This is a total non-issue.
If somebody wants to steal stuff from inside your car they won't waste time dicking about with apps and passwords. They'll just put a hammer through the front window, grab what they want and run.
New BMW cars have security shortcomings that could allow thieves to pop open a victim's flash motor from a smartphone. Ken Munro, a partner at Pen Test Partners, uncovered security issues in the systems that pair the latest generation of beamers with owners' mobiles. By stringing together the flaws, a crook could open doors, …
Not a hammer. A sparkplug. Toss a sparkplug at any side window, and the window will do it's job ... disappear into thousands of bits of glass that are unlikely to even scratch the perp reaching in.
Security & safety & automobiles ... Pick two. The trifecta doesn't exist.
Not a sparkplug but a small bit of ceramic broken off a sparkplug. A sparkplug itself is just a throwable object.
Unless, knowing jake of course, you spent the last thirty years as a sparkplug technician while doing part time glass compound analysis, in which case I'll bow to your obvious superiority.
I shattered one with my hand, once. I was riding a motorbike and about to overtake a car - uphill, so not really fast - when it suddenly decided to go back the way it came. I could see my head was going to the rear side window so I stuck my hand out to try to reduce the damage I was expecting my handsome mug to sustain. I was pleasantly surprised when the window shattered as per jake's description. It didn't even hurt. I ended up half in the motor looking up at the occupants. I forget what I called them though.
"Not a sparkplug but a small bit of ceramic broken off a sparkplug. A sparkplug itself is just a throwable object."
No. A sparkplug. Not a tiny bit of ceramic.
The place: Junkyard in East Palo Alto.
The time: Mid 1970s.
The car: 1970 Datsun 510 2-door.
The destination: Uncracked dashpad and factory "full gauge-pack" dash.
The problem: No keys to get into the car.
The owner of the yard casually picked up a discarded sparkplug and flung it at the passenger-side door glass. It shattered nicely. Seems that the mass and shape of a sparkplug ensures that it'll (almost) always hit with a point, and enough energy to break the window.
@other AC (would ElReg please bring back proper time-stamps?):
I've never stolen anything in my entire life. Doesn't mean I don't know how to get away with it, mind, but I have a rather well developed sense of ethics and ethos. Can't train animals (including children and commentards!) if you are trying to lie to them.
Throw a sparkplug at your driver's side door window, AC. I double-dog dare you. (Or, more likely, your father's car's driver side window). And then repeat the experiment on all the other side glass. Make careful notes as to how many times the sparkplug bounced without damaging the glass.
Come back & report. And admit that you are an idiot.
Honestly, the mind boggles.
In the meantime, organised gangs have been trawling London and exploiting CANBUS security flaws and making off with hundreds of BMWs and Range Rovers without needing to bother with pesky things like keys.
The reported flaw is probably nothing, but it highlights that vehicle manufacturers are failing to get to grips with the fact that the in-car IT is vulnerable and can be exploited, and this is just a symptom of the issue.
Most people would think this yes but it isn't really the case. The car is worth more as parts than what is inside it so the ability to take the whole car is rather useful to a thief with a beavertail.
People also think thieves don't take time to set things up but they do. Motorcycles for example with alarms, the old trick was to tie a length of fishing line to it at night and tug from a distance setting the alarm off. Owner eventually thinks the alarm is playing up so turns the alarm off and bike is stolen. Might take a few nights of sitting around but to a thief a few nights for a few grand is time well spent.
Now think of that in relation to a car that can be crated up and out of the country or stripped down in 12 hours and any lapse in security or even merely mistrust of security could net someone a fair few grand for a few nights messing around.
I hear the hot spare parts market is booming - which would be a lead to stolen cars, even if they don't onsell the *car*, the parts more than make up for it. Heck, they're even doing smash and grabs for airbags on ordinary family cars...
Still, the BMW thing isn't nearly as bad as some security gaffs some other manufacturers have done.
"Isn't nearly as bad as some security gaffs some other manufacturers have done"
Well yes. They don't seem to be good on secure by design. On a number of car makes the electronic door key can be replicated or copied by a device which the police tell me can be bought easily on the interwebs. Which is why my Honda has had its doors opened several times and stuff nicked from the glove compartment. Until I realised it wasn't just me forgetting to lock it, so now I don't leave anything in there. Which is a pain when I suddenly discover that I could really do with using the Satnav that I have left safely at home so that it doesn't go the same way as the previous ones.
I'm not sure what area of the world you're located in, but here in the US the insurance industry pretty much killed the market for stolen parts for vehicles still in production. Something like 85% of auto insurance payouts are made directly to the repair shop and not the policy holder.
It used to be common business for the insurance company to pay the policy holder directly and put disbursement of the funds on the policy holder. The repair shop would buy parts of uncertain provenance at a greatly discounted price without the knowledge of the policy holder who had been sold genuine, new parts.
Now most insurance companies will have preferred partners in an area who handle all the repairs and are paid directly, the policy holder never has a role in the financial transaction. The insurance companies also have negotiated pricing from parts suppliers and the end result is a big circle of provenance paperwork for every last part the insurance company is paying for.
Sure, you could get into bent repair shops and such, but those are exceptions anymore. Most of the stolen parts market here is for expensive, out of production cars. Exotic and top shelf cars generally aren't parted out, but disassembled and shipped to a foreign land where they are reassembled. Customs busted three vessels carrying a total of 40+ disassembled cars in just the Port of Baltimore last year.
Regardless, it's one thing for a warlord to want a Maybach or a Lamborghini, that's fairly understandable. But I'm going to go with my gut and say most of the people who would drive an electric BMW don't fall in the warlord or shady repair shop patron categories :)
> Uh-oh, sounds like somebody forgot to hash
Not necessarily. If the thing is meant to be used primarily via mobile devices, it might have been a deliberate design decision, which sacrifices *some* security (lower entropy) for the sake of usability.
INSERT INTO credentials (username, secret) VALUES (:user, SHA1(STRTOUPPER(:password));
I understand why it isn't good practice to use your own name as an account name, but it should be! I was given my name, I use my name all the time so why shouldn't I be able to use it for online services? Well, apart from it not being unique.
Likewise, people tend to liek having one name they take with them. When I sign up for different services, I have my first choice, second choice, third choice and then random. Why? Because I want to have a common name across different services, so that people can recognise me, when we have some shared services in common.
It should be up to the service to ensure that using a "known" name isn't an issue for the customer.
"I understand why it isn't good practice to use your own name as an account name, but it should be! I was given my name, I use my name all the time so why shouldn't I be able to use it for online services? Well, apart from it not being unique."
Being able to use "any" username, and "any" password, effectively gives you two factor authentication. Perhaps it wasn't intended that way, but the point "Pen Test Partners" makes is, if you can, then you should take advantage. If the username is forced to be in a particular format, you're effectively making it single factor authentication - which is inherently less secure.
That doesn't make it a bad thing, it just means you need a more securely designed password. And I'm not confident the drivers are smart enough to do that(*).
(*)The owners are probably smart and sensible people, it takes brains to make that class of money that buys this class of vehicle. However, around these parts, I've seen spouses who *drive* the cars on a day to day basis who are - dare I say it - not quite as smart and sensible. To them "4321" would be the pinnacle of secure.
"Being able to use "any" username, and "any" password, effectively gives you two factor authentication"
Not quite it is two step verification but it is single factor (it is equivalent to a single password that is the combined length of the username+password but sometimes worse if the system individually lets you know if the username is wrong regardless of password).
Two factor could be available if the mobile phone, for instance, had to be verified and unique so that only a verified mobile phone could be used along with a (username/)password
Wrote :- "[BMW] owners are probably smart and sensible people, it takes brains to make that class of money that buys this class of vehicle."
Wow, this is turning into a BMW admiration forum? There are many idiots who get big money purely by luck. The obvious example is lottery winners, but people also get money by inheritance by default from distant wealthy childless aunts for example. It is precisely at such moments that some people are likely to splash out on an expensive car, the less brains the more likely in fact.
I was in a motorway traffic jam recently, the sort where the delay is so long that people get out and start chatting. I was struck by the lack of correlation between the type person they seemed to be and the the type of car they were driving. FWIW I could go straight out and buy the top-of-the-range BMW, but I drive a car that is 20 years old. Call me tight if you like.
"it takes stupidity to make that class of gullible fool that buys this class of vehicle."
Fixed that for you. The number of big BMWs I see in less affluent areas proves that earning big money is not required for BMW ownership. (or any other brand of overly expensive car)
Big money has never been a requirement for owning any production line automobile. Gone are the days of (many) ethnically targeted colloquialisms but 'trailer park Cadillac', 'car poor' and 'all hat, no cattle' work just as well. All that's required is that a person prioritize their car over all else. Some people are perfectly happy to live in a house with wheels on it as long as they can make the payments on a car that let's them feel important.
They completely miss the point in having those sorts of vehicles, but what can you do: It's their choice. The reverse is true as well. Plenty of people here in Northern Virginia buy homes far outside the realm of reason and eat Ramen noodles for dinner everyday because the electric bill is 25% of their monthly income. They too miss the point.
Fancy cars in their 'proper' environment don't impress anyone because everybody has a fancy car too. Same with houses. Everybody's got a fancy one and no matter how great you think it is, somebody there is always going to have one that's bigger, better, faster and more expensive. Competing with others and attempting to impress with things that come off a production line is just as stupid for poor people as it is for extremely wealthy people.
"The number of big BMWs I see in less affluent areas proves that earning big money is not required for BMW ownership."
I've seen this in some (primarily European) countries, but it doesn't apply here in Australia. You either need a bucketload of money to buy one, or, if it's a shitbox, you're paying a bucketload of money to keep it on the road. Either way, you're not getting away with it on the cheap. I'm thinking it's the import fees that try to encourage the purchase of Australian-Built cars (even though that industry is nearly dead now anyway), plus the local perception that a beemer = money.
Maybe because when you give your name to someone in Real Life (TM), you don't expect them to be going through the roof of your house in the next ten minutes to check out all your stuff, mosey in the cellar and leave a turd in the fish bowl.
Because on the Internet, they can do that and more, if they are determined.
There's not really much point in making an uber-secure unlocking app when alternative methods of gaining entry (and driving off the car) are so much simpler. Once it's at least as hard to crack as breaking into the owner's house and stealing the keys, or even threatening the owner to make them hand over the keys, then it's really good enough.
> If you allow users to choose their own username that weakens security,
The username is supposed to be publicly disclosable, after all that's how you identify a user (cf. email). Good security should not rely on attempting to hide usernames (which users will end up writing down anyway). What Professor Whathisface is advocating is security through obscurity.
> which is why banks don't allow it.
The hell they don't.
Actually, what he's advocating is security bolstered by obscurity. Security through obscurity relies on obscurity as the primary defense (e.g, a proprietary encryption algorithm, or even a hidden private key).
He's not saying that they should use obscure usernames and that's all, he's saying if they can use obscure usernames on top of a good password/encryption scheme, that adds an increased level of security. He's not saying rely on obscure usernames, but take advantage of the opportunity.
Furthermore, one's e-mail address need not have anything to do with one's login name, even within the e-mail system itself, beyond an association in some database.
The trade-off between security and usability is never easy. From what the article says, it seems BMW have made a fair attempt at trying to make the system secure, but easy to use by non-nerds.
Is it perfect? No. (But is any security system perfect?)
Is it hideously broken? No.
The appropriateness of that trade off is a reflection of how well a company understands its customers. At least 2/3 of the people I know who own BMW autos (not motorcycles :) are the same sort of people who return a box of screws because it contained 199 instead of 200. The same sort who write Amazon reviews blasting a $75 waterproof phone case and its manufacturer because they took it scuba diving in 60' of water. The same sort who sue because they stabbed themselves in the dick with a knife and blame it on the lack of a 'do not stab self in dick' illustration and warning callout on the package.
Based on the comments, I feel safe assuming a fair portion of BMW owners in Europe and the UK are the same as we've got here. That being the case, I think BMW has a pretty good handle on the security/usability tradeoffs :) It's not designed to be secure, it's deigned so Twonk1 can show off the app to Twonk2 without it hindering his presentation with boring passwords and stuff.
In the US the 'Binner/Beemer' was traditionally directed at the 3-Series vehicles popular with some of of our least desirable citizenry. It's exceedingly rare to see anything less than a 3-Series here, I've never seen a new one on a lot. It used to be fairly rare to see the 5 and 7-Series cars as well, but they seem to become more popular in direct proportion to the growth in the organized displacement of labor.
Ha! Holy Shit! That needs to become a standardized measure in economics; the BMW factor. The correlation between the level of finished goods produced in a country compared to the number of 5 and 7-Series BMW's in that country. I would like to propose that measurement be formally developed and added to the El Reg system of weights and measures!
> It's exceedingly rare to see anything less than a 3-Series here
Not in the US itself, but the 1-series seems to be fairly popular amongst Merkins stationed in Germany, I'm led to believe.
I agree about the 3-series being essentially a chavmobile.
Same goes for the 5-series really. While I like the smoothness of the eight-gear automatic transmission, thanks to rear wheel drive they're fucking annoying to drive, especially in the winter if you live in a cold, icy place. It's also telling of what their intended audience is if you read on the manual (3- and 5-series) the bit explaining the presence of a "traditional" handbrake (which is unusual in higher-range cars: it's electric and mostly automatic on Audis, and pedal-based on Mercedes): the more or less explicit rationale is so that you can do handbrake turns. :-/
With that said, one should not generalise too much: the 3-series is a relatively good car for a relatively affordable price and station wagons make for decent middle-class family vehicles. Especially if they like handbrake turns.
"It comes with this thing called a "Key" which I keep on my person at all times. The car is remarkably hard to open or start without it."
Not really. If you're willing to limit the type of vehicle you wish to aquire, a half brick and a screwdriver will do nicely.
What happens when the original owner sells the car? How can the new owner be sure the seller has deleted all installed apps on all his phones, thus has no more access to the car? Can you disable individual phones from the dashboard/display?
Does the new owner need to phone the call centre to create an account and register the car? What's to stop anyone doing that - current means for stealing some up-market cars is go to a delaer in a foreign country and request a new key. Sounds like something similar mayb be possible here. Mind you, why a new key works without being programmed into the car is something of a security oversight.
"What happens when the original owner sells the car?"
The previous owner would need to reliquish the old password, then it would be smart if the new owner changed it.
However, if past experience is anything to go by, that's not going to happen. (as per the anti-theft four digit car radio code that disables the radio when removing the battery).
The new owner will have to go to a dealer, who then takes a form with suitable identification and VIN number, which then gets passed on to the factory who uses a lookup table for that radio's code, then passes that back to the dealer who gets in touch with the owner. Six years later, the ower has sold it to someone else and doesn't care anymore because he pulled out the factory radio and replaced it since then anyway.
This is the same, except the remote functionality is never used, and the car operates much in the same way as any other car. And this bit I learned the hard way: If you're sold a car, that is claimed it drives like any other car, the manufacturer is under no obligation to fix any other special features - because they don't stop it from being a "car".
"Can you disable individual phones from the dashboard/display?"
That would make this system a lot more secure, if an individual mobile had to be verified and activate from the car with the ignition turned on. You wouldn't be able to load the app onto any other phone then and use it as the mobile would not be verified.
BMW, like all other production car manufacturers generate an enormous portion of their operating revenue and have their highest margin products targeted directly at the used car market.
Ideally you trade your BMW back in at the dealership where you bought it and BMW will be more than happy to merge your existing negative equity with your new negative equity. But if you're going to be difficult they'll just get you on the genuine BMW parts and fluids most BMW owners demand. There's fuck all money in new car sales. In 2002 BMW surpassed the $2k per car holy grail in new auto manufacturing. Most production manufacturers tend to hover around the $6-700 per car range. Trade ins, financing, service and parts is where the money is. New cars and game consoles have the same business models with the difference being margins on the post sale products.
Is it any different than an RF radio on your keychain? I can actuate the door locks, open or close the windows and sunroof, move the seats to preassigned configurations, start and turn off the engine and mute the radio if I left the volume to high the night before, so as not to disturb the neighbors with my music while the car is warming up. It's nice because it wasn't so long ago that the key fob was just a transmitter and you had to look out the window to verify the car received your commands. Now the fob is a two way radio and provides command verification without anyone having to look out the window.
Furthermore, the person with the key fob has control of the vehicle. Full stop. No passwords, biometrics, test questions or social engineering required. You are logged in simply by possessing the fob. With the exception of command verification, none of that is new technology. I'm not sure how using that technology via a smartphone instead of 30 year old key fob tech is any different.