Got a BMW? Thicko thieves can EASILY NICK IT with $30 box

BMWs and other high-end cars are being stolen by unskilled criminals using a $30 tool developed by hackers to pwn the onboard security systems. The new tool is capable of reprogramming a blank key, and allows non-techie car thieves to steal a vehicle within two or three minutes or less. On-board diagnostics (OBD) bypass tools …

COMMENTS

  1. Gordon Pryra
    Facepalm

    "limited to "older" BMW models"

    Anything over a year old then.....

    What's that? 95% of all BMWs then? It certainly affects 100% of those in the staff car park.

    Take pride in their security? There is none once you have broken the window, what is there to take pride in?

    Great example of more crap coming out of a company, talking to its customers as if they were morons.

    1. You have not yet created a handle

      Re: "limited to "older" BMW models"

      Anything after about 2006 when they introduced the remote key (the one without the good old fashioned metal part)

      1. ravenviz Silver badge
        Boffin

        Re: "limited to "older" BMW models"

        You can still use the metal part that's encased inside the fob to open the door / boot manually. This was advice given to us years ago in our Houston office about hire cars and people stealing shopping when you went back to dump it off before getting more, especially at Christmas.

  2. HMB

    Blame Game

    It's the EU's fault.

    It's the OBS port's fault.

    It's the fault of people selling the tools to bypass security.

    Bad security design based on obscurity? Couldn't be that.

    1. HMB

      Re: Blame Game

      OBD (Typo)

      1. Anonymous Coward
        Anonymous Coward

        Re: Blame Game

        I'd like to blame OBS after a summer working with the buggers on the Olympics.

    2. bonkers
      FAIL

      Re: Blame Game

      It is in part the fault of the others on the list - in that the OBD standard does not call upon any encryption requirement - it was designed to allow Californian cops to read whether your car had declared to you that the emissions limiting equipment was faulty - so the same readers had to work in perpetuity.

      They could have designed it better, even to firewall off just the compulsory protocol commands.

      The French have recently proposed anti-competitive legislation to the effect that all French garages shall be able to reprogram ECUs of any sort without having to be registered dealers and essentially under a FRAND type agreement. Though good for competition, it's impossible for security - well the concept of a trusted dealer was never a good one, now it is busted we may get tools that require a session into the heart of the OEM in order to decrypt the protocols.

      1. Anonymous Coward
        Anonymous Coward

        Re: Blame Game

        Meh, clearing/resetting/reprogramming certain registers in an ECU is not the same as reprogramming the same ECU. The OBD protocol being open is a good and healthy thing. The manufacturers not putting much or any sort of security into the individual modules is cost cutting. BMW are simply lying when they state that the techniques didn't exist when they designed the cars. An off the shelf kit didn't exist, but they and plenty of other manufacturers were worried about this sort of thing from a warranty perspective well over a decade ago.

        Car manufacturers should (and to some extent do) treat data buses within their cars as the IT industry treats their networks, with a constant degree of suspicion. Firewalling off the OBD port or having a different protocol (GM/Ford US) or multiple CAN buses is something some manufacturers do, but it's not a real solution as you can always get physical access to the wiring (thankfully if you've got a fault to diagnose).

        1. Danny 14
          FAIL

          Re: Blame Game

          I was just about to say, Ford firewall the security from OBD. In fact you need a dedicated Ford reader to diagnose security module errors via OBD as the aftermarket tools aren't available.

          It is akin to having an open network, sure if you have guest read only info then that is fine but not for a button that says "open doors".

  3. Crisp

    Certain criminal threats - do not exist when cars are designed

    They certainly do.

    An unsecured "back door" into the system is a definite no no. The threat was clear and present when the car was in the design stage!

    Thinking about it from the point of view of physical keys and locks: What good is a car with a solid lock on each door if all a potential criminal has to do to get in is pop the hood?

    1. Anonymous Coward
      Anonymous Coward

      Re: Certain criminal threats - do not exist when cars are designed

      "What good is a car with a solid lock on each door if all a potential criminal has to do to get in is pop the hood?"

      I don't know if BMWs are different the other side of the pond, but over here in li'l ol' blighty, along with 99% of all other cars, you can't open the "hood" or bonnet as we like to call it without opening the door first. The lever is usually in the driver's compartment; if not, it requires a key to unlock it...

      I can sort of see where BMW are coming from. The OBD has to be open so third party garages can actually work on the car. The connection point has to be a standard plug, within 100cm of the steering wheel, and needs no tools to access it. There is no way it would be possible to secure a car once entry has been gained with a system like this. No matter what hurdles are put in place, the memory of the ECU is not read only susceptible to attack. The bare minimum to gain access would be a clone of a key that you have a copy of the ROM for and flash the entire ROM.

      This has really been caused by the EU making laws for the general good, but messing things up in reality..

      I am pretty sure most of us could actually come up with some sort of security that would work within the OBD guidelines, but I would also imagine the cost would put the price of the car up to an unacceptable price, which would mean true security would be an optional extra.

      1. TRT Silver badge

        Re: Certain criminal threats - do not exist when cars are designed

        I'm concerned that you can get into the car without setting the alarm off in the first place!

      2. NogginTheNog
        WTF?

        Re: Certain criminal threats - do not exist when cars are designed

        "but I would also imagine the cost would put the price of the car up to an unacceptable price"

        I don't recall Beemers being particularly cheap to begin with?!

        1. Yet Another Anonymous coward Silver badge

          Re: Certain criminal threats - do not exist when cars are designed

          >I don't recall Beemers being particularly cheap to begin with?!

          But imagine if BMW managed to get the legislation overturned so that they could only be serviced by a BMW dealer and only MOT'ed/smogged by a dealer.

          "I'm sorry sir your 1 year old car's ashtray is full and we don't service that model anymore" - "would sir like to buy a new one"?

          1. John Smith 19 Gold badge
            Joke

            Re: Certain criminal threats - do not exist when cars are designed

            ""I'm sorry sir your 1 year old car's ashtray is full and we don't service that model anymore" - "would sir like to buy a new one"?"

            The iBWM perhaps?

            1. John Smith 19 Gold badge
              Happy

              Re: Certain criminal threats - do not exist when cars are designed

              4 thumbs down?

              My my I seem to upset both the beemer and the fruity fanbois.

              A sense of humor is a *very* useful part of any IT office survival kit.

              You might like to think about getting one.

      3. Robert Helpmann??
        Childcatcher

        Re: Certain criminal threats - do not exist when cars are designed

        'What good is a car with a solid lock on each door if all a potential criminal has to do to get in is pop the hood?'

        "you can't open the "hood" or bonnet as we like to call it without opening the door first. The lever is usually in the driver's compartment; if not, it requires a key to unlock it..."

        This statement is similar to claiming the door can't be opened without a key. If there is a lever release to open the hood, it can be operated by yanking the cable that connects the lever to the latch. It's designed not to be easy, but it is possible.

      4. Alan Brown Silver badge

        Re: Certain criminal threats - do not exist when cars are designed

        "The connection point has to be a standard plug, within 100cm of the steering wheel, and needs no tools to access it."

        That doesn't preclude it being in a lockable compartment.

        1. TRT Silver badge

          Re: Certain criminal threats - do not exist when cars are designed

          Yes it does. If you consider the key as a tool.

        2. Charles Manning

          "That doesn't preclude it being in a lockable compartment."

          But the cable then extends to the engine where it attaches to various components. Pop the hood/bonnet and plug in at any one of ten or more convenient sites.

      5. Ross K Silver badge
        Facepalm

        Re: Certain criminal threats - do not exist when cars are designed

        I don't know if BMWs are different the other side of the pond, but over here in li'l ol' blighty, along with 99% of all other cars, you can't open the "hood" or bonnet as we like to call it without opening the door first. The lever is usually in the driver's compartment; if not, it requires a key to unlock it...

        Here in li'l ol' blighty it is quite possible to open the bonnet (or "hood" as the Americans call it) on most cars by manipulating the release cable.

        1. Anonymous Coward
          Anonymous Coward

          Re: Open bonnet/hood

          An important point that you all forget to mention is that regardless of how easy it is to physically open the lid, there is an alarm sensor as well which will alert the car's security system and immobiliser.

          The alarm will be sounding loudly and you can bet wherever it's coming from has been designed to make it difficult to get to.

          In my experience the OBD port is always located inside the passenger compartment anyway.

          1. Anonymous Coward
            Anonymous Coward

            Re: Open bonnet/hood

            Sadly does anyone pay much attention to alarms going off on cars these days? I hear one I usually take a quick gander for anyone shifty standing near it but most of the time though I have other stuff to be getting on with, so I mutter something about "Complete dipstick with a stupid car alarm!" and ignore it!

            1. ravenviz Silver badge
              Stop

              Re: Open bonnet/hood

              I do if I think it's mine!

          2. Anonymous Coward
            Anonymous Coward

            Re: Open bonnet/hood

            Apart from when the OBD port is right next to the driver's door, and the alarm has a dead spot between that and the window so the thief can take out the window and slide their hand down to the port without setting off the alarm...

    2. Anonymous Coward
      Anonymous Coward

      Re: Certain criminal threats - do not exist when cars are designed

      Yep. The threat existed long before, it's just the exploit that is new.

  4. Anonymous Coward
    Anonymous Coward

    As if I needed another reason not to buy a BMW

    Fortunately there are enough already

  5. MikeOxlong
    Stop

    put a lock on the OBD port

    A simple physical key lock on the OBD port should keep their techno mitts clear.

    Wire that up to the alarm sensor as well. BMW could do that for a nominal charge of say £100 fitting (£35 parts + £65 labour).

    I would be more worried why it doesn't seem hard for them to gain entry into the vehicle in the first place.

    1. Captain TickTock
      Boffin

      Re: put a lock on the OBD port

      "A simple physical key lock" like cars used to have?

      A secure physical key lock maybe...

      1. Stacy
        Meh

        Re: put a lock on the OBD port

        I don't know about BMWs - but my V70 has a key hidden in the keyfob that is used for nothing except unlocking the car when the battery is dead and locking the glove box when it's serviced (if you want to do that).

        Why not simply use that to secure the OBD port? No special tools are required as per EU instructions.

        There again, how long would it take them to force the lock and just gain access anyway? Would making key setting a main dealer only item then make it fall foul of the EU law?

        Could you have a two tier system:

        - program key from key = non main dealer

        - program keys from nothing = main dealer

        1. TeeCee Gold badge
          Alert

          Re: put a lock on the OBD port

          "Could you have a two tier system:"

          Some manufacturers (Ford? I'm looking at you...) have already done this. This means that if you do lose the "master" key, they will replace it at "got you by the balls and we're gonna squeeze really hard" rates.....

          You see improved security, they see an opportunity to rip you off.

          1. Stacy
            Unhappy

            Re: put a lock on the OBD port

            Unfortunately they will, but I am not sure what else you can do...

            I know for my R6 it's even worse. I have a 'red' key. It doesn't start the bike, but does put it in learning mode for if you need a new key.

            Should you lose the red key and then break your black keys you need to replace the ECU to get the bike working again. Gulp!

            My red key is in a safe place!

            1. Orv Silver badge

              Safe place...

              I think this is why I've almost never bought a used car and gotten the original keys...just copies of copies that barely work. The previous owner probably put the original in a "safe place" and then forgot where that was. ;)

              The one exception was, oddly, a 40-year-old Saab 95, which still had the original key. Unfortunately it didn't have most of the original LOCKS. ;)

          2. Danny 14

            Re: put a lock on the OBD port

            Ford aren't really ripping you off. You can buy the part yourself, it is a standalone security module that comes pre-paired with keys. Good luck fitting it though. Try buying an ECU for any electrical appliance, they aren't mass produced items so cost more. If you lose BOTH keys then odds are it is your own fault (not always but in cases of fires, floods, theft that's why we have insurance). You can reprogram another key from an existing key EXTERNAL to the car. It is easier to reprogram a key within the car though.

            Second point. DO NOT let your battery run flat on a modern Ford key, you will need to reprogram it if you do. The capacitor is only good for 30 seconds or so too so don't be tardy when changing the battery.

        2. Yet Another Anonymous coward Silver badge

          Re: put a lock on the OBD port

          >- program keys from nothing = main dealer

          IIRC Merc did this for their super-ninja-laser-cut-kryptonite keys.

          Unfortunately they allowed any dealer to order the keys - and didn't get suspicious when some dealer in Borat-istan was requesting new key codes for 1000s of cars.

        3. Anonymous Coward
          Anonymous Coward

          Re: put a lock on the OBD port

          same on BMW's

          1. Anonymous Coward
            Anonymous Coward

            Re: put a lock on the OBD port

            But doesn't that set the alarm off?

    2. Jim 59

      Re: put a lock on the OBD port

      "BMW could do that for a nominal charge of say £100 fitting (£35 parts + £65 labour)."

      BMW didn't get where it is today by offering bargains.

    3. TRT Silver badge

      Re: put a lock on the OBD port

      I'd put the port in the door recess under a removable panel. That way, you have to have the door physically open in order to reach the connector. For OBD tests that require connection whilst the car is in motion, you could always lead the OBD connector out with a thin flexible cable pinched in the door seal.

      1. You have not yet created a handle

        Re: put a lock on the OBD port

        @TRT That's exactly where it is on my 5 series, doesn't stop them. Smash window, open door and voila.

  6. ElNumbre
    FAIL

    A poor excuse

    OBD ports have to be open - yes.

    But when it comes to security, it shouldn't be possible to plug and go - the security reprogramming routines should be encrypted with only the unlock certificates installed in stealership computers. Have they not heard of read vs read/write?

    Shirley it must be possible to allow the local non-oem garages to be able to access and edit the ECU system settings, but prevent access to the really important bits?

    1. Marty

      Re: A poor excuse

      "......but prevent access to the really important bits?"

      That's the point of the OBD system...... so that you are not locked into a visit to the dealers for ANY part of a repair for your car.

      I can think of a few ways to make it secure without compromise, but price would be the overall factor that would rule it out as viable for mass production.

      1. Timmay
        Thumb Up

        Re: A poor excuse

        Quick off the top of my head thought; introduce an artificial 30, 60, or 90 minute delay in the process of programming a blank key - probably 2 extra lines of code. Yes, a bit of a hassle when you've lost your key, having to wait a short while to program a new one, but hardly the end of the world. What thief is going to want to sit and wait that long while the car does its thing?

        1. TeeCee Gold badge
          Mushroom

          Re: A poor excuse

          A BIT OF A HASSLE??!!!!???

          At the labour rates those bastards charge it's a sight more than that! They're quite capable of coming up with enough excuses to rip you off already, without your giving them ideas.

          What they need to do is fix the ruddy thing so you can't program a key to the car without the security code (i.e. fix the sodding great bug allowing this to happen).

        2. Anonymous Coward
          Anonymous Coward

          Re: A poor excuse

          Erm, how about they program the blank key, scarper and then come back a few days later to nick the car?

          1. Anonymous Coward
            Anonymous Coward

            Re: A poor excuse

            "Erm, how about they program the blank key, scarper and then come back a few days later to nick the car?"

            Well, I think your suspicions would be raised when you go to get in your car to find it a) with a broken window, b) unlocked, and c) with a blank key (now programmed) sat in the slot.

        3. Zot
          Facepalm

          Re: A poor excuse

          Can't the thief just walk around the corner while this process is being done? "ave a cuppa tea 'n' get back at 2am for a spin"

        4. annodomini2

          Re: A poor excuse

          "Quick off the top of my head thought; introduce an artificial 30, 60, or 90 minute delay in the process of programming a blank key - probably 2 extra lines of code. Yes, a bit of a hassle when you've lost your key, having to wait a short while to program a new one, but hardly the end of the world. What thief is going to want to sit and wait that long while the car does its thing?"

          + With the alarm going off!

  7. Andy Fletcher

    By pointing out it's already fixed...

    suggests they knew about it last year. Also suggests they hoped it would stay quiet - they'd have contacted the customers to warn them otherwise eh?

  8. Anonymous Coward
    Anonymous Coward

    On X5/X6 it's fixed. The rest of us have to wait 8 weeks

    It wouldn't be so bad if the internal ultrasound sensors worked or the alarm siren actually made a bit of noise more than 50 db.... That would at least deter the potential thief.

    BMW have a lot of work to do here....

    1. Silverburn

      Re: On X5/X6 it's fixed. The rest of us have to wait 8 weeks

      Not sure why BMW even bothered with these. They managed to make them as unattractive as possible in every conceivable way to ensure nobody would actually want to steal them. Even thieves have some standards.

      For other (true) examples: See Ford's Ka. So utterly dire that not a single UK vehicle has been stolen since production of v2 started.

  9. Dave 45
    FAIL

    BMW have known...

    BMW did know about this last year, but why would they care if a few motors got nicked? Now it's been widely publicised they need to protect their brand. They need to be seen to be doing something and they don't want to put off future customers, their attitude is not good.

    The CAS software module on the ECU is what will be updated eventually.

    Oh, part of the reason why BMWs are easy to pinch is because the driver's side window can be smashed in the corner and reaching a hand down to the OBD port doesn't set off the interior alarm!

    1. Anonymous Coward
      FAIL

      Re: BMW have known...

      So their alarm system doesn't recognise the sound of the glass being smashed? Pretty sure that the change in the ultrasonic reflection pattern would trigger most alarms.

  10. Piro Silver badge
    FAIL

    My Vauxhall (Opel)..

    ..doesn't have this flaw, so it doesn't seem hard to avoid. Not only is the OBDII port right in the centre under the handbrake (you'd most definitely have to reach past the sensors), but the ignition needs to be on position II for it to be powered up, AND you need a 4 digit code to programme the key, although admittedly mine is in the folder with the car handbook.

    So much for BMW security..

    1. Aqua Marina

      Re: My Vauxhall (Opel)..

      You'll find there will be a back door just in case the 4 digit code ever gets lost tho.

      1. TeeCee Gold badge

        Re: My Vauxhall (Opel)..

        No, there is not. GM have a record of the codes for each car and its ECU held centrally.

        If the code is ever irretrievably lost, the ECU has to be removed from the car and reprogrammed. That cannot be done using the OBD port (vulns and bugs notwithstanding of course).

        You can change the code via OBD, but you need the current code in order to do so.

        1. This post has been deleted by its author

    2. Anonymous Coward
      Thumb Up

      Re: My Vauxhall (Opel)..

      And your Vauxhall has an additional security layer denied to most aspiring luxury cars: "Security through undesirability".

      1. ElectricFox
        Windows

        Re: My Vauxhall (Opel)..

        I was considering buying a Land Rover Defender last year, and am glad I did some research on the landyzone forums. Turns out there's a whole section on stolen Landrovers with a huge amount of those in the Sheffield/Derbyshire area where my parents live. Thieves were using flatbeds to lift the Landys over walls and other cars that owners thought would block them in ok.

        Needless to say, I decided to buy another £500 Punto Mk1 to replace my broken Punto Mk1. A full fuel tank constitutes 10% of the vehicle's value. I can park it up anywhere and have few worries about it. Same goes for the old bike I've had for the last 15 years. Don't drive something you can't afford to lose.

        1. Anonymous Coward
          Anonymous Coward

          Re: My Vauxhall (Opel)..

          My phone is worth more than your car - think you need to be looking for a better job m8.

        2. Yet Another Anonymous coward Silver badge

          Re: My Vauxhall (Opel)..

          So you didn't buy a Landie because they are vulnerable to being lifted out of a carpark by a crane - and you consider this a security failing !

          Isn't that a bit like complaining to the landlord if someone crashes a plane into your office ?

          1. Matt 33
            Gimp

            Re: My Vauxhall (Opel)..

            £500 Fiat banger (nowt wrong with that) to Landie Defender - you would have been disappointed, and I owned both at one point. Defenders are somewhat 'agricultural'.

            And yes it seems a little harsh to consider lack of resistance to a pikey with hiab-truck to be a security flaw...show me a car that doesn't suffer from this? (South African flame-thrower upgrades notwithstanding!)

            1. ElectricFox
              Pirate

              Re: My Vauxhall (Opel)..

              I guess I should clarify that my post was not a criticism of Land Rover Defender security. It was more the fact that there were criminal gangs operating around a regular destination for me that were stealing these vehicles to order that put me off the £5k to £10k Landy decision. The solution shouldn't be a race to the bottom of the food car chain; but on the other hand, I suspect the police have quite a job on their hands dealing with such crime.

              Piracy flag because you wouldn't steal a car.....

      2. Piro Silver badge
        Thumb Up

        Re: My Vauxhall (Opel)..

        Every little helps!

      3. Anonymous Coward
        Anonymous Coward

        Re: Security through undesirability

        I'd rather drive an "undesirable" car than demonstrate to the world I have an over-inflated ego and a belief I own the road.

        1. Anonymous Coward
          Anonymous Coward

          Re: Security through undesirability

          Envy is a terrible thing. Yes I would rather live in a small house to save on heating bills - yes I would rather wear crappy clothes to show the rest of the world I don't care what they think.

          1. thesykes

            Re: Envy is a terrible thing

            It certainly is. Luckily I've never been envious of a car that doesn't have indicators, has a design fault preventing it from driving in lane 1 on a motorway and brakes that are so bad they only manage to slow you down when you get to within six feet of my bumper at seventy mph.

            Oh, and vanity is a terrible thing too.

            1. Anonymous Coward
              Anonymous Coward

              Re: Envy is a terrible thing

              Believe me that is not limited to BMW drivers.

          2. Anonymous Coward
            Anonymous Coward

            Re: Security through undesirability

            Wow, I thought you were a pragmatic free-thinker for a moment there :P

        2. Anonymous Coward
          Anonymous Coward

          Re: Security through undesirability

          "I'd rather drive an "undesirable" car than demonstrate to the world I have an over-inflated ego and a belief I own the road."

          Luckily for you, the facts show you get the best of both worlds - you can drive a s*** car, AND have it stolen, because the Corsa and Astra are regularly in the top 5 of UK stolen cars.

  11. nigel 15
    Boffin

    The Nature of the Problem

    I've been reading about this for years.

    The problem is that the BMW is configured such that it can have ten key fobs over its lifetime, you know so if you lose your key the garage can program you a new one. Should you lose all 10 you need a new car.

    These 10 keys (obviously including the two it comes with) are preprogrammed into the ECU and their rolling key encryption seed (or serial number as it's really called) can be read.

    It's the equivalent in PC security of storing unhashed and unsalted passwords on a device that is open to the public.

    Obviously if it was just a password the solution would be to store the salted hash in the ECU and BMW keep a record of the key. But it's not a password, the password we are talking about is itself the seed to the rolling algorithm used so the fob can transmit different codes each time it's pressed. So both the fob and the car need access to it.

    The solution is just maths though innit.

    1. This post has been deleted by its author

  12. Velv
    Mushroom

    It was the Insurance companies that drove the manufacturers to fit coded immobilisers due to the volume of theft.

    When this type of theft becomes a serious source of loss for the Insurers then once again they will force the manufacturers to fix it.

    I'm not saying I agree with the process or the outcomes, but that's how risk analysis works. And at least with it being higher end cars it should occur more quickly than if it were Ford Fiestas.

  13. GettinSadda
    Boffin

    How I would program it...

    If I were given the task of programming this device I would look at the following options:

    1) Make the OBD port inactive while the alarm is set, or

    2) Make security functions inactive while the alarm is set, or

    3) Make it so that to access any security functions while the alarm is set the alarm will sound for 10 seconds, then a delay of 2 minutes, then alarm again for 10 seconds, then another delay, then access to security.

    If none of these make the car "legal" then give in and stop designing for high-tech cars!

    1. dnj

      Re: How I would program it...

      Making the OBD port inactive when the immobilizer is active is a bad idea. Early Peugeots and Citroens with Lucas diesel injection were like this and it meant that if there was any fault with the immobilizer system that the diagnostic tool which might tell you what the problem was, would not connect.

      BMW's bleating about the standard OBD protocol is also bogus. The standard mandated protocol is limited only to reading emissions related fault codes and data from the engine ECU, there is nothing in the standard about ABS, transmission, airbags, or immobilizer systems and the manufacturers have all defined their own protocols for these purposes. The only requirement for such a proprietary protocol is that it doesn't stop the standard one from working, so a different destination address in the packet headers will achieve that.

      Once you have defined a non standard destination address you simply put your own crypto and authorization on the top, in the packet payload, and for reprogramming of immobilizer key codes, you should certainly do this. With many manufacturers the car is supplied with a special code which the tool will need in order to authenticate to that particular car for security related processes. If you lose the code then you have to get it back from a dealer and for that you will need the registration document and proof of ID. Just don't leave that piece of plastic with the code on it inside the car....

      It would seem that BMW have used a universal code rather than a vehicle specific one, or have encoded it with something that a tool can freely read out, and that this algo has been cracked.

      The solution for this is for BMW to rewrite their immobilizer firmware for every BMW that's affected, and then offer all owners a reflash. Normally these ECUs have a way to update firmware using the same OBD port. They may also need to find a way to stop thieves simply rewriting old vulnerable firmware back, such as adding some security into the reflash protocol.

      1. This post has been deleted by its author

      2. Yet Another Anonymous coward Silver badge

        Re: How I would program it...

        I assume that any car with a complex and vital component made by Lucas already has a pretty effective immobiliser
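
An added sketch, not code from the article, from BMW or from any commenter, of the ECU-side check dnj describes in the thread above: the key-programming service only runs after a challenge-response over a vehicle-specific code, and repeated failures trigger a delay of the kind GettinSadda and Timmay propose. The class and function names, the HMAC-SHA256 construction, the failure limit and the lockout time are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

CONTEXT = b"program-key-v1"   # domain-separation label (constructed for this example)
MAX_FAILURES = 3              # assumed limit before the service locks
LOCKOUT_SECONDS = 600         # assumed delay once the limit is hit


def tool_response(vehicle_code: bytes, challenge: bytes, key_id: bytes) -> bytes:
    """What a legitimate tool computes: proof it holds this car's code,
    bound to the fresh challenge and to the key slot being programmed."""
    return hmac.new(vehicle_code, CONTEXT + challenge + key_id, hashlib.sha256).digest()


class KeyProgrammingGate:
    """Hypothetical model of the immobiliser's 'program new key' service."""

    def __init__(self, vehicle_code: bytes, clock=time.monotonic):
        self._code = vehicle_code      # per-vehicle secret, never sent on the bus
        self._clock = clock
        self._challenge = None
        self._failures = 0
        self._locked_until = 0.0
        self.programmed_keys = []

    def request_challenge(self):
        """Return a fresh 16-byte nonce, or None while locked out."""
        if self._clock() < self._locked_until:
            return None
        self._challenge = os.urandom(16)
        return self._challenge

    def program_key(self, key_id: bytes, response: bytes) -> bool:
        if self._clock() < self._locked_until or self._challenge is None:
            return False
        expected = tool_response(self._code, self._challenge, key_id)
        self._challenge = None         # a challenge is valid for one attempt only
        if not hmac.compare_digest(expected, response):
            self._failures += 1
            if self._failures >= MAX_FAILURES:
                self._locked_until = self._clock() + LOCKOUT_SECONDS
            return False
        self._failures = 0
        self.programmed_keys.append(key_id)
        return True


def demo() -> dict:
    """Run the gate against constructed inputs and return each outcome."""
    now = [0.0]                        # fake clock so the lockout is deterministic
    car_a, car_b = os.urandom(32), os.urandom(32)   # constructed per-vehicle codes
    gate = KeyProgrammingGate(car_a, clock=lambda: now[0])
    out = {}

    # Tool that holds this car's code: accepted.
    ch = gate.request_challenge()
    good = tool_response(car_a, ch, b"KEY-3")
    out["owner_tool"] = gate.program_key(b"KEY-3", good)

    # Replaying the earlier response against a new challenge: rejected.
    gate.request_challenge()
    out["replay"] = gate.program_key(b"KEY-3", good)

    # A code that is valid for a different car (no universal code): rejected.
    ch = gate.request_challenge()
    out["other_car_code"] = gate.program_key(b"KEY-4", tool_response(car_b, ch, b"KEY-4"))

    # Valid response for one key slot presented with a different slot: rejected.
    ch = gate.request_challenge()
    out["swapped_key_id"] = gate.program_key(b"KEY-6", tool_response(car_a, ch, b"KEY-5"))

    # Three failures in a row: service refuses to issue challenges.
    out["locked_out"] = gate.request_challenge() is None

    # After the delay the legitimate tool works again.
    now[0] += LOCKOUT_SECONDS + 1
    ch = gate.request_challenge()
    out["after_lockout"] = gate.program_key(b"KEY-7", tool_response(car_a, ch, b"KEY-7"))
    out["keys"] = list(gate.programmed_keys)
    return out


if __name__ == "__main__":
    print(demo())
```

The standard emissions-related OBD requests stay outside this gate entirely; only the proprietary key-programming service sits behind it, which is the split dnj's comment argues for.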

  14. Dave 45

    @ Brian Morrison

    From what I've heard it is because there's a 'dead' area in the ultrasonic sensors field of view (presumably near the mirror) I've read accounts from folk who've gone outside to find their car gone and a small amount of window glass on the drive.

    In any case I agree that the OBD port should be wired to the alarm at a minimum. I can understand the port is 'live' all the time, for example to reprogram a new key if both original fobs are lost. But I'm stunned there is no form of authentication.

    I am on the list to have a call back in a month's time when a fix is available for my car. It's only a bog standard 320d so hardly high on the crims' priority list I hope!

    Even my house's front door's Magnum cylinder has a 'keycard' with a code on if I need a spare as these can't be duplicated on the high street! FFS

    1. Kubla Cant

      Re: @ Brian Morrison

      @Dave 45: I am on the list to have a call back in a month's time when a fix is available for my car.

      Have you a link to this list? Or did you just phone the dealer?

    2. Anonymous Coward
      Anonymous Coward

      Re: @ Brian Morrison

      Nice of you to tell us all about your home and car security. Publicly. With your name (Dave). :-)

    3. koolholio
      Stop

      Re: @ Brian Morrison

      OBD is a specification... KW82 / SAE protocols are mainly used for authentication...

      We get back to the problem with BIOS security again... forget the password, disconnect the battery will reset it... or there's a reset button / jumper..

      This technology does not exist!!!

  15. Zog The Undeniable

    Does this apply to old jalopies like my 2002 320d Touring? Not that anyone would nick it; it's varicose-vein blue, only Apollo 13 had a higher mileage, and it's usually parked in the garage to save the blushes of the neighbours.

    1. Timmay
      Thumb Up

      If you have a physical key that you push into a barrel and twist to start it (which I suspect you do), then no, you're not affected.

  16. Steve Graham
    Thumb Up

    This is good news. I got a second-hand Toyota a few weeks ago and have totally failed to register a new, spare key to the immobiliser by using the documented procedure.

    But if the criminals can do it through the OBD, then I should be able to as well.

  17. Ross K Silver badge

    Is it true...

    ...that BMW's workaround is to disconnect the OBD port?

    1. koolholio

      Re: Is it true...

      Until what? they rewire it back in?

    2. Anonymous Coward
      Anonymous Coward

      Re: Is it true...

      No, they've disconnected the fog lights and etched a suitable warning into the windscreen to make the car less desirable to potential drivers of stolen BMWs. Maybe I could patent that idea, something along the lines of a security code needed to enable the fog lights and/or but not limited to etc, the emergency lights aka parking invisibility shield.

  18. Jase 1
    FAIL

    Pissed off owner

    As someone who has owned premium BMWs for the last 12 years this has royally pissed me off - I have £60k worth of car sitting on my drive which could be nicked by a scumbag at any moment due to BMW incompetence.

    I have no issue with the OBD port "problem" itself - criminals will always come up with new ways of bypassing any security as we in IT can lay testament to day in, day out.

    My two issues are much simpler:

    1) This problem started occurring 18 months ago and was brought to BMW's attention but they did jack shit until Watchdog reported on it. Total disregard for their customers.

    2) What idiot designed an alarm system which allows you to break the side window AND put your arm into the body of the car WITHOUT setting off the alarm and how the hell did that ever get Thatcham approval?

    BMW may well have just lost a customer through their incompetence - the service I have received has always kept me going back but this is really a step too far.

    1. Anonymous Coward
      Anonymous Coward

      Re: Pissed off owner

      No worries, import yourself a Hyundai Equus 5.0 V8, confuse the crooks and have a huge wafty car with the same name as a schlock-art film and stage show as a bonus! :P

      https://www.hyundaiusa.com/vehicles/2013/equus/?

      Disclaimer- I have no connection with these guys, although it looks shiny. Other makes of car exist, may cost more, and might be better in some ways.

      2nd disclaimer - I actually want a G400CDI which came from one of their competitor companies :P

      3rd disclaimer - I wish ;)

    2. John Brown (no body) Silver badge
      Joke

      Re: Pissed off owner

      "I have £60k worth of car sitting on my drive"

      Maybe put in the garage rather than leaving it out on full view then?

      1. Anonymous Coward
        Anonymous Coward

        Re: Pissed off owner

        Never understood why anyone feels the need to spend that much on a car anyway. Especially on British roads where much of the time you can't go much faster than about 10MPH average.

        It took a work colleague about 20-30 minutes to move about a mile the other day. I can cycle to work in 20 minutes and bypass all that traffic as no car can take the short cuts a bicycle can. Plus I don't get fat, poor and angry either.

        1. Jase 1
          Thumb Down

          Re: Pissed off owner

          "Never understood why anyone feels the need to spend that much on a car anyway. Especially on British roads where much of the time you can't go much faster than about 10MPH average.

          It took a work colleague about 20-30 minutes to move about a mile the other day. I can cycle to work in 20 minutes and bypass all that traffic as no car can take the short cuts a bicycle can. Plus I don't get fat, poor and angry either."

          I don't need to - I choose to in the same way as you choose to buy a bicycle which, IMO, is the scourge of the earth especially when the cyclists take the "short cuts a bicycle can" like riding on the pavements, going the wrong way down one way streets and jumping red lights...

          1. Anonymous Coward
            Anonymous Coward

            Re: Pissed off owner - Jase 1 08:48

            >going the wrong way down one way streets and jumping red lights...

            Ah, typical car driver, blind to the errors of their own ways and only see them in others. At least if I get hit by a cyclist going the wrong way down a one way street it's unlikely to be fatal.

        2. Anonymous Coward
          Anonymous Coward

          Re: Pissed off owner

          You may cycle in - but you get wet and run the risk of being knocked off / killed. You also can't carry a wife, 2 kids and a boot full of shopping - nor can you do a 60 mile trip in about an hour.

      2. Jase 1
        Unhappy

        Re: Pissed off owner

        "Maybe put in the garage rather than leaving it out on full view then?"

        You tried to get anything larger than a bicycle into a new build garage recently?

        1. John Brown (no body) Silver badge
          Happy

          Re: Pissed off owner

          "Maybe put in the garage rather than leaving it out on full view then?"

          You tried to get anything larger than a bicycle into a new build garage recently?

          I'd have thought anyone spunking £60k on a penis extension could afford something big enough to put it.

          1. Anonymous Coward
            Anonymous Coward

            Re: Pissed off owner

            >I'd have thought anyone spunking £60k on a penis extension could afford something big enough to put it.

            You talking about the car or his penis?

    3. Anonymous Coward
      Anonymous Coward

      Re: Pissed off owner

      The need to point out you have a premium BMW probably says a lot about you that we shouldn't go into but it also says something about the brand. What allegedly prestigious car maker has the need to make bland low end models? Still, I suppose it increases sales and allows a load of plebs to be able to say they have a BMW. We all know if they don't say the model number it's a one series and those that point out it's one of the premium models, well, as I said let's not go there.

      The same also goes for Jaguar, no mention of the model then it's a refurbished Sierra, but what the hell they can say they have a Jaguar.

      Also, I assume you mean you paid 60k for your car but I seriously doubt it is worth that.

      1. Jase 1

        Re: Pissed off owner

        "The need to point out you have a premium BMW probably says a lot about you that we shouldn't go into but it also says something about the brand. What allegedly prestigious car maker has the need to make bland low end models? Still, I suppose it increases sales and allows a load of plebs to be able to say they have a BMW. We all know if they don't say the model number it's a one series and those that point out it's one of the premium models, well, as I said let's not go there.

        The same also goes for Jaguar, no mention of the model then it's a refurbished Sierra, but what the hell they can say they have a Jaguar.

        Also, I assume you mean you paid 60k for your car but I seriously doubt it is worth that."

        This is a post about BMWs - considering many who are posting don't even own a BMW I thought it might be useful to establish that I am an owner of an affected vehicle and have a vested interest in the story to justify my concern.

        For the record, mine is not a "bland low end model" nor is it a one series - it is a premium model so I highlighted it is a premium model which makes it MUCH more attractive to thieves hence my increased concern.

    4. Trygve Henriksen

      Re: Pissed off owner

      Park it under a 'no parking' sign.

      Someone will then come around and put a nice, yellow security device on one of your front wheels.

      Sure, it costs a bit to remove the device any time you want to take it for a spin, but if you can afford a £60.000 car, I figure you can afford it...

    5. Anonymous Coward
      Anonymous Coward

      Re: Pissed off owner

      I've often wondered if Halfords would be interested in my idea to market sticky-backed plastic, fake blue veins for car obsessed blokes to stick to the side of their precious motors/manhood compensators?

  19. Anonymous Coward
    Anonymous Coward

    1m distance (and weird)

    The requirements say the OBD port must be within 1m of the driver's seat, therefore allowing any equipment to be visible/usable from the operating position. Under the bonnet is not acceptable - therefore you need to have got inside the car first to get access to the OBD port.

    Secondly, on my Ford Focus, the OBD port is only enabled when the ignition is on. Sounds like BMW have added extra features above the basic OBD functionality, and allow access without a key being present.

  20. Anonymous Coward
    Anonymous Coward

    "ODB port"

    Morons.

    How can you expect anybody to give your contributions any credit if you don't even know what it is called / know how to spell it?

    1. trashbat

      Re: "ODB port"

      It is actually you who is mistaken. The ODB port is used in this exploit to acquire all of one's money.

  21. Stevie

    Bah!

    I don't know anything about swank motorcars with dodgy doorlocks, but I do know there's only one Coldfield in Sutton.

  22. Anonymous Coward
    Anonymous Coward

    extra technical measures which will mean that their car cannot be taken...

    Remove battery from Fob.

    Use key to open door.

    Fixed

  23. Anonymous Coward
    Anonymous Coward

    And in other news

    Sales of RFID based aftermarket "secure" locks which use a 4096 bit rolling key derived from GPS data on the fob combined with biometric lock go through the roof.

    AC/DC

  24. Gordon Pryra

    @extra technical measures which will mean that their car cannot be taken...

    Whats a key?

  25. Anonymous Coward
    Anonymous Coward

    hahahahaha!

    hahahahaha

  26. Anonymous Coward
    Anonymous Coward

    AFAIK they have to gain access to the car first - once they do it is then easier to nick it using a blank key but would the alarm not be sounding? My X5 goes in for its 'update' tomorrow...

  27. dnj

    DIY fix

    I'm not a BMW expert, but I suspect you could stop 99% of thieves by finding out which of the 16 pins on the OBD port supply 12V to the diagnostic tool and put a hidden switch on the wire going to that pin.

    I think that the standard says pin 16 but some manufacturers also provide power on pin 1 or others.

    Pins 4 and 5 are always 0V.

    The OBD socket is always fused so it means finding out which fuse, and then finding which pins are live with the fuse in and dead with the fuse out.

    Without power the thieves' key coding tool won't work.

    1. koolholio
      Big Brother

      Re: DIY fix

      The last pin is usually the ground... the first wire is usually the live...

      Blow the OBD devices up! LOL they'll have one hell of a shock when they find out it also triggers the alarm etc... *wink*

    2. Anonymous Coward
      Anonymous Coward

      Re:Without power the thieves key coding tool won't work.

      And it sounds so convenient too.

  28. Anonymous Coward
    Anonymous Coward

    Guess they could just ring your doorbell - you answer - they poke knife at you and ask for your keys - job done.

    1. Yet Another Anonymous coward Silver badge

      >Guess they could just ring your doorbell - you answer - they poke knife at you and ask for your keys -

      No - even car thieves don't want to risk getting any bodily fluids from a BMW driver on them, it might be contagious

  29. philbo

    You'd have thought they'd sell loads of these kits

    ..after all, it's a lot cheaper than getting a new key programmed at a BMW dealer.

  30. Sonny Jim
    FAIL

    You don't need to grab the key transmission

    "Would-be car thieves need to grab the transmission between a valid key fob and a car before reprogramming a blank key"

    There is a blind spot on the alarm system where it's possible to break a window and access the OBD port without setting the alarm off. Once they've gained access to the OBD they use the car to program the blank key. There's no need to get access to the original key, it's just a modern day version of 'hotwiring'.

    1. koolholio
      WTF?

      Re: You don't need to grab the key transmission

      Agreed, the always transmitting 'in range' statuses was perhaps a bad idea for disclosure of key logic credentials? That's what you're saying right?

  31. The answer is 42

    Not again?

    Porsche had this problem of code capture years ago; I can't remember how they solved it anymore. Lotus use "Dynamic coding" of the transmitter keys, so that an encrypted alarm code rolls or changes to guard against "Code capture" by anyone trying to nick it.

  32. Anonymous Coward
    Anonymous Coward

    Cable...

    A motorcycle is easily nicked, to a friend of mine's dismay. He sorted it by removing the spark plug cable, and carrying it on his backpack, every time. Not stolen since then.

    1. Yet Another Anonymous coward Silver badge

      Re: Cable...

      Bikes are still a bit vulnerable to a sophisticated "putting it in the back of a van" attack.

      1. TRT Silver badge

        Re: Cable...

        A BMW X5 is big enough to fit many small cars in the back, IMHO. They look f*ing HUGE.

  33. Anonymous Coward
    Anonymous Coward

    Was there ever anything that wrong with just using a physical key to start your car?

    1. Orv Silver badge
      Coat

      Yes. It's insufficiently impressive to your friends, which defeats the purpose of buying a $50,000 car.

      1. Anonymous Coward
        Anonymous Coward

        That works OK until your 50p battery flakes out and takes a holiday, like a cordless keyboard is cool until ...... ;)

  34. Cupboard
    Boffin

    simple fix

    "extra technical measures" ==> steering wheel immobiliser

  35. Anonymous Coward
    Anonymous Coward

    BMW = Bitch, Moan and Whine.

    (When they have to walk home when the car's not there)..

  36. Allthegoodhandlesaretaken
    Pint

    Hmm no fix for a few weeks (checks dates) ah yes it's Oktoberfest in Munich isn't it...

    I'm guessing no fix till they can sober up the engineers.....

  37. koolholio
    Facepalm

    Something I'd like to highlight

    Put simply, the central door locking / anti theft system modules are NOT directly related to the immobilizer... and should never be!

    Method being highlighted: Transponder Channels and Frequencies

    CDL/ATWS modules work upon the transponder key's frequencies and channels (with one limitation - range), which can be encrypted. It is possible to be programmed by OBD access, but travels WIRELESSLY during use! (WEP / WPA situation all over again!)

    Thought I'd HIGHLIGHT that...

    The immobilizer works upon programmed keys through security of a 'key code' usually... again programmed by OBD access, but given enough effort can be reprogrammed.

    BACK to basics, USE KEYS, not wireless/wifi!

  38. Concrete Cowboy

    Trunk Monkey: The best security in the world

    Everyone should have this security system!

    http://www.youtube.com/watch?v=RCUBxgdKZ_Y

  39. Anonymous Coward
    Anonymous Coward

    The annoying thing is that an engineer probably already cried out about the security failings and said that if they just give him an extra couple of weeks he would be able to make it secure. The bosses would have scoffed and told him that it's safe enough as it is. I know I've been there enough times (not for cars).

  40. Dom 1

    This issue is only valid

    For so-called "keyless" models. Models that you need to use the key (to start the engine, for example) have an embedded chip which a sensor in the steering column reads (it also charges the battery of the remote). So, any thief would need the rolling code that the remote transmits, the chip embedded in the key and a copy of the metal part.

    So, in fact, it is more modern BMWs that are at risk. I think the next question is, how many other cars (not only BMW) are at risk? With keyless entry becoming ever more popular (for people who are just too lazy to turn the key in the ignition), this is not an issue that's going away soon.

  41. Magnus_Pym

    cheap fix

    Seems to me the 'hi tech' aspect gets the headlines but the root of the problem is that the thieves can gain access to the inside of the car without setting off the alarm.

    Pop one of those sun visor thingies, the ones that have suckers to attach them, onto the drivers door window. This will cause additional movement and set off the alarm should the perp break the window. Job done.

  42. fixit_f

    This sort of stuff isn't new though. Back in the day cars used to use infra red LEDs to unlock them, and you could get a "learning" universal TV remote to unlock them (once you'd pointed the real key fob LED at it while it was in learning mode, of course)

  43. Anonymous Coward
    Anonymous Coward

    How fast manchester to calais - so how do they do (get away with) it?

    Given this 'bug' or 'feature' has been available to the light fingered since 2006 (someone must have known!), how do they get the vehicles out of the UK?

    (Or travel anywhere within the UK) without being nicked?

    Seen how many cameras there are - surely as soon as reported as stolen, they are flagged up to the plod?

    They can't all have made it across the channel from Blighty in the few hours they are "missing" without some 'blindness' in 'the system' with border controls, customs, freight, exports etc can they?

    How fast Manchester to Calais?

    1. Anonymous Coward
      Anonymous Coward

      Re: How fast manchester to calais - so how do they do (get away with) it?

      I am not a professional thief. However, if I really had to write a plot for the sequel for "Gone in 60 seconds" in which they all travelled to Manchester to seek revenge on the old-new Dr Who, I'd have them run a plan like such:

      - See the car they want

      - See a similar car on the road (ie. won't flag up Tax, MOT, insurance, stolen), note down the numberplate

      - Get a cheap set of numberplates made up (I've used "show plates" sites in a previous life to get GB-font otherwise legal looking MOT passable plates without the hassle)

      - Run this bmw key bypass

      - Put fake plates on

      - Drive

      Or, I'm sure they are organised and they aren't opportunists, might watch where one is parked up at the house / in a car park for the working day. 8 or 9 hours, even from Manchester, is surely enough to get to the boat/tunnel to Calais?

  44. mark 63 Silver badge

    it shouldn't be so networked.

    why is door opening linked to the ecu and the obd protocol?

    if they wanna put anti-grab encrypted door opening (incl ignition) why not make it a separate system?

    am I being naive?

    it's the old - 'if you want your data secure don't put it on the internet' argument - people do for convenience but there's no reason for this
