BMW Cars Vulnerable To Blank Key Attack

Techmeology writes "Thieves have discovered how to steal BMW cars produced since 2006 by using the onboard computer that is able to program blank keys. The device used — originally intended for use by garages — is able to reprogram the key to start the engine in around three minutes. The blank keys, and reprogramming devices, have made their way onto the black market and are available for purchase over the Internet."

Re:Imagine if this was self-driving car

[Krneki]

It can happen yes, but what is more likely to happen an incompetent/drunk driver running you over or a hacked AI car?

AI car will not be perfect, but I'm sure as hell they will be much better then the regular Joe.

Re:Imagine if this was self-driving car

[Googlefu]

If they can't even get "little" details like car locks working, how is full-driven AI going to be any better?

Re:Imagine if this was self-driving car

Why would you be responsible?
Are you responsible when someone steals a normal car?

In other news:

[AtomicDevice]

Highly advanced cyber-thieves discover method to steal cars with a coat hanger and a screw driver! Everyone cower in terror!

Not that this isn't dumb security on BMW's part, but the thing keeping people from stealing your car is their conscience and the police, not your hyper-powerful super-locks. They might keep some dumb teenagers out of your car, but not car thieves who buy blank keys on the black market and learn to reprogram them.

Re:In other news:

[rot26]

PREVENT crime?

You're thinking of some organization other than the police. They're just there to fill out the paperwork afterward.

Re:In other news:

Yes, but do you think the crook would have broken a window to get your coat?

Re:Imagine if this was self-driving car

[MetalliQaZ]

Heh. When did Asimov's rules become law?

Also, just FYI, Asimov created those laws to break them down. He wrote a whole collection of stories that examine how the "3 laws of robotics" can fail.

Re:Imagine if this was self-driving car

[Krneki]

It's security vs ease of use. Maybe they hopped no one would bother, now they know it and the next model will be more secure. The thing about science is that is moving on, while human driving is not.

Security and lifetime of your typical car

[sinij]

Cars are expected to last at least 10 years, many last much longer, well into mid 20s.

Such timescales are 'forever' in the sense of IT security. Just look at 'recent' examples - WEP was rolled out around 2000 and is now broken in just a couple minutes. Most cars made in 2000 are still on the road.

I'd go as far as saying that it is impossible to secure your car for its expected useful life without the use of physical security.

Re:Security and lifetime of your typical car

[0123456]

PGP is over twenty years old, and I'm not aware of it being broken other than by rubber hoses or brute force on short keys.

You don't need physical security, you just need security developers of clue.

Re:Security and lifetime of your typical car

[iluvcapra]

Note that PGP has changed its encryption and hashing algos several times. A PGP encrypted message today is safe from prying eyes today; a PGP message sent twenty years ago, with the original BassOmatic cypher, is quite vulnerable given modern hardware.

Re:Ford Comparison

[TWX]

I'm not surprised.

Essentially no one thinks about security, or more accurately, while one team is thinking about security, another team is thinking about something that totally and completely bypasses that security.

And as for Ford, there was an article in Wired several years ago about the possible failure of immobilizer systems in various Ford/Lincoln vehicles.

In my opinion, if there's a legitimate way to make the vehicle move, there's a way to make the vehicle move. If you don't want the vehicle to move then you need to remove something from it that makes it move, preferably something that a thief wouldn't normally bring with them, like a coil wire on a vehicle with a distributor, or a fuel pump relay or ASD relay, or something like that. Come to think of it, one could probably relocate such a relay to the passenger compartment to allow one to use the relay itself like a key, removing it to immobilize the vehicle.

Either way though, relying on an electronic means from an automaker is foolish.

Re:Imagine if this was self-driving car

[Joce640k]

AI car will not be perfect, but I'm sure as hell they will be much better then the regular Joe.

I can tell you're not a lawyer...

Re:Ford Comparison

[19thNervousBreakdown]

Or security by economy of effort. As it is, it takes 2 minutes to access the port to reprogram keys. If that port and its wires were buried in the engine so that you had to put the car on a lift and take it half apart to access, they'd move on to easier targets.

Being able to create duplicate keys from the car itself is great. The lock doesn't have to be unbreakable, just more trouble to break than it's worth.

Re:this works great though

[characterZer0]

If you're too much of a lazy fat ass to crank-start your engine and you need to turn a metal key, you deserve to get your car stolen.

Re:Imagine if this was self-driving car

[tibit]

Not any crazier than selecting candidates based on keyword matches in their resumes, I'd think.