back to article Can't afford a BMW or Roller? Just HACK its doors open!

BMW has plugged a hole that could allow remote attackers to open windows and doors for 2.2 million cars. The flaws were found by the German motoring association ADAC in the ConnectedDrive technology that allows BMW, Mini and Rolls Royce drivers to access their wheels with a smartphone. BMW patched the flaw remotely, thereby …

  1. bazza Silver badge

    Lunacy

    And so the lunacy of make cars "connected" begins. Adding a huge amount of standard networking technology is simply asking for trouble. There's loads of people out there who have made criminal livings out of hacking all these technologies, and they're very good at it. Using these technologies on a high value asset such as a car simply means exposing the car to a far larger level of threat.

    BMW and all the other manufacturers heading down this route are simply not going to be able to keep the determined hacker out.

    Upgrading to use https? What century is this? That shows a truly worrying level of naivety. Who in their right mind would have chosen http in the first place?

    At least with older cars someone had to smash a window, etc. to get in.

    1. Anonymous Coward
      Anonymous Coward

      Re: Lunacy

      Spot on, like the issue with the furnace last month being hacked remotely, the question is very simple, "WHY are we connecting things up for the sake of it".

      If the insurance was pushed up a staggering amount for cars like this, that can be stolen *easily* by someone with a £50 OBDII bit of kit, people would stop buying them as the premiums would be so high. It may make the manufactures think about having the sort of pointless technology implemented in the first place.

      In other news, sales of "disclock" mechanical and frankly, bloody good, steering locks go through the roof...

      1. LucreLout

        Re: Lunacy

        If the insurance was pushed up a staggering amount for cars like this, that can be stolen *easily* by someone with a £50 OBDII bit of kit, people would stop buying them as the premiums would be so high.

        That's exactly what happened with the old Escort / Sierra Cossie. So trivial to steal that people could no longer get insurance (well, not up north anyway) which forced the manufacturers to start taking the issue seriously.

        The same thing will happen this time around. BMW seem to be leading the charge, being vulnerable to literally every major vehicle related exploit of the past few years. And this after they spent almost 2 years denying there actually was a problem.

      2. Alan Brown Silver badge

        Re: Lunacy

        "If the insurance was pushed up a staggering amount for cars like this, that can be stolen *easily* by someone with a £50 OBDII bit of kit, people would stop buying them as the premiums would be so high."

        Funnily enough, that's exactly what's happening in some areas.

        It used to be that Italian cars were the ones that looked good but were a bit rubbish. BMW has been taking lessons.

    2. adnim
      Childcatcher

      Re: Lunacy

      It doesn't stop at cars... The race to an E, e or even i everything is well and truly on.

      I don't see the *NEED*. Oh, there might be some convenience or a few seconds of time saving and a reduction in the usage of human thought processes as we hurriedly rush towards dumbing everything down to the point where perhaps a thought process is no longer even required.

      No doubt eventually predictive technology will even replace the need to think at all. Now wouldn't the megacorps, governments/oppressive regimes embrace that! It's far easier to control a society if they don't know that they are just consuming, conforming and obeying.

      As a bit of a sociopath, (I have lived around 75% of my life and I don't give a fuck for my species any more, I feel sorry for the Kittehs though) I am going to find the future amusing. Those of you that actually care about humanity should get your fingers out and stop the rot now.... Think of the children!

    3. chris 17 Silver badge

      Re: Lunacy

      security by obscurity is no defence & no substitute for doing security properly in the first place.

      1. bazza Silver badge

        Re: Lunacy

        @chris 17,

        "security by obscurity is no defence & no substitute for doing security properly in the first place."

        That's certainly true. But I don't believe the car industry has been very guilty of that up until now. By and large the car industry has got it right in the recent past. The only data interface to the car was the CAN bus, and that's not available outside the vehicle. You have to be physically in the vehicle already to be able to plug into it. So, as long as the blipper/keyless entry system was up to snuff (and generally they've been good enough at those), theft of a car mostly required breaking a window or somehow opening a door at least.

        So their security model was pretty easy to get right. Make sure the CAN bus is physically inaccessible, and use a simple yet effective remote key fob system. Get just those two simple things right, and the car is acceptably secure.

        Now they're beginning to put a publicly accessible wireless network interface on board there's a much larger threat to the car. There's so many more things they've got to get right in order to achieve the same level of security. No one has ever managed to fully secure any internet connected server; Windows, Linux, Mac OS X; they've all had their moments of weakness. What makes the car industry think they can do it any better than the software industry?

        And it doesn't matter if they think that they're OK by having a closed, non-internet connected wireless network. By having a standardised wireless network interface they're vulnerable to someone else using standardised wireless networking equipment to connect to it one way or another. I mean, how hard is it to get a pseudo cell base station these days?

        The OS vendors/creators are at least pretty good at publishing updates for the various versions of their products. I don't think the car industry quite realises the huge software maintenance burden they're bringing on themselves if they're to uphold reputations for long lived and reliable cars. Are they going to maintain software and fix bugs on 10 year old cars? I doubt it.

        From the owners point of view Connected Cars could be a disaster waiting to happen. Once an unpatched flaw is published for any particular car then every owner of that car will probably find it impossible to get car insurance.

        I can also see the insurance industry adding general exclusions to policies concerning car theft after a bug has been disclosed. Owning an older, no-more-updates car could become a real liability.

        It does certainly sounds like BMW have counted on obscurity for security in this new system of theirs. Here begins their lesson.

    4. JeffyPoooh
      Pint

      Who is paying the monthly fee?

      Connectivity costs money. Who is explicitly* paying?

      (* Not interested in the obvious and tedious, "The consumer ultimately pays, blah blah blah." Who get the monthly invoice from the cellular networks?)

    5. joed

      Re: Lunacy

      Think of the brights side - window will no longer be smashed when you eventually recover your car (happened to one of my vehicles, "perps" were just trying to pull the radio out, unfortunately for them I secured the back with the screw - per instructions - but still, the window repaired at the "stealership" never worked the same). Should had left the door open.

  2. Anonymous Coward
    Anonymous Coward

    Upgrading to use https?

    That's about right. "New" technology in most of the automotive sector is generally at least 10 years old and they often ignore the experience / best-practice to have evolved elsewhere over that time as it "wasn't invented here".

    Kind of surprised that BMW got caught by this though as they're usually much better.

    1. Anonymous Coward
      Meh

      Re: Upgrading to use https?

      "Kind of surprised that BMW got caught by this though as they're usually much better."

      http://www.autoexpress.co.uk/bmw/60264/bmw-owners-offered-fix-hi-tech-theft

    2. TeeCee Gold badge
      Meh

      Re: Upgrading to use https?

      Kind of surprised that BMW got caught by this though as they're usually much better.

      They'll be very pleased to hear that their bullshittingadvertising is still having the desired effect.

    3. JeffyPoooh
      Pint

      Re: Upgrading to use https?

      "...BMW ...they're usually much better."

      BMW is the same company that programmed "BRUM BRUM BRUUMMM!" noises into their car radio. Very silly.

      Respect(BMW) := Respect(BMW) / 2

  3. Anonymous Coward
    Anonymous Coward

    If Google found this exploit

    I wonder if they'd release it in 90 days? And if they did, I wonder if the insurance companies having to pay up for the crazy number of thefts that would occur from an publicly available exploit on the pre-2011 models would sue Google?

    1. Anonymous Coward
      Anonymous Coward

      Re: If Google found this exploit

      If Google found this exploit - I wonder if they'd release it in 90 days?

      I suspect that that "fixed" release schedule of 90 days would mysteriously suffer an administrative delay if any of the Google board had a top of the line BMW.

      As for anyone suing Google - do you really think an insurance company would dare suing their primary gateway to victims customers? Not that they could anyway - Google didn't screw up, BMW did.

  4. Anonymous Coward
    FAIL

    Deja Vu

    http://www.autoexpress.co.uk/land-rover/range-rover/89183/range-rover-owners-refused-insurance-due-to-theft-risk

  5. nematoad

    Mini, a luxury car?

    "The flaw meant crims could drive off with a luxury freebie... "

    Rolls Royce? Yes the luxury car's luxury car.

    BMW? Maybe, but they are like belly buttons, nearly everybody has one. Full of gadgets but a bit below luxury level in most cases

    But the new Mini? Surely no-one in their right mind would call one of those great dumplings a luxury car. If BMW were to go in that direction and fill the thing with fancy gadgets and fittings then they have finally lost any lingering reasons why the original was such a wonderful development.

    Minimal car, maximal utility.

    To do that meant that most aspects of the car were reduced to basics. Sliding windows, one speed heater and that was against Issigonis' original intentions, pull cords to open the doors, etc.

    The only thing these cars have in common is BMW.

    As you might have guessed I do not like the new "Mini", however if someone was to offer me a Rolls Royce I would quickly prove that I have no bias against BMW.

    1. TeeCee Gold badge

      Re: Mini, a luxury car?

      As you might have guessed I do not like the new "Mini"

      Hear hear!

      For a start it's not a Mini. It's a fairly ordinary small/medium car that happens to be vaguely Mini shaped[1]. If you want to have a look at what Alex Issigonis would have probably built as a replacement, have a look at a Daithatsu Cuore VII. It's like a roadgoing TARDIS for use of space.

      Also, if you look at what Daihatsu did to that later to make the Trevis (Europe only, not UK) you'll see that they were perfectly well aware of what they were doing.

      [1] Apart from most of the sinfully fugly niche models developed from it, which have even given that up.

    2. chris 17 Silver badge

      Re: Mini, a luxury car?

      I wouldn't describe a modern mini as a luxury vehicle but its certainly comfortable and more premium than an equivalent sized Peugeot, Citroen, Seat Skoda etc. Going from a 106 to a mini is definitely a luxurious upgrade.

  6. John Tserkezis

    There's something to be said about driving a shitboxen.

    I used to have a 20 year old piece of shit that showed its age, and had an extensive spare parts market, both official manufacturer and third party, so it wasn't worth stealing for parts. The only thing in that car worth stealing, was my wristwatch while I was driving. As it turns out, the wristwatch was also the most advanced electronics in the car too.

    I could leave it in any seedy part of town, and watch every other car being pinched except for mine. No car thief would touch it, in fear other thieves would find out and beat them to death out of shame.

    When I got rid of it, the only part worth recycling was the stainless exhuast, and even then I almost had to pay for someone to take it off my hands.

    Sure the BMs are nicer, but you'll only enjoy them for a short time before they're pinched. I might not get home in style, but I _will_ get home.

  7. theOtherJT Silver badge

    Was there something terribly wrong with using a key?

    You remember them, right? Small, funny shaped bit of metal? You keep them in your pocket and use them to open doors and start the ignition? Kinda like a physical id_rsa.pub you keep on your person?

    ...anyone?

    1. chris 17 Silver badge

      Re: Was there something terribly wrong with using a key?

      Laggards on an IT forum? why? you'll be complaining about multicore cpu's next!! Remember when all we needed was 640KB of RAM?

      1. theOtherJT Silver badge

        Re: Was there something terribly wrong with using a key?

        "Laggards on an IT forum? why? you'll be complaining about multicore cpu's next!! Remember when all we needed was 640KB of RAM?"

        I do and it was just better :P

        In all seriousness tho, how is this an improvement on having a key? I'm really glad my car is full of computers. It means things like the ABS and ASC actually work properly, and that it starts when it's cold, and that it's vaguely possible to get miles per gallon instead of gallons per mile when driving in a "spirited" fashion... but why the hell would I want them in the LOCK?

        Defeating a mechanical lock is hard and time consuming, even if you're good at it. No two are the same so it's not like you can just knock up a single use tool that's going to open every car you step up to.* Once a digital security mechanism is broken, it's broken for good and any idiot with a compatible transmitter and a mobile phone's worth of computing power can open it.

        I'm all for improvement, but sometimes computerizing things doesn't make them better and this feels very much like a case in point.

        *Unless that "tool" is the afore mentioned 8mm flathead screwdriver and the "car" is a ford transit... in that case the problem is more along the lines of "Why did you fit a mechanical lock that could be overwhelmed with a screwdriver and a hammer without even setting the alarm off?"

        1. Anonymous Coward
          Anonymous Coward

          Re: Was there something terribly wrong with using a key?

          Let me turn this one upside down for a moment: what do you lose when you do away with a mechanical key?

          Answer: a kill switch.

          The problem with a software controlled start/stop mechanism is that you have no way to kill the engine, especially if it's an automatic. If the thing goes rogue (and it's not like that hasn't happened already) you need something to tell the electronics and the ignition to call it a day and coast to a stop (or break, but let's assume someone told your ABS to stop the brakes from working - that too has already been done).

          Personally, I think a kill switch should be mandatory in a car with start/stop facility. I don't care if it's put somewhere out of sight and the garage may charge you $$$ for resetting it, but I want something that allows me to kill the damn thing, and that something must be mechanical/electrical.

          It's a good thing they make at least the locks in such a way you can override the door lock (well, in the front, in the rear you have child locks)...

          1. theOtherJT Silver badge

            Re: Was there something terribly wrong with using a key?

            "Let me turn this one upside down for a moment: what do you lose when you do away with a mechanical key?

            Answer: a kill switch."

            I'm with you all the way. I don't like electronic parking brakes for a similar reason. I once had a brake cable snap on me and watched the pedal disappear into the floor. Scary. Fortunately engine breaking down to something sensible by sticking it in 1st and then gentle application of the hand brake got me to stop. I know things like that (hello '70s austin!) aren't supposed to happen any more, but that's not to say they absolutely _can't_

            The more we "fly by wire" the less direct control you have over the oily bits that actually do the stopping, steering etc and frankly when I'm in charge of a ton plus of high speed steel I'd quite like options in the case something does go wrong.

        2. chris 17 Silver badge

          Re: Was there something terribly wrong with using a key?

          In the 80's it was possible to buy a key from a market that would open almost all fords, then there was the open with a half tennis ball trick. then there was the once in short the ignition system to start the car. Electronic security systems not only make it harder for a thief to open the door (they could and still can smash a window) they make it very difficult to start the car without the proper key, even the correct mechanical key won't start a modern (since at least 1994) vehicle with the correct immobiliser electronic signature.

          Most cars with electronic keys have a mechanical key to open at least 1 door, this is at least true with her mini and my merc.

    2. Tim Jenkins

      Re: Was there something terribly wrong with using a key?

      "...use them to open doors..."

      Also recalcitrant floor traps and jammed RJ45 socket covers. Try that with a BMW fob...

      1. theOtherJT Silver badge

        Re: Was there something terribly wrong with using a key?

        "Also recalcitrant floor traps and jammed RJ45 socket covers. Try that with a BMW fob..."

        I use mine for the little twist-n-push fuse bar at the bottom of the PDUs. Turns out that a car key is an excellent alternative to an 8mm flathead screwdriver.

        (Also to open the car from time to time...)

    3. VinceH

      Re: Was there something terribly wrong with using a key?

      Keys... and proper spare wheels.

      Any car that lacks either one of them is a car I don't want.

  8. Ogi

    One of the "benefits" pro-connected car people...

    .... would harp on about during my debates with them about the (imo) stupidity of filling cars chock full of electronics and wireless/keyless entry, is that yes, hackers can break into them, but how many petty criminals are also top-notch computer security guys?

    I keep pointing out that while that is true, the petty crims don't need to be hackers. Just need one to work out how to break into a car, and then sell a little dongle (or I'd imagine in these modern times, a mobile app) that does the magic. Just like the problem with piracy, the moment somebody somewhere gets in, it can be distributed high and wide really fast and with little cost, and every dumb tit who can run an app can break into a car.

    For a non-connected car, your petty crim has to have some knowledge of breaking in (That doesn't involve triggering the alarm by smashing the window). And their skill varies. Some are good, others just smash and grab. Either way, it usually involves them looking suspicious next to a car for about 5 minutes, and drawing attention to themselves. Far more suspicious than if somebody runs an app near the car, unlocks it, and then just walks in like they own it.

    Apart from the population of el Reg, most people haven't quite cottoned on to the situation it seems. Maybe like a previous poster said, Insrance companies should hike premiums for these cars, in order to send a message.

  9. chris 17 Silver badge

    unless a car is being stolen for parts its very difficult to pass on stolen vehicles in the UK to unsuspecting purchasers. When the purchaser registers the car its VIN & Registration will be checked by DVLA, when its due an MOT the VIN will be checked by the garage. Customs should be checking number plates and VIN's on vehicles transiting UK borders, Yes a crook could use a valid number plate for a matching vehicle when leaving the UK, but UK spec cars aren't as desirable on the continent as the driver is on the wrong side. Also in Europe the vehicle VIN will identify the car as stolen when the new owner registers it for tax or road worthiness.

  10. adnim
    Big Brother

    First thing

    to do with a WiFi enabled car.

    Root the fucker.

    Or accept the fact that someone else: manufacturer, manufacturers third party partner or a hacker owns your car.

    Trust in corporations is for the sheep. Are you ovine?

  11. Anonymous Coward
    Anonymous Coward

    It's unfortunate...

    ...that the crims are smarter than the engineers designing the hardware. It has been know for quite some time that many makes and models of cars with electronic door locks can be unlocked with hand held devices - not commercially available stuff, just home brew. Thus the crims can steal anything in the car and leave without a trace and the car is locked again. Explain that to your insurance company. At least police now know and can confirm this theft.

  12. Anonymous Coward
    Anonymous Coward

    Cobra

    I like the idea (based on the picture) that there's any electronics on an AC Cobra (Shelby Cobra if you're from the left of the big puddle)

  13. Anonymous Coward
    Anonymous Coward

    The whole Story

    All details on the hack: http://www.heise.de/ct/artikel/Beemer-Open-Thyself-Security-vulnerabilities-in-BMW-s-ConnectedDrive-2540957.html

  14. Polhotpot
    Holmes

    This is why I drive a car that you could leave the keys in and the door open and no car thief would want it. :)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like