has the need to make bland low end models? Still, I suppose it increases sales and allows a load of plebs to be able to say they have a BMW. We all know if they don't say the model number it's a one series and those that point out it's one of the premium models, well, as I said let's not go there.

The same also goes for Jaguar, no mention of the model then it's a refurbished Sierra, but what the hell they can say they have a Jaguar.

Also, I assume you mean you paid 60k for your car but I seriously doubt it is worth that.

Re: Pissed off owner

Park it under a 'no parking' sign.

Someone will then come around and put a nice, yellow security device on one of your front wheels.

Sure, it costs a bit to remove the device any time you want to take it for a spin, but if you can afford a £60.000 car, I figure you can afford it...

Anonymous Coward

Re: Pissed off owner

I've often wondered if Halfords would be interested in my idea to market sticky-backed plastic, fake blue veins for car obsessed blokes to stick to the side of their precious motors/manhood compensators?

Unhappy

Re: Pissed off owner

"Maybe put in the garage rather than leaving it out on full view then?"

You tried to get anything larger than a bicycle into a new build garage recently?

Thumb Down

Re: Pissed off owner

"Never understood why anyone feels the need to spend that much on a car anyway. Especially on British roads where much of the time you can't go much faster than about 10MPH average.

It took a work colleague about 20-30 minutes to move about a mile the other day. I can cycle to work in 20 minutes and bypass all that traffic as no car can take the short cuts a bicycle can. Plus I don't get fat, poor and angry either."

I don't need to - I choose to in the same way as you choose to buy a bicycle which, IMO, is the scourge of the earth especially when the cyclists take the "short cuts a bicycle can" like riding on the pavements, going the wrong way down one way streets and jumping red lights...

Anonymous Coward

Re: Pissed off owner

You may cycle in - but you get wet and run the risk of being knocked off / killed. You also can't carry a wife, 2 kids and a boot full of shopping - nor can you do a 60 mile trip in about an hour.

Re: Pissed off owner

"The need to point out you have a premium BMW probably says a lot about you that we shouldn't go into but it also says something about the brand. What allegedly prestigious car maker has the need to make bland low end models? Still, I suppose it increases sales and allows a load of plebs to be able to say they have a BMW. We all know if they don't say the model number it's a one series and those that point out it's one of the premium models, well, as I said let's not go there.

The same also goes for Jaguar, no mention of the model then it's a refurbished Sierra, but what the hell they can say they have a Jaguar.

Also, I assume you mean you paid 60k for your car but I seriously doubt it is worth that."

This is a post about BMWs - considering many who are posting don't even own a BMW I thought it might be useful to establish that I am an owner of an affected vehicle and have a vested interest in the story to justify my concern.

For the record, mine is not a "bland low end model" nor is it a one series - it is a premium model so I highlighted it is a premium model which makes it MUCH more attractive to thieves hence my increased concern.

Anonymous Coward

Re: Pissed off owner - Jase 1 08:48

>going the wrong way down one way streets and jumping red lights...

Ah, typical car driver, blind to the errors of their own ways and only see them in others. At least if I get hit by a cyclist going the wrong way down a one way street it's unlikely to be fatal.

Bronze badge
Happy

Re: Pissed off owner

"Maybe put in the garage rather than leaving it out on full view then?"

You tried to get anything larger than a bicycle into a new build garage recently?

I'd have thought anyone spunking £60k on a penis extension could afford something big enough to put it.
