Slashdot Mirror

← Back to Stories (view on slashdot.org)

BMW Cars Vulnerable To Blank Key Attack

Posted by timothy on from the now-that-is-a-catchy-slogan dept.

Techmeology writes "Thieves have discovered how to steal BMW cars produced since 2006 by using the onboard computer that is able to program blank keys. The device used — originally intended for use by garages — is able to reprogram the key to start the engine in around three minutes. The blank keys, and reprogramming devices, have made their way onto the black market and are available for purchase over the Internet."

15 of 291 comments (clear)

  1. Imagine if this was self-driving car by Googlefu · · Score: 5, Interesting

    Not only would Google's self-driving car be vulnerable to this attack, it would start driving around itself! And you would be responsible for everything the hacked vehicle did.

    I agree with the previous note. It raises some very interesting points and why Google's self-driving cars would be bad. Just imagine if someone hacked your car and it ran over someone.

    1. Re:Imagine if this was self-driving car by DigiShaman · · Score: 4, Interesting

      Take the first law for example

      A robot may not injure a human being or, through inaction, allow a human being to come to harm.

      So a robot walks in a warehouse and finds 100 people all tied up. One of them in the middle has explosives. In this scenario, the robot concludes that the only way to save the other 99 is to kill the one with the explosives. He only has 5 seconds to make a decision.

      What does he do? By the first law, he's screwed no matter what decision he makes. Does he opt for the greater good option and kill the one man to save the 99? Or let all 100 die?

      --
      Life is not for the lazy.
    2. Re:Imagine if this was self-driving car by Pieroxy · · Score: 4, Interesting

      It's not security vs ease of use. It the proof that you should not let a hardware company reinvents itself as a software company. At least not for critical stuff. Whether the car lock is critical or not is another debate.

      Look at drivers for printers or scanners, or GC to see that hardware companies have no shame at all when it comes to releasing software that any software developer would qualify as a pile of smoking shit.

      --
      Write boring code, not shiny code!
    3. Re:Imagine if this was self-driving car by Chatsubo · · Score: 3, Interesting

      Geek BMW driver here: I only go to work in T-shirts with game logo's on them and jeans. I can't tell you how priceless the looks are when I get out sometimes. This unruly looking nerd?

      BUT, Pro tip: Since driving a 5 I've had multiple job approaches from strangers on the street. I'd go so far as to call it an investment in your career (even if you buy a cheaper 2nd hand one like I did).

      That's not the way it's supposed to be, but my RL experience bears it out. Typical convo (I swear on my grandma's grave, this has really happened to me. Even at a funeral - no relation to grandma):
      "Hey, that's a nice car you have there"
      "Uhh, hi, yeah, thanks"
      "What do you do?"
      "I'm a software developer"
      "Looking for a job? My name is X and I work for...."
      I've verified that those I didn't immediately blow off were indeed mgmt at software companies.

      So, ya'll have fun bashing bmers!

      --
      > no, yes, maybe (tagging beta)
    4. Re:Imagine if this was self-driving car by 1s44c · · Score: 4, Interesting

      "Hey, that's a nice car you have there"
      "Uhh, hi, yeah, thanks"
      "What do you do?"
      "I'm a software developer"
      "Looking for a job? My name is X and I work for...."
      I've verified that those I didn't immediately blow off were indeed mgmt at software companies.

      So, ya'll have fun bashing bmers!

      Are you making this up? Basing recruitment decisions on the car someone drives sounds crazy to me but this is one crazy world.

    5. Re:Imagine if this was self-driving car by Joce640k · · Score: 3, Interesting

      Nope. Just look at what happened to Toyota, Audi, et. al. because somebody blamed the accelerator pedal for their inability to drive.

      --
      No sig today...
  2. Ford Comparison by Anonymous Coward · · Score: 2, Interesting

    I know ford around the same era required other valid keys to be present when the new key was programmed. I'm surprised BMW didn't have a similar requirement

    1. Re:Ford Comparison by mlts · · Score: 3, Interesting

      There is that, or use security by obscurity. For example, on Ford PATS systems, one can put a switch in on the circuit of the ignition antenna which reads the key's RFID chip.

      Flip the switch, and even if a thief was able to clone a 40 (S) or 80 bit (SA) PATS key, they will still be stuck scratching their head as the ignition still wouldn't start.

      Of course, this doesn't mean that the thief will not resort to vandalism, but it will mean the vehicle most likely will remain in the same spot unless towed.

    2. Re:Ford Comparison by Lumpy · · Score: 4, Interesting

      Why so complicated? a simple $3.29 switch that interrupts the power to the fuel pump. Works on 99.98765% of all cars and will foil any thief.

      Flip switch under seat, and leave the car. Thief tries to start car and it acts like it is out of gas. No thief will look under the seat for a switch they have less than 30 seconds to get in and get the car moving or they risk getting caught, so if they cant do a fast smash and grab they move on.

      --
      Do not look at laser with remaining good eye.
    3. Re:Ford Comparison by CanHasDIY · · Score: 3, Interesting

      So put the switch different places in different installs. Under the seat, in the glovebox, and under the dash (above the accelerator) all come to mind. Better yet, repurpose an unused factory switch, or find a factory switch you don't really use, put that elsewhere, and hook the old switch up to the fuel pump. Maybe you have to push the tire pressure monitoring system reset button before the car will start...

      This is security by obscurity, but when it's different and non-obvious on each car, it's good stuff.

      No, that's not "security through obscurity," it's "security through ridiculously circuitous nonsense."

      Most modern cars, i.e. the type to have a tyre pressure monitoring reset button, don't like it when people start hacking up their wiring harnesses. And by "don't like it," I of course mean "will refuse to start until a professional technician fixes all the wiring you fucked up."

      Not that a fuel pump cut-off switch is a bad idea, but your suggestions on placement and operation indicate a fundamental lack of knowledge concerning modern automotive systems.

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    4. Re:Ford Comparison by Dayze!Confused · · Score: 3, Interesting

      I had a friend who's car had to have the headlights turned on or else it would honk if you tried to turn the ignition. That was a wacky way to keep people from stealing your car.

      --
      "All tyranny needs to gain a foothold is for people of good conscience to remain silent." [Thomas Jefferson]
  3. Re:In other news: by dywolf · · Score: 3, Interesting

    Why I rarely bother to lock my car. Granted its an older model. Truth is, ya, a determined theif will steal the car about as quickly as I can unlock the door and start it normally with the key. Most people aren't so motivated, and governed by basic morals. As long as the key isnt in the car, and there's nothing worth stealing in the car, and I'm in a reasonably low crime area, the car is gonna be fine in all likelihood. Just as well since hte lock has started acting finicky about 6 months ago. I really need to take it apart and degrime it with some WD or something.

    --
    The guy who said the election was rigged won the presidency with the second-most votes.
  4. Re:In other news: by jeffmeden · · Score: 3, Interesting

    Highly advanced cyber-thieves discover method to steal cars with a coat hanger and a screw driver! Everyone cower in terror!

    Not that this isn't dumb security on BMW's part, but the thing keeping people from stealing your car is their conscience and the police, not your hyper-powerful super-locks. They might keep some dumb teenagers out of your car, but not car thieves who buy blank keys on the black market and learn to reprogram them.

    The seemingly odd thing is that there are other implementations that work the same way (I have seen this done to Honda cars many many times) but don't suffer from this kind of attack, since the car computer purposefully responds very very slowly to the reprogram command. Leave it to those hyper-efficient Germans to think that reducing the time required was a good thing.

  5. Re:In other news: by 54mc · · Score: 4, Interesting

    I stopped locking my car for a similar reason. Nothing in my car is worth more than the cost of a broken window. I will say that I've lost a few jackets I've left in there during the winter, but, as I said, they were a lot cheaper than a new window.

    --
    Joy! Beautiful spark of the gods!
  6. Passive alarm system. by SternisheFan · · Score: 5, Interesting

    True story. Some years back in N.Y.C. thieves stole a restored vintage car, not knowing the owner had installed his own homemade anti-theft deterrent system. As they're tooling around in Manhattan, the thief who's driving sees a large unlabled red button mounted all by itself in the dash. The guy says to his buddy, "Hey,I wonder what this does...", and presses it. In the middle of a block the engine shuts down, the horn blares, and the car's lights keep flashing on and off. Unable to restart it, the thieves abandon the car, and that owner was laughing when he got it back, unscathed, the same day. So this story shows how you don't always need an expensive complicated alarm system to get the job done.