BMW Cars Vulnerable To Blank Key Attack
Techmeology writes "Thieves have discovered how to steal BMW cars produced since 2006 by using the onboard computer that is able to program blank keys. The device used — originally intended for use by garages — is able to reprogram the key to start the engine in around three minutes. The blank keys, and reprogramming devices, have made their way onto the black market and are available for purchase over the Internet."
Not only would Google's self-driving car be vulnerable to this attack, it would start driving around itself! And you would be responsible for everything the hacked vehicle did.
I agree with the previous note. It raises some very interesting points and why Google's self-driving cars would be bad. Just imagine if someone hacked your car and it ran over someone.
Amazingly, the blank keys and the device are both available to buy at a bit of a price on the internet.
And the question is: how many BitCoins do those cost?
Mastering the English language is fucking easy: all you have to do is to put an f* word in every fucking sentence.
I know Ford around the same era required other valid keys to be present when the new key was programmed. I'm surprised BMW didn't have a similar requirement.
No more waiting around for a dog to crap out the 'laser encoded' keys he ate.
Oh, and I know Nick Cage sucks, but that's my girl's favorite movie and it always makes her horny. So yeah, I have seen it too many times.
Silence is a state of mime.
Highly advanced cyber-thieves discover method to steal cars with a coat hanger and a screwdriver! Everyone cower in terror!
Not that this isn't dumb security on BMW's part, but the thing keeping people from stealing your car is their conscience and the police, not your hyper-powerful super-locks. They might keep some dumb teenagers out of your car, but not car thieves who buy blank keys on the black market and learn to reprogram them.
Ze Atomic Device! It iz Ztolen!
and after the fix all work must be done at the dealership
http://news.slashdot.org/story/12/07/10/1657203/hackers-steal-keyless-bmw-in-under-3-minutes
Cars are expected to last at least 10 years, many last much longer, well into mid 20s.
Such timescales are 'forever' in the sense of IT security. Just look at 'recent' examples - WEP was rolled out around 2000 and is now broken in just a couple minutes. Most cars made in 2000 are still on the road.
I'd go as far as saying that it is impossible to secure your car for its expected useful life without the use of physical security.
(Since it's a duplicate post, I'm going to include my reply from the last time it was posted)
The basic design flaw is how key duplication/recovery is handled.
On my motorcycle (a Concours 14 with keyless ignition), to program a new key you need an existing key, to tell the computer "hey, this is the new key to use". The disadvantage is, naturally, if you lose all your keys, you need to replace the computer!
But it's better than the alternative. On the BMW, all you need to do is plug into the OBDII port and tell the computer "Here is the new key". This means if you lose all your keys, you don't have to buy a new computer... But it also means that anyone who can break into the car can create a key and drive off.
Test your net with Netalyzr
They cost between 17,000 and more than 100,000 thousand pounds.
£100,000,000 is too much for any car, let alone one that allows anyone to steal it.
--
....like my personal favorite, the 2002. Sure, it can still be stolen using much less sophisticated equipment, but it's arguably cooler than many of the modern iterations and a lot easier on your checkbook.
http://www.youtube.com/watch?v=kVmPfCFFkqQ&feature=related
All you have to do in the BMW is to tell the computer "This is a blank key, please put one of the legible, unencrypted 10 passwords you have in you on the blank key". The other keys already issued would still work and you could even program keys with them as well, just not using the car itself.
I was promised a flying car. Where is my flying car?
Push comes to Shove all you need to steal a car is a FlatBed Wrecker with an optional Crane.
Now this is STUPID since it enables you to not need to get to extreme methods to steal a very pricey car.
Any person using FTFY or editing my postings agrees to a US$50.00 charge
On /b/ you can be certain, he is talking about his kids.
On /. you can be certain, whenever someone is talking about sex, he is lying.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
All you need to stop this is a car alarm and a .357 magnum.
Have gnu, will travel.
Yeah. And if you can get to the OBD2 jack, you can pwn not only BMWs, but Minis, Mercedes, and a bunch of other tasty cars. You download the key, and using the magick of eBay programmers, reset a "blank" key into a new one. Drive away. Try to look dapper.
---- Teach Peace. It's Cheaper Than War.
Let's be honest, the easiest way of stealing cars is that you get in and drive away. If smart electronics, big mechanical bars, armored doors and brakes are preventing you from this you can always and quite easily use a truck with winch or towbar. Sound alarms might work on your driveway but not on a busy parking when a professional looking tow truck is having its go at your car. GPS antennas are easily jammed/cut or covered. Besides the 'hacking' of electronics there are many ways to drill holes for cable clipping, fuse pulling or apply voltage to powered windows and/or locks. High value objects that are out there will always be of interest to people that have low moral values.
Where, god damn it, where?
(posting as AC 'cause I forgot my password)
I saw this on Slashdot last month or so...
Dapper?? does that mean wearing a top hat and tails while stealing one?
So, 2006 technology that made it more difficult to start a car after you've already broken into it has been circumvented using tools developed and sold for just that purpose? Wow! I would have never guessed that there was any possible way to start a car, especially an all-mighty BMW without the original key...
In other news, it turns out some clever thieves have discovered this amazing thing called a (likely used or stolen) tow truck that allows you to drive off with any vehicle, even if you don't have the keys.
...you don't "program" a key, rather, the serial number spat out by the key is stored in the car's computer and recognized as valid.
The mechanism for making 3rd, 4th, etc keys (you need 2 different originals in most cases) is present in most American vehicles that have a factory immobilizer.
For example, if you cut a key and want to program it for your Jeep:
- Insert original key #1, turn ignition to ON, wait a few seconds, turn to OFF
- Remove key #1, insert original key #2, turn ignition to ON, wait a few seconds, SKIS light lights, car beeps, turn to OFF, remove key
- Insert new key #3, turn ignition to ON, wait for SKIS to stop flashing and beeping. Your new key is stored.
- Profit???
Always ensure you never give your mechanic two keys. Also ensure he doesn't own the more complicated and expensive units locksmiths and dealers own that can reset the immobilizer and program keys without originals (not as hard to get as you might imagine). Lastly, just don't trust immobilization systems to be worthwhile--at least in Canada the only requirement is that they resist a tools based hacking approach for 5 minutes or 15 (?) minutes without tools to be certified (they are required on all new non-fleet vehicles here).
It's all part of "Sharing the wealth"
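The enrollment policies contrasted in the comments above (no existing key needed at the diagnostic port, one existing key as on the Concours 14, two originals as in the Jeep procedure), modelled as an added Python example that is not from any poster or manufacturer. The HMAC challenge-response and the names `Key`, `Immobilizer` and `demo` are hypothetical simplifications, not how any real immobilizer works.

```python
import hashlib
import hmac
import secrets

class Key:
    """Hypothetical transponder: holds a secret shared with the car."""
    def __init__(self):
        self.secret = secrets.token_bytes(16)

    def respond(self, challenge):
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()

class Immobilizer:
    """Toy model; required_keys is the enrollment policy being compared."""
    def __init__(self, required_keys, factory_keys):
        self.required_keys = required_keys
        self.enrolled = {k.secret for k in factory_keys}

    def _match(self, key):
        # Fresh random challenge each time, so a recorded answer is useless.
        challenge = secrets.token_bytes(16)
        answer = key.respond(challenge)
        for s in self.enrolled:
            expected = hmac.new(s, challenge, hashlib.sha256).digest()
            if hmac.compare_digest(answer, expected):
                return s
        return None

    def enroll(self, new_key, presented=()):
        # Count distinct enrolled keys that prove possession right now.
        proven = {self._match(k) for k in presented} - {None}
        if len(proven) < self.required_keys:
            return False
        self.enrolled.add(new_key.secret)  # simplification: secret is shared
        return True

    def start(self, key):
        return self._match(key) is not None

def demo():
    """Per policy: (no key, one key, same key twice, two keys) -> enrolled?"""
    out = {}
    for policy in (0, 1, 2):
        a, b = Key(), Key()  # constructed sample: two factory keys
        car = Immobilizer(policy, [a, b])
        cases = [(), (a,), (a, a), (a, b)]
        out[policy] = tuple(car.enroll(Key(), c) for c in cases)
    return out
```

Only policy 0 enrolls a blank with no owner key present; policies 1 and 2 buy that resistance at the cost the Concours comment names, since losing every key leaves no way to enroll a replacement.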
If you're too much of a lazy fat ass to turn a physical metal key and you have to push a button instead, you deserve to get your car stolen. If you're stupid enough to buy a car with a system like this, you especially deserve to get your car stolen.
Dapper?? does that mean wearing a top hat and tails while stealing one?
Some of us prefer fedoras and wingtips, but yea, that's the idea.
An enigma, wrapped in a riddle, shrouded in bacon and cheese
If this is such a big vulnerability, and BMW was amply aware of it and the customers weren't, then this screams of Recall to me. I understand buyer beware, but you're paying a lot of money for a high end car with security that the consumer has been told (I'm guessing) is very secure. Here it's being proven that it is indeed not very secure at all. Furthermore, this sounds to me like owners who were unaware of this who may fall victim to theft may decide that a Class Action lawsuit would be a course of action.
BMW has put on a great Security Theater performance, but the magic trick has been exposed and it's not such great theater any more.
I hope BMW owners have some options to improve security of their vehicles.
Life takes interesting turns, but the most interest is when you're off the beaten path.
True story. Some years back in N.Y.C. thieves stole a restored vintage car, not knowing the owner had installed his own homemade anti-theft deterrent system. As they're tooling around in Manhattan, the thief who's driving sees a large unlabeled red button mounted all by itself in the dash. The guy says to his buddy, "Hey, I wonder what this does...", and presses it. In the middle of a block the engine shuts down, the horn blares, and the car's lights keep flashing on and off. Unable to restart it, the thieves abandon the car, and that owner was laughing when he got it back, unscathed, the same day. So this story shows how you don't always need an expensive complicated alarm system to get the job done.
And does it work on SAAB cars? I was quoted $1500 to get a new key programmed.
It's certainly possible to build an anti-theft system that can't be bypassed without replacing major components. But if it's too good, owners who lose the keys will have bricked their car. There's a tradeoff between repairability and security.
This is a different tool for different keys. This thing is for cars with mechanical ignition locks, for one thing.
The cars being targeted don't have any mechanical locks at all and only use a transponder for security.
The tool that enables what the article is talking about, programs a transponder while it is in the car's transponder slot. It reads information from the car's security computer and writes it into the key.
To BMW's credit, they made it very difficult to retrieve this data without removing the black box, but eventually someone found a way.
To use the tool linked on eBay, you must first cut the key with a key cutting machine, so it will fit the mechanical lock. Then, you must remove the EWS box from the steering column housing, open it, and either boot it with one of the boards connected or desolder the PLCC microcontroller and read the EEPROM, depending on which version of the tool this is. Then you are able to place the key on the black box in the key silhouette and your PC programs the transponder.
Not that I have any sympathy for people who buy ridiculously priced cars, but even still, don't most people have car insurance? Why do people go to such absurd lengths to protect their cars? I've never understood that. If somebody steals my car, I call the insurance company, and get another. It's not that complicated.
I wish someone would steal my 2001 Saturn sc1. It's like the cloak of invisibility.
All cars can be stolen in a matter of seconds. The key programming things are just a way for the dealers to rip people off charging $500+ for a new key which actually costs only a few dollars. There are reverse engineered or sometimes even authentic programming devices available for pretty much all but the newest cars (just wait a year or two and those will be available too).
Part of BMW's response FTFA:
"A vital point to acknowledge here is that there is no such thing as the ‘unstealable’ car, as Ron Cliff knows well. If a criminal decides they want your car, they will find a way to take it. Our job is to make it as difficult as possible."
Apparently, that means making it take three minutes, instead of, say, two and a half. Dare we dream one day of the car that can resist theft for... four minutes?
-Snorbert, somewhere in the antipodes
No one has posted a car analogy... Oh wait.
Glad mine's an '05!
OK. And now the next question is: So what?
I mean, what practical effect exactly do the fine tolerances have? That you can get from one stoplight to the next faster?
Well, you can't get there faster than the speed limit, so, again, so what?
Or, if it has no practical benefit, but rather it's more a matter of "I can afford it", that's fine, too, please state that. In that case, it would fall into the same category as fine china vs. normal dishware, silver vs. steel utensils, expensive wooden doors, "rich Corinthian leather" vs. fabric seats.
I'm not a lawyer, but I play one on the Internet. Blog
The answer to the financial liability question is to have the self-driving cars mow down all the lawyers!
I'm not a lawyer, but I play one on the Internet. Blog
Would a PKI-based system not work? The way it works now, I imagine, is that all the dealers in the world share a single password for the backdoor.
Instead, why not store dealers' public keys in the cars, and also 50,000 more for new dealer expansion?
I'm not a lawyer, but I play one on the Internet. Blog
Does everyone really think that a company as large and professional as BMW made its cars vulnerable simply due to an oversight?
Here in the EU it is illegal for a car manufacturer to encrypt the comms between the diagnostics port and anything connected to it -- so that local garage mechanics can compete for the servicing of cars along with the manufacturer's service centres. Unfortunately it is this diagnostic port that is used to reprogram keys. Admittedly it doesn't help that the port is in the footwell.
BMW effectively have their hands tied by EU bureaucrats and I'd be surprised if other manufacturers aren't affected by the same rules.
learn autocross on the interstate as all bimmer drivers do? bmw = sob