BMW Cars Vulnerable To Blank Key Attack

Techmeology writes "Thieves have discovered how to steal BMW cars produced since 2006 by using the onboard computer that is able to program blank keys. The device used — originally intended for use by garages — is able to reprogram the key to start the engine in around three minutes. The blank keys, and reprogramming devices, have made their way onto the black market and are available for purchase over the Internet."

Imagine if this was self-driving car

[Googlefu]

Not only would Google's self-driving car be vulnerable to this attack, it would start driving around itself! And you would be responsible for everything the hacked vehicle did.

I agree with the previous note. It raises some very interesting points and why Google's self-driving cars would be bad. Just imagine if someone hacked your car and it ran over someone.

Re:Imagine if this was self-driving car

[Krneki]

It can happen yes, but what is more likely to happen an incompetent/drunk driver running you over or a hacked AI car?

AI car will not be perfect, but I'm sure as hell they will be much better then the regular Joe.

Re:Imagine if this was self-driving car

[Googlefu]

If they can't even get "little" details like car locks working, how is full-driven AI going to be any better?

Re:Imagine if this was self-driving car

Why would you be responsible?
Are you responsible when someone steals a normal car?

Re:Imagine if this was self-driving car

[MetalliQaZ]

Heh. When did Asimov's rules become law?

Also, just FYI, Asimov created those laws to break them down. He wrote a whole collection of stories that examine how the "3 laws of robotics" can fail.

Re:Imagine if this was self-driving car

[The+Grim+Reefer]

It raises some very interesting points and why Google's self-driving cars would be bad. Just imagine if someone hacked your car and it ran over someone.

Depending on who it runs over, this could be a feature rather than a bad thing.

Re:Imagine if this was self-driving car

[Krneki]

It's security vs ease of use. Maybe they hopped no one would bother, now they know it and the next model will be more secure. The thing about science is that is moving on, while human driving is not.

Re:Imagine if this was self-driving car

And when you see a geek, you see a filthy little zero with massive personality disorders, deranged sexual fetishes, completely unsupported arrogance and an impotent, hyper-ideological little shit who deserves to be kicked in the groin or punched in the face (as determined by 20 sided die roll) on an hourly basis as penance for being such an insufferably awful sack of misery.

Re:Imagine if this was self-driving car

BMW driver here. Absolutely correct. I always drive in the middle of the road and I also yell "ka-ching" and "score" when I:

Knock over bicyclists
Clip old ladies
Back up over children
Pass (usually on the right) morons in Priuses, Smart Cars and other econo-boxes like Hondas and Rustangs.
Cut off mom-mobiles where the housewives are talking on the cell phone to their mom.

My driver's seat is usually (partially) filled with a small asian chick with big tits and bigger sunglasses. It is a misnomer that I talk on cell phones while I pass you. In reality, I don't talk on the cell phone because my trophy passenger takes my calls for me.

However, I wouldn't be caught dead on spandex or on a bike. That's who we run over, man. Why would would a predator become prey?

Remember, the difference between a porcupine and a BMW is that with a BMW, the pricks are on the inside. Drive safe! Stay out of my way.

Re:Imagine if this was self-driving car

I have read quite a bit of Asimov, and would be interesting in knowing were any of the 3 laws (by the way, they were laws, not rules), was "broken". Certainly not in the books I've read. Or maybe with "breaking down" you mean Asimov presented his laws as leading to problems if applied, so actually he was advocating against them. If so, could you elaborate on that, with examples? I don't recall any situation were a robot was harmful *because* of the three laws. If anything, maybe *despite* the three laws.

Re:Imagine if this was self-driving car

[crontabminusell]

No, but typically you're not in the car when it's stolen, either.

Re:Imagine if this was self-driving car

[DigiShaman]

As just about anything in life, there are almost always an exception to the rule. While the 3 laws make for a good platform (in theory), they can be circumvented under the right conditions.

Re:Imagine if this was self-driving car

[Joce640k]

AI car will not be perfect, but I'm sure as hell they will be much better then the regular Joe.

I can tell you're not a lawyer...

Re:Imagine if this was self-driving car

[Joce640k]

No, it's impossible. The positronic brain would break down completely before one of the laws could be circumvented.

Re:Imagine if this was self-driving car

[daem0n1x]

Just imagine if a locomotive boiler explodes and kill someone. Steam trains are bad. We should use horses.

Just imagine if a house falls down and people get crushed. Houses are bad. We should live in caves.

Just imagine if your laptop explodes and you die. Laptops are bad, we should use abacuses.

Re:Imagine if this was self-driving car

[mr1911]

That escalated quickly.

You should talk to someone. Someone as in a psychiatrist or psychologist. Do it now, before you snap and your BMW driving boss is the target of your tirade and/or violence that leaves you in prison for a long time.

Re:Imagine if this was self-driving car

[geekoid]

Engineering.

Re:Imagine if this was self-driving car

[AwesomeMcgee]

Asimov's laws are a straw man argument?? Nonsense, he wouldn't do that to us! No, not him!

Re:Imagine if this was self-driving car

[MetalliQaZ]

I didn't say broken or circumvented, I said "fail". "fail" as in they failed to protect humans as they were intended.
Here is the most obvious example, and the one that most /.'ers are probably familiar with:

Humans have both the capability and the tendency to harm other human beings. Even good intentioned humans tend to make big mistakes that either directly or indirectly cause other humans to come to harm. By rule number one, robots may not harm a human, or by inaction allow a human to come to harm. The other rules can be overridden by rule one. Therefore, the only way to fully protect humans is to remove their ability to interact at all with other humans. Lock them up. This is basically a removal of nearly all rights and freedoms -- and obviously is counter to the actual intention of the three laws.

Re:Imagine if this was self-driving car

[flyingfsck]

If a self driving car makes a mistake, then it is an industrial accident. We already have laws for that situation.

Re:Imagine if this was self-driving car

[DigiShaman]

Take the first law for example

A robot may not injure a human being or, through inaction, allow a human being to come to harm.

So a robot walks in a warehouse and finds 100 people all tied up. One of them in the middle has explosives. In this scenario, the robot concludes that the only way to save the other 99 is to kill the one with the explosives. He only has 5 seconds to make a decision.

What does he do? By the first law, he's screwed no matter what decision he makes. Does he opt for the greater good option and kill the one man to save the 99? Or let all 100 die?

Re:Imagine if this was self-driving car

[Lumpy]

You forgot that we are required to wear wrap around sunglasses and dress in trendy bohemian casual business.
If you don't dress this way BMW will repo the car. I've seen it happen, Neighbor did not wear the approved clothing and the BMW came and took the car after browbeating him.

Re:Imagine if this was self-driving car

[Pieroxy]

It's not security vs ease of use. It the proof that you should not let a hardware company reinvents itself as a software company. At least not for critical stuff. Whether the car lock is critical or not is another debate.

Look at drivers for printers or scanners, or GC to see that hardware companies have no shame at all when it comes to releasing software that any software developer would qualify as a pile of smoking shit.

Re:Imagine if this was self-driving car

[Cormacus]

Depends. If it's one of the modified Nestors it will probably retrieve what it was sent to get in the warehouse and then walk back out.

Re:Imagine if this was self-driving car

[gstovall]

Asimov did study this scenario, and it led to the zeroth law, basically known only to the robots.

0. A robot may not harm humanity, or, by inaction, allow humanity to come to harm.

As in Star Trek, "The needs of the many outweigh the needs of the few...or the one"

Re:Imagine if this was self-driving car

[Yobgod+Ababua]

No.

It's a very, very different thing to get a computer to:
a) Do something it's programmed to do (like start up and drive around safely), but for the wrong person.
b) Do something it has NOT been programmed to do (drive unsafely).

You can't just conflate the two with "hacking the system", as they are COMPLETELY different physically, electronically, logically and mathematically.

Re:Imagine if this was self-driving car

[wbackner]

That's where the zeroth law comes in. It was added in the stories for that exact sort of scenario.

A robot may not harm humanity, or, by inaction, allow humanity to come to harm.

Re:Imagine if this was self-driving car

[rickb928]

So you never read I, Robot - you just saw the movie.

Pity.

Re:Imagine if this was self-driving car

[Colourspace]

Hate to respond to such an obvious troll, but I keep hearing this well worn trope about BMW drivers. I think you will find there are dickheads behind the wheels of all makes of cars. Yes I own a BMW, I am not a middle manager, have earned my own money and I always use my indicators and let people out of side turnings on a daily basis. But, you know, keep propagating the sweeping generalisation...

Re:Imagine if this was self-driving car

[Chatsubo]

Geek BMW driver here: I only go to work in T-shirts with game logo's on them and jeans. I can't tell you how priceless the looks are when I get out sometimes. This unruly looking nerd?

BUT, Pro tip: Since driving a 5 I've had multiple job approaches from strangers on the street. I'd go so far as to call it an investment in your career (even if you buy a cheaper 2nd hand one like I did).

That's not the way it's supposed to be, but my RL experience bears it out. Typical convo (I swear on my grandma's grave, this has really happened to me. Even at a funeral - no relation to grandma):
"Hey, that's a nice car you have there"
"Uhh, hi, yeah, thanks"
"What do you do?"
"I'm a software developer"
"Looking for a job? My name is X and I work for...."
I've verified that those I didn't immediately blow off were indeed mgmt at software companies.

So, ya'll have fun bashing bmers!

Re:Imagine if this was self-driving car

[1s44c]

"Hey, that's a nice car you have there"
"Uhh, hi, yeah, thanks"
"What do you do?"
"I'm a software developer"
"Looking for a job? My name is X and I work for...."
I've verified that those I didn't immediately blow off were indeed mgmt at software companies.

So, ya'll have fun bashing bmers!

Are you making this up? Basing recruitment decisions on the car someone drives sounds crazy to me but this is one crazy world.

Re:Imagine if this was self-driving car

[Dexter+Herbivore]

Hence Daneel's Zeroth Law.

Re:Imagine if this was self-driving car

[Pi+Is+A+Rational]

I do body work and honestly the douche'ist of assholes are the people who own BMWs and Audis. While we are at it, both of those cars have nothing special going on that commands them as a rite of passage. Maybe they have fast engines, I don't know. I don't really care. As long as it can keep up with traffic reliably that's all I give a shit about.

Re:Imagine if this was self-driving car

[19thNervousBreakdown]

I miss driving the 20-year-old BMW I bought for $2,000. Wish somebody would have told me about the trust fund, I sure could have used it!

Re:Imagine if this was self-driving car

Generally you can expect someone with a nice car (that he bought on his own) to have some sense of finances and career progress. You still have to do a interview obviously, but you start with some expectations.

Re:Imagine if this was self-driving car

[cellocgw]

And any number of philosopher types added an even more important law: "A robot shall know it is a robot." After all, if a robot thinks it's human, the 3 (or4) laws don't apply in the first place.

Re:Imagine if this was self-driving car

[Chatsubo]

No. Grandma's grave. Really happens.

Re:Imagine if this was self-driving car

[BronsCon]

One counterexample does not disprove a law.

Re:Imagine if this was self-driving car

[firewrought]

And any number of philosopher types added an even more important law: "A robot shall know it is a robot." After all, if a robot thinks it's human, the 3 (or4) laws don't apply in the first place.

But adding that law doesn't help...

Re:Imagine if this was self-driving car

[Joce640k]

1. A robot may take no action which may expose the Manufacturer to financial liability.

This is why self-driving cars will never make it to the streets

It doesn't matter that they'll be far safer than human drivers. There's thousands of lawyers out there who'll be waiting anxiously for the first accident involving a self-driving car.

The only way is if the manufacturers get some special no-liability dispensation from the government. That's not going to happen because there's a whole bunch of lawyers who'd go after that, too.

Re:Imagine if this was self-driving car

[Joce640k]

Nope. Just look at what happened to Toyota, Audi, et. al. because somebody blamed the accelerator pedal for their inability to drive.

Re:Imagine if this was self-driving car

[thePowerOfGrayskull]

Not only would Google's self-driving car be vulnerable to this attack, it would start driving around itself! And you would be responsible for everything the hacked vehicle did.

I agree with the previous note. It raises some very interesting points and why Google's self-driving cars would be bad. Just imagine if someone hacked your car and it ran over someone.

Hell yah. The car gets hacked and is all like "no way bitch" and gets all up in the thief's grill and is like "FO SHIZZLE" and runs him down like a scythe cutting wheat.

Bring it.

Re:Imagine if this was self-driving car

[kaatochacha]

I'm sorry, but that's the dumbest thing I've ever heard.
Every intelligent Engineer I know gets the best car for his money. They often drive around in ancient cars that are mechanically sound.
It's the marketing guys or the guys who spend all their money on the nice car ( bank teller living at home?) who drive the higher end rides.

Re:Imagine if this was self-driving car

[tibit]

A self driving car, is, you know, self-driving. The developers of the safety-critical software are the only ones who can be held liable for it running over someone.

Re:Imagine if this was self-driving car

[tibit]

Not any crazier than selecting candidates based on keyword matches in their resumes, I'd think.

Re:Imagine if this was self-driving car

[tibit]

I have to agree. Maybe my car looks like a pile of crap, but it drives sweet, and is in better shape mechanically than when it left the factory.

Re:Imagine if this was self-driving car

[ObsessiveMathsFreak]

Well, I personally would think twice about hiring a BMW owner if the job was for a position of responsibility. On the other hand, if the job _required_ the employee to be an insecure, obnoxious, risk taker, then the BMW would be an obvious mark of quality.

P.S.
I regularly encounter BMW drivers who do things on the road that no-one would, and this is from someone well used to rural chancers on the road.

Re:Imagine if this was self-driving car

[Lumpy]

No you cant, because even a pennyless fool can buy a BMW 7 series that looks great but has 450,000 miles on it and is 15 years old. Most in my town have 22" dubs on them and stick on fender vents as they are snatched up by the hip hop crowd around here. Anyone making a decision on someone's worth based on the car they drive is a fool. A complete fool.

Re:Imagine if this was self-driving car

[Lumpy]

"So, ya'll have fun bashing bmers!"

Just repeating what others tell me. And eew, a 5 series? that's low rent unless it's a M5. 750Li all the way for true BMW goodness...

Re:Imagine if this was self-driving car

[PIBM]

They still needed to break a window to get in the car and install their device to then clone the key. Should we stop people from building houses since people can break the window and unlock the door ?

Re:Imagine if this was self-driving car

[hawguy]

Not only would Google's self-driving car be vulnerable to this attack, it would start driving around itself! And you would be responsible for everything the hacked vehicle did.

I agree with the previous note. It raises some very interesting points and why Google's self-driving cars would be bad. Just imagine if someone hacked your car and it ran over someone.

With computer control of conventional cars becoming more common (automatic braking, etc), and fly by wire making inroads (throttle control for now, eventual braking and steering), I'm not sure that hacking an auto-driving car is much worse than hacking any other car since the car will be able to take control from the driver.

Re:Imagine if this was self-driving car

[bmimatt]

If you were doing engine work, you'd know that there's quite a bit of fine engineering that goes into these cars.  If you look at acceptable tolerances in fitting engine component together and compare them with American manufacturers, you will become enlightened as to why the German cars are just better.

Disclaimer:  Both BMW and Audi on the driveway.

Re:Imagine if this was self-driving car

[hawguy]

The article is a advertisement soak...

From the article 'I am pleased to say that we have now had further information from our technical team which means that we will be able to offer the same mitigating measures mentioned in relation to X5 and X6, to any concerned BMW owners, starting within the next eight weeks. This will mean that the car cannot be taken using the piece of equipment you highlight. Of course this will not render the car unstealable, but it will address this particular form of attack.'

Meaning they have already rendered this thing useless. Until the criminals figure out a way around it...

Well, I think you mean they *think* they will be able to render this attack useless starting in about 2 months from now, but until their fix makes it into the wild, they really don't know if someone will find an easy way around it.

Re:Imagine if this was self-driving car

[19thNervousBreakdown]

It's more polite to keep the finger when cutting someone up?

Re:Imagine if this was self-driving car

[mcgrew]

But the laws WERE circumvented in many of the stories. The one set on Mercury had the three laws almost kill the engineers; the one on the orbiting power station broke the second law because it thought it was following the first law, and many others.

Re:Imagine if this was self-driving car

[nitehawk214]

And when you see a geek, you see a filthy little zero with massive personality disorders, deranged sexual fetishes, completely unsupported arrogance and an impotent, hyper-ideological little shit who deserves to be kicked in the groin or punched in the face (as determined by 20 sided die roll) on an hourly basis as penance for being such an insufferably awful sack of misery.

So what are the other 18 things that deserve to be done to them?

Actually if you are determining how do beat someone up via 20 sided die roll... you probably are a geek. A geek with a lot of issues.

Re:Imagine if this was self-driving car

[nitehawk214]

No. Grandma's grave. Really happens.

I can believe it. Management hiring is all about cronyism, so much so that it is second nature to them. Oh you [drive same car / root for same sports team / drink same wine] as me? You're hired!

Re:Imagine if this was self-driving car

[vux984]

I drive a 911 myself; and I'll back the claim up. Some people see the cars and it says motivation and success to them, and that's enough to get them interested in at least starting the conversation.

I have friend in real estate who bought a Mercedes; and he thinks it directly impacted on his success. Clients see the car, assume he's successful... same idea.

Its just the old adage "dress for the job you want to have" with a new twist.

Of course, some people assume "spoiled trust fund baby" -- heh I wish. I just really like sports cars, and the Porsche is at least not completely impractical as a daily driver.

Re:Imagine if this was self-driving car

[oracleofbargth]

Take the first law for example

A robot may not injure a human being or, through inaction, allow a human being to come to harm.

So a robot walks in a warehouse and finds 100 people all tied up. One of them in the middle has explosives. In this scenario, the robot concludes that the only way to save the other 99 is to kill the one with the explosives. He only has 5 seconds to make a decision.

What does he do? By the first law, he's screwed no matter what decision he makes. Does he opt for the greater good option and kill the one man to save the 99? Or let all 100 die?

For an Asimovian robot, the correct course of action would be to move the 1 explosive laden human as far away from the 99 humans as quickly as possible to avoid as many injuries as possible to the 99, while in the process attempting to disarm the explosive in order to also save the life of the one. If disarming were not possible, it would attempt to remove the explosive device from that one, accepting the possibility of causing non-lethal injury in the process, followed by itself carrying the explosive device as far away from any humans which might be injured by its detonation. If possible, it would then distance itself from the device, to avoid harming itself, but otherwise would use its own body to shield any humans from the detonation.

The interesting part is when, due to plot contrivance, the robot was entering the warehouse in order to quickly retrieve some goods or device which would be used to save the lives of another 100 humans, and must choose which group to save, as also due to plot contrivance there is insufficient time or resources (or robots) to save both groups.

Of course, the point that Asimov usually makes is: a robot which survives such an ordeal wherein humans are killed usually goes catatonic due to the conflict in its positronic net due to allowing a human to come to harm.

Re:Imagine if this was self-driving car

[vux984]

Every intelligent Engineer I know gets the best car for his money. ... It's the marketing guys or the guys who spend all their money on the nice car

The implicit assumption is that the cars are more than they can really afford, and that intelligent people look for value over flash.

This is all true, engineering=smart and marketing=stupid stereotypes aside.

Only an idiots spend "all their money on a nice car", but what if one can buy nice car without using "all their money"? I own my 911 outright. Its marginally more expensive to insure; and markedly more expensive to operate. But I enjoy driving it far more than our Jetta, and it not a burden on us financially. So why not?

Re:Imagine if this was self-driving car

[Dragonslicer]

Are you making this up? Basing recruitment decisions on the car someone drives sounds crazy to me but this is one crazy world.

It sounds crazy to you, yet you question whether or not recruiters and managers ever do it?

Re:Imagine if this was self-driving car

[gstovall]

Which leads us to Star Trek III:

"The needs of the one...outweigh the needs of the many"

Re:Imagine if this was self-driving car

[HornWumpus]

I've seen no sign of Prius drivers improving.

Re:Imagine if this was self-driving car

[HornWumpus]

Civil damages yes, your insurance has to pay for any damage the thief does with the car.

Criminally no.

Re:Imagine if this was self-driving car

[Sketchly]

Ford Focus driver here - next time you're waiting at a junction for some kind soul to let you out into the traffic flow, why not spend the time considering exactly why people hate BMW drivers?

Re:Imagine if this was self-driving car

[geekmux]

It can happen yes, but what is more likely to happen an incompetent/drunk driver running you over or a hacked AI car?

AI car will not be perfect, but I'm sure as hell they will be much better then the regular Joe.

Prove to me a 50,000-car botnet is "much better" than regular Joe.

Regardless of what is more likely to happen today, imagine the destruction when a DDOS attack of that nature happens in the future on that kind of platform.

Re:Imagine if this was self-driving car

[bware]

If only that were really a joke, and not real life!

Whether I'm on a bike or in a car, anytime I see a BMW, I know that I'm about to witness a dick move. Planning for this, I'm rarely surprised. Oddly, it doesn't work that way with other expensive cars - Mercedes and Porsches, for instance. It does work that way with Saturns, but they're just clueless, and their fenders are always dented. BMW drivers are actively dickish.

Re:Imagine if this was self-driving car

[fredgiblet]

Which lends credence to the idea that managers are doing it.

Re:Imagine if this was self-driving car

[fredgiblet]

predict behaviors of pedestrians

Not strictly necessary if you have the reflexes and no analysis paralysis. If someone decides to dart into the street a AI car will be able to determine the best course of action and react before the human driver even knows what's happening.

follow instructions of a cop

They can use the same system that emergency vehicles use to change lights to pull automated cars over. Plus there's nothing stopping the human in the car from grabbing the wheel once the rearview mirror lights up.

fault tolerance

I assume you're talking about reacting to a blown tire and things like that. I suspect that the computer would actually be much better at this, many of the common issues would not be hard to detect for a computer (e.g. sudden loss of pressure in a tire) and thus the computer would be able to compensate before the driver woudl eve be aware there was an issue, plus the computer can't panic and will provide appropriate correctios faster than a human as well. Doubtless there are issues that can't be programmed for, but those issues probably won't be easy for a human to handle either.

deadlock resolution

You seriously think computers would be worse at this? Realistically they wouldn't NEED to be good at it since with all automated cars deadlocks would be almost unknown. MOST of the traffic issues that I've see (I drive 90 miles per day for work) are caused by dipshits trying to get ahead of everyone else or assholes who don't know how to drive, neither of which would be a problem with self-driving cars. Even if deadlocks did happen computers would be able to sort things out faster than people and if they failed, well, turn off the auto-pilot and do it yourself.

Self driving cars will make astronomically dumb errors, like deadlocking because a leaf is on the road.

[citation needed]
Highly unlikely, and if they did do something like that, disengage the autopilot and continue

Re:Imagine if this was self-driving car

[tnk1]

Well, paying for off-warranty BMW maintenance, even normal oil changes, is absolutely brutal. I know some kids pull it off, but I assume that they either get ones that are so old that they don't have to do all the fancy stuff they do for the new ones, or they spend quite a bit on keeping them maintained.

Re:Imagine if this was self-driving car

[Sardaukar86]

Agreed, 100%. My 7-series is a gorgeous machine and I am rewarded every time I get in the thing, every time I start the engine, every corner I take...

Running costs are certainly higher with a V8 over a little 4cyl Nissan Bluebird and the car weighs nearly two tonnes so it does eat a bit of fuel. Servicing is also about twice what I used to pay for my old car.

This car valued at $220k new cost me only $30k with 80,000 KMs on the clock and I bought it cash - that's right, I saved up for something I wanted! Not very modern or fashionable of me I know.

If I were wise, I would have bought a house instead of a car, but I reasoned that the age of the V8 is nearly over, I could die tomorrow and I was sick of deferring the rewards of my labour.

Re:Imagine if this was self-driving car

[aus]

Oh I don't know about that. 550i with twin turbos is damn near an M5 as it is, minus the badging. Man, I love my car.

Re:Imagine if this was self-driving car

[DarwinSurvivor]

Not 1 person was ever able to provide any evidence that there was anything wrong with the cars. In the only report I ever saw that listed incidents, a large percentage of the drivers (the report only had about 10 incidents) were elderly, so there's a good chance it was driver error.

Re:Imagine if this was self-driving car

[sumdumass]

neither, he lights a cigar, chugs a beer, and yells "bite my shiny metal ass".

Actually, although very likely ineffective, he could attempt to talk the guy with the explosives into not using them. That would be an action satisfying the inaction part. the law itself doesn't require the action to be effective, just that the robot doesn't stand idle allowing it to happen.

Re:Imagine if this was self-driving car

[sumdumass]

Well, that might be true until some manufacturer tells congress that more babies are killed or harmed every day then if this AI had been driving. Then a few campaign donations later and its a law you can't sue the manufacturer. After all, think of the children.

Re:Imagine if this was self-driving car

[Mygi]

Break a window? So? Some BMW model's alarms don't get triggered if you break the driver side window, or even when you reach down to the ODB port. Besides, it's trivial to block the remote key signal. If you do that, you don't have to break anything, since the owner of the car probably didn't notice that the car isn't locked.

Re:Imagine if this was self-driving car

[gl4ss]

the rules worked differently than intended by the robot builders, that's breaking down, sort of. earthbound citizens are in jeopardy in one story for example, because the robots refuse to believe there's people there.

that's basically the whole scenario behind the I, robot stories. but robots/characters supposedly adhering to 3 rules in positions where they seemingly break out of the pattern and then have some detective figures find out why.

or more extrapolated, they're stories about how life isn't as simple as following some 3 rules, because the world around you will not present itself so that you can follow those rules - even if there's just 3 of them! never mind 10!

and one story about you couldn't please people even if you knew what they were thinking at the moment, because people are kind of dicks.

(most of asimovs robot characters just freeze up if they can't follow their rules. the trick to going against the rules is to figure out how to reason how going against orders will help the human(s))

Re:Imagine if this was self-driving car

[jafiwam]

When I see one of those cars, I think "that guy is obviously over-charging".

Re:Imagine if this was self-driving car

[doccus]

This was modded "funny" , but it really isn't, considering that every day lawmakers make laws according to that "logic"

Re:Imagine if this was self-driving car

[Colourspace]

See GP - 'The ONLY people that drive BMW's' (my emphasis). That's what I'm responding to. Of course there are jerks in BMW's, and as a reply has already said, it does seem to attract a certain type of person, but not all of us are dicks. Or at least I try very hard not to be...

And the question is

[Psicopatico]

FTFA:

Amazingly, the blank keys and the device are both available to buy at a bit of a price on the internet.

And the question is: how many BitCoins does those cost?

Re:And the question is

[richy+freeway]

Buy them on eBay and Alibaba for actual money.

Re:And the question is

[epedersen]

and by a bit of a price they meen less then $100 http://www.ebay.com/itm/New-BMW-KEY-PROGRAMMER-/120946886043?pt=Motors_Car_Truck_Parts_Accessories&hash=item1c28ff059b

Ford Comparison

I know ford around the same era required other valid keys to be present when the new key was programmed. I'm surprised BMW didn't have a similar requirement

Re:Ford Comparison

[TWX]

I'm not surprised.

Essentially no one thinks about security, or more accurately, while one team is thinking about security, another team is thinking about something that totally and completely bypasses that security.

And as for Ford, there was an article in Wired several years ago about the possible failure of immobilizer systems in various Ford/Lincoln vehicles.

In my opinion, if there's a legitimate way to make the vehicle move, there's a way to make the vehicle move. If you don't want the vehicle to move then you need to remove something from it that makes it move, preferably something that a thief wouldn't normally bring with them, like a coil wire on a vehicle with a distributor, or a fuel pump relay or ASD relay, or something like that. Come to think of it, one could probably relocate such a relay to the passenger compartment to allow one to use the relay itself like a key, removing it to immobilize the vehicle.

Either way though, relying on an electronic means from an automaker is foolish.

Re:Ford Comparison

[mlts]

There is that, or use security by obscurity. For example, on Ford PATS systems, one can put a switch in on the circuit of the ignition antenna which reads the key's RFID chip.

Flip the switch, and even if a thief was able to clone a 40 (S) or 80 bit (SA) PATS key, they will still be stuck scratching their head as the ignition still wouldn't start.

Of course, this doesn't mean that the thief will not resort to vandalism, but it will mean the vehicle most likely will remain in the same spot unless towed.

Re:Ford Comparison

[rwise2112]

I remember a while back, you could unlock Fords remotely with a Palm Pilot app.

Re:Ford Comparison

[bobcat7677]

An excellent example of physical security...and how physical security will trump electronic security every time. Just ask the crew of the Battlestar Galactica.

Re:Ford Comparison

[swb]

I've seen this technique used before. A landscaper I knew had a hidden key lock than interrupted the electronics on a Bobcat, and my dad's business had some numeric keypad switches that did the same thing installed in some of the business cars they had.

The keypad would be easy to defeat if you had a shop and could trace the wires, but the keypad itself had a bunch of wires in/out that couldn't just be randomly spliced by a thief. I think there might have been some other module under the hood, too, that made it more complicated.

Re:Ford Comparison

[Joce640k]

I remember opening a friend's Peugeot with my HP200LX and a TV remote control emulator.

The keys used an infra-red system with a receiver above the rear view mirror.

Re:Ford Comparison

[localman57]

I know ford around the same era required other valid keys to be present when the new key was programmed. I'm surprised BMW didn't have a similar requirement

This isn't the same thing. You're talking about a consumer being able to program their own key. Typically, you have to have two valid keys to program a third, so a valet can't do it with one key. But cars typically come with only two keys. If you lose one, you can't program a new one yourself. You have to take it to a dealership who has a backdoor to program more keys through the CAN network. The BMW theives are exploiting this backdoor. Some of these details vary a bit for maker to maker, model to model, but this has been pretty standard for around 15 years.

BTW, if you only have two keys to your car now, do yourself a favor, and get a third one from wal-mart, and program it yourself. This is much cheaper than the $150 or more if you lose a key, and have to have the dealership reprogram one for you.

Re:Ford Comparison

[Lumpy]

Why so complicated? a simple $3.29 switch that interrupts the power to the fuel pump. Works on 99.98765% of all cars and will foil any thief.

Flip switch under seat, and leave the car. Thief tries to start car and it acts like it is out of gas. No thief will look under the seat for a switch they have less than 30 seconds to get in and get the car moving or they risk getting caught, so if they cant do a fast smash and grab they move on.

Re:Ford Comparison

[ajlitt]

I can't, they've been dead for thousands of years.

Re:Ford Comparison

[0123456]

Someone did this in one of my old cars before I bought it. Worked OK until the switch burned out and the car wouldn't start. That left me sitting at the side of the road pulling wires out from under the dashboard, which lead to an interesting conversation with the police when they drove past...

Re:Ford Comparison

[19thNervousBreakdown]

Or security by economy of effort. As it is, it takes 2 minutes to access the port to reprogram keys. If that port and its wires were buried in the engine so that you had to put the car on a lift and take it half apart to access, they'd move on to easier targets.

Being able to create duplicate keys from the car itself is great. The lock doesn't have to be unbreakable, just more trouble to break than it's worth.

Re:Ford Comparison

[0123456]

As it is, it takes 2 minutes to access the port to reprogram keys. If that port and its wires were buried in the engine so that you had to put the car on a lift and take it half apart to access, they'd move on to easier targets.

I really want to have to pay for $500 of labor on top of the $100 for a new key next time my girlfriend loses one.

And I really, really want to have to take half the car apart to find out that the 'check engine' light is on because the fuel cap is loose (yeah, OK, the fuel cap is the first thing I check now when the light comes on).

Re:Ford Comparison

[CanHasDIY]

So put the switch different places in different installs. Under the seat, in the glovebox, and under the dash (above the accelerator) all come to mind. Better yet, repurpose an unused factory switch, or find a factory switch you don't really use, put that elsewhere, and hook the old switch up to the fuel pump. Maybe you have to push the tire pressure monitoring system reset button before the car will start...

This is security by obscurity, but when it's different and non-obvious on each car, it's good stuff.

No, that's not "security through obscurity," it's "security through ridiculously circuitous nonsense."

Most modern cars, i.e. the type to have a tyre pressure monitoring reset button, don't like it when people start hacking up their wiring harnesses. And by "don't like it," I of course mean "will refuse to start until a professional technician fixes all the wiring you fucked up."

Not that a fuel pump cut-off switch is a bad idea, but your suggestions on placement and operation indicate a fundamental lack of knowledge concerning modern automotive systems.

Re:Ford Comparison

[Dayze!Confused]

I had a friend who's car had to have the headlights turned on or else it would honk if you tried to turn the ignition. That was a wacky way to keep people from stealing your car.

Re:Ford Comparison

[19thNervousBreakdown]

I was assuming that the key generator is separate from the general CAN bus, if that's not the case, the only thing I could think is to do the same as Ford, and build in a 4-hour (instead of Ford's 10 minutes) delay from key generation request to delivery. But, if you don't like that solution either, I still have a couple suggestions:

1.) Don't drive a conspicuously expensive car that needs to go to extreme anti-theft measures.
2.) If you anticipate your girlfriend repeatedly losing your car keys, make many duplicates in advance at the same time.

I guess there's nothing you can do about losing the keys even though that's the obvious place to start, but man that's got to be frustrating. In 15 years of driving, I've never lost a single car key (or wallet, or cell phone, although I leave $8 sunglasses everywhere), and I'm not a particularly careful person. I've never even known anyone to lose a car key. I can't even imagine the level of air-headedness required to lose multiples.

Re:Ford Comparison

[jandrese]

You can unlock any car remotely if it has OnStar.

Re:Ford Comparison

[pkinetics]

This would never become mainstream. The average person is just too lazy.

Switch is only as useful as a security alarm. You still have to set it. In the average person's case, the perception of the theft versus the inconvenience of flipping the switch is an annoyance. Therefore, while a nice novelty, will only get done by the person who really cares, aka paranoid.

Loan to your significant other, parents, or friends and they will inevitably not use it.

Re:Ford Comparison

For a fuel pump disable, you need a switch. The actual controls that tell the computers what to do are - can you guess - switches and buttons. A button can be effectively converted to a switch easily enough with the addition of a latching relay, and maybe an LED to show if it's on or off.

My car is actually one of these new-fangled computerized ones. It's a 2008, and generally considered to be one of the trickier ones out there electrically speaking. However, tricks like this still work just fine... I know because I've done plenty.

On my car, foglights from the factory are optional. If you didn't get them, all the wiring is in place, so it should be easy to add them later. Problem is, the car's main computer needs to be told that they exist before it will try to turn them on. There's a code for that to run through the dealership-only diagnostics computer, but the management over in Germany wasn't telling anyone this code (who knows why). The standard fix was to hook the foglight button up to a latching relay, then splice that into the normal wiring. This fix was used by many dealers, and it works perfectly. The car's computer couldn't care less.

My car has electric power steering. It's a light car, and I like heavy steering with lots of feedback, so I just disabled the power steering. You'll never guess how... I simply unplugged the power steering motor. It has its own computer, which communicates with the rest of the car via the CAN-bus, so according to you, this is one of those mods that should play hell with everything. It didn't. The only side effect is that I sometimes get an idiot light telling me my power steering system isn't working.

Another great example is applying an aftermarket turbocharger to a modern car. When you cram more air into the intake, you have to replace a sensor (MAP) with one that has a bigger range, rescale the range of that sensor so that the engine computer doesn't freak out, somehow add more fuel when that sensor goes out of the expected range, the same stuff with the MAF sensor if the car has one, ditch the computer's closed loop fuelling system at high loads (a fundamental aspect of its operation from the factory), and tweak the time at which the spark plugs are fired (on a car without a distributor, remember). Somehow, people regularly pull this off, and cars only take unkindly to this treatment when the mods were tuned by someone who had no clue what he was doing.

Modern cars are fairly complex, but it's not magic. The computers in question are stone age compared to the one you're reading this comment on, and it doesn't take a genius to fool them.

(same AC as before)

Re:Ford Comparison

[mcgrew]

If you don't want the vehicle to move then you need to remove something from it that makes it move, preferably something that a thief wouldn't normally bring with them, like a coil wire on a vehicle with a distributor, or a fuel pump relay or ASD relay, or something like that.

Easily circumvented with a tow truck.

Re:Ford Comparison

[Algae_94]

I can't speak for other cars, but a 2008 Cadillac STS only needs one key for the consumer to program a second. It takes at least half an hour to do, and IIRC, the car honks several times and needs input at various times throughout the half hour. A valet could do it, but they'd have to be at the car for a long period of time.

You can't buy another key at Walmart, so there isn't much way around the $200 for a new one.

Re:Ford Comparison

[couchslug]

Works beautifully, as does removing your fuel pump or other vital fuse, chopping off one blade using a pair of sidecutters, and reinstalling the fuse. Thieves aren't going to probe your fuse box with a test light.

My bud uses the fuse trick on his tow truck. It has had several steering columns ruined by thieves over the years, but he gets those free (nice thing about doing auto salvage) and the hood rats who infest Bluff Road, Columbia, SC (don't live there!) have never managed to steal the truck.

Re:Ford Comparison

[mcgrew]

I know ford around the same era required other valid keys to be present when the new key was programmed.

I lost the key to my 2002 Concorde a few years ago, had to have it towed to the dealership, and they wouldn't make a new key without my showing them the title, even though it was the same dealer that sold me the car!

Re:Ford Comparison

[Obfuscant]

A friend of mine has a van that can be opened up with a magnet held at the lower right corner of the rear window. It's the "magic key" system they installed in his handicapped accessible van that opens the side door. Freaked him out when I pulled a magnet out of my pocket one day and opened his door for him.

Re:Ford Comparison

[Lumpy]

Yes it would.

Make it a latching relay, turn off ignition, it will unlatch. you will then have to push the button after you turn on the ignition to get the car to start. Force it upon them. it auto arms every time the ignition is turned off.

So instead of $3.95 it's not $6.99 for two small relays and a pushbutton.

Re:Ford Comparison

[Ed_1024]

Or security by economy of effort. As it is, it takes 2 minutes to access the port to reprogram keys. If that port and its wires were buried in the engine so that you had to put the car on a lift and take it half apart to access, they'd move on to easier targets.

I think some of these issues have come about in the EU because of a) competition directives and b) enforced standards.

BMW and other manufacturers are forbidden from operating a 'closed shop' for spares, technical details or anything that a 3rd party would need to service/repair their cars. This is generally good for the consumer but in the edge case of car security rather bad, in that a non-OEM agency can demand access to key programmers etc. then sell them on and/or hand them over to criminals.

The diagnostics port in the car has (AFAIK) to be in the passenger compartment and readily accessible, by regulation, so that nixes the idea of siting it somewhere unusual or protected. Some people I know have re-wired their ports to need a custom adapter, so someone trying to attack the car from that direction would fail...

Re:Ford Comparison

[goose-incarnated]

Then you did it wrong - you never wire a large load directly to a switch, you use a relay.

Re:Ford Comparison

[petermgreen]

In my opinion, if there's a legitimate way to make the vehicle move, there's a way to make the vehicle move. If you don't want the vehicle to move then you need to remove something from it that makes it move, preferably something that a thief wouldn't normally bring with them, like a coil wire on a vehicle with a distributor, or a fuel pump relay or ASD relay, or something like that. Come to think of it, one could probably relocate such a relay to the passenger compartment to allow one to use the relay itself like a key, removing it to immobilize the vehicle

Which works fine if it's just the one vehicle but if an automaker started doing that theives would just start carrying relays.

Re:Ford Comparison

[SternisheFan]

Just don't place the switch where a passenger might inadvertantly hit/kick it. Years back I was a passenger in a friend's van, and didn't know he'd put a toggle kill switch under the dash near the firewall. The toe of my sneaker flicked it, flame shot out, a big bang was heard. My friend told me about the kill switch then, I flicked it back, but the damage was done. Killed one of the six pistons for good.

So this means

[wbr1]

No more waiting around for a dog to crap out the 'laser encoded' keys he ate.
Oh, and i know Nick Cage sucks, but thats my girls favorite movie and it always makes her horny. So yeah, I have seen it too many times.

Re:So this means

[wbr1]

Girlfriend, possessive. I was typing on my phone so I shortened it for laziness reasons. Of course and AC would take it to incest. Where is YOUR mind at? And why the fuck am I responding to an AC>

Re:So this means

Oh, and i know Nick Cage sucks, but thats my girls favorite movie and it always makes her horny. So yeah, I have seen it too many times.

By 'girls' I hope you mean your Wife/GF/SO, and not your daughter(s).

This is /. so you can never be certain.

Re:So this means

[AliasMarlowe]

Oh, and i know Nick Cage sucks, but thats my girls favorite movie and it always makes her horny. So yeah, I have seen it too many times.

By 'girls' I hope you mean your Wife/GF/SO, and not your daughter(s).

He meant his fembots. Hand in your geek card at once...

Re:So this means

[mcgrew]

Girlfriend, possessive. I was typing on my phone so I shortened it for laziness reasons

If you had written it as a possessive the AC wouldn't have been able to joke about it. The posessive would have been girl's, not girls.

I took it to mean you're a pimp and were referring to your hookers. See, kids, what happens when you ignore punctuation? You get made fun of!

As to why you're responding to an AC, that's a good question, he'll never see your response. I wouldn't have seen his comment if someone else hadn't quoted it.

Re:So this means

[mug+funky]

oh, come on, mods! have a sense of humour!

Re:So this means

[mug+funky]

to be fair... Murphy's Law states that if it can be done in more than one way, it will be done both ways and you have no control over it. an apostrophe would have prevented all this horror and heartache :)

In other news:

[AtomicDevice]

Highly advanced cyber-thieves discover method to steal cars with a coat hanger and a screw driver! Everyone cower in terror!

Not that this isn't dumb security on BMW's part, but the thing keeping people from stealing your car is their conscience and the police, not your hyper-powerful super-locks. They might keep some dumb teenagers out of your car, but not car thieves who buy blank keys on the black market and learn to reprogram them.

Re:In other news:

[rot26]

PREVENT crime?

You're thinking of some organization other than the police. They're just there to fill out the paperwork afterward.

Re:In other news:

[dywolf]

Why I rarely bother to lock my car. Granted its an older model. Truth is, ya, a determined theif will steal the car about as quickly as I can unlock the door and start it normally with the key. Most people aren't so motivated, and governed by basic morals. As long as the key isnt in the car, and there's nothing worth stealing in the car, and I'm in a reasonably low crime area, the car is gonna be fine in all likelihood. Just as well since hte lock has started acting finicky about 6 months ago. I really need to take it apart and degrime it with some WD or something.

Re:In other news:

[jeffmeden]

Highly advanced cyber-thieves discover method to steal cars with a coat hanger and a screw driver! Everyone cower in terror!

Not that this isn't dumb security on BMW's part, but the thing keeping people from stealing your car is their conscience and the police, not your hyper-powerful super-locks. They might keep some dumb teenagers out of your car, but not car thieves who buy blank keys on the black market and learn to reprogram them.

The seemingly odd thing is that there are other implementations that work the same way (I have seen this done to Honda cars many many times) but don't suffer from this kind of attack, since the car computer purposefully responds very very slowly to the reprogram command. Leave it to those hyper-efficient Germans to think that reducing the time required was a good thing.

Re:In other news:

[54mc]

I stopped locking my car for a similar reason. Nothing in my car is worth more than the cost of a broken window. I will say that I've lost a few jackets I've left in there during the winter, but, as I said, they were a lot cheaper than a new window.

Re:In other news:

[gstoddart]

Why I rarely bother to lock my car. Granted its an older model. Truth is, ya, a determined theif will steal the car about as quickly as I can unlock the door and start it normally with the key.

A truly motivated and resourceful criminal would just show up with a tow truck. Nobody would even look at a tow-truck taking away a car.

But, the locks keep the casual/incompetent ones away.

Though, years ago I used to have a Jeep ... my friend pointed out that locking it was futile because it was basically a tent on wheels. Anybody who knows about how to do the soft-top could just unzip it. Anybody who didn't could simply cut it.

After that, I stopped locking it.

Re:In other news:

[tom17]

Better than having a backseat toilet *and* a broken window...

Re:In other news:

Yes, but do you think the crook would have broken a window to get your coat?

Re:In other news:

[afgam28]

When the car makers all started to introduce engine immobilizers, the rate of car thefts plunged. (An immobilizer is a device that prevents hot wiring)

If your reasoning was true then immobolizers would not have had any effect.

Yes a determined and well equipped theif will always find a way in. Unfortunately, most vehicle thefts are opportunistic crimes, and it is definitely worth trying to prevent that by locking your car.

Re:In other news:

[Yobgod+Ababua]

+1 Tow truck theft

That's how I lost my first car (a VW Beetle that would stall at any stop light unless you gently caressed the gas pedal with your toe while keeping the brake down with your heel). Security guard didn't pay any attention to the seemingly legit tow truck that hauled it away...

Re:In other news:

[dywolf]

mean the little proximity things? never owned one. and the stories of thieves just snatching out of your hand or shoving you into the car and taking off amuse me. but lotta cars still dont have em, like me wifes new (to us) 2009 jeep. still bypassable from all that i ever read about em. after all, shit happens and you gotta be able to start it somehow. and that knowledge spreads. its not some miracle tech.

and define worth it? whats the worth is taking time to stop something that simply isnt going to happen? like said, i got a barely functioning lock, and i dont go places where theft is even an issue. mostly only ever sits at home or in the lot on base. no one's gonna steal it in either place. and theres nothing valuable in the car, and car itself not valuable. sure when i go down to a particular area of town, i lock it. but that's rare, and the blanket statement simply isnt true.

Re:In other news:

[CanHasDIY]

(a VW Beetle that would stall at any stop light unless you gently caressed the gas pedal with your toe while keeping the brake down with your heel).

Yea, that was a common issue on the first-gen "New" Beetles, V-Dub put out a TSB on that one but I can't quite remember what the fix was... of course, I'm guessing you no longer own that particular kraut-burner, so TL:DR, right?

Re:In other news:

[localman57]

What difference does it make? It's not like you're going to roll up the windows if there's a hobo pile in the back seat.

Re:In other news:

[NJRoadfan]

It mostly eliminated those crimes of opportunity. Most of the people breaking and entering parked vehicles were taking them on joyrides or committing other crimes and then dumping them. Immobilizers didn't stop the professional car thieves, namely the ones exporting to Eastern Europe or stripping for parts. They resort to the low tech method of a flatbed.

Re:In other news:

[SleazyRidr]

I used to leave my car unlocked, but apparently I was parking in a part of town with exceptionally stupid criminals, and they'd still break my window to get in...

Re:In other news:

[Darinbob]

Yes, I'm confused about why this is a big issue. People have been stealing autos since they were first invented. A digital key isn't going to stop anyone.

For decades auto makers used to have a small number of different keys. If you went around in a parking lot with a key for a GM car chances are you'd find another GM car of a different brand that it would open. If you ever got locked out you could just call a locksmith and be on your way in a half hour.

Re:In other news:

[Darinbob]

A perfect anti-theft system would mean your car would become absolutely useless and a brick if you lost the key. However no one wants that. They want to be able to get the auto dealer to make a new key or open up the locked door, etc. If the auto dealer can do this then so can a criminal.

Re:In other news:

[afgam28]

Yeah exactly. So there are three kinds of people:

1. people who have basic morals, and wouldn't steal a car (nearly everyone)
2. determined thieves, who are basically unstoppable (a small fraction of thieves)
3. opportunitistic thieves (most thieves)

dywolf seemed to be saying that most people wouldn't steal a car, and determined thieves would always find a way anyway, so there was no point in locking his car. He may be right if his car is a shitbox and it doesn't matter if he loses it (although I think no matter how crappy your car is, it is still inconvenient to be stranded).

However, most thieves are opportunistic ones, and the effect of engine immobilizers on theft statistics proves that. Just because you're not woried about moral people and determine thieves, doesn't mean you can ignore opportunistic thieves.

Re:In other news:

[mug+funky]

true enough. though beemers have a reputation for security, so you're less likely to get done anyway. even with a smash and grab.

i loved my old 89 corolla, but i don't miss the frequent break-ins. when will people learn that a glove-box on a banged-up old toyota probably does not contain Treasure. or even enough valuables for your next hit.

Re:In other news:

[adolf]

My insurance covers auto glass for free*. Haven't had to use it yet for that, but at least the expense of a window doesn't enter the equation when I push the lock button and walk away.

I also double-lock the doors, which is a function available on my somewhat-context-appropriate 1995 BMW. The doors simply won't unlock or open, from either outside or inside, without skilled fuckery, a key, or a good locksmith.

This means that if a thief wants to break a window and get into my car, he's limited to grabbing whatever is within arm's reach, or he'll be forced to crawl through broken glass to get to what he's after.

*: "free" == "covered by the amount of money I'm paying for decent insurance anyway, without an additional line-item expense, or a deductable."

and after the fix all work must be done dealership

[Joe_Dragon]

and after the fix all work must be done dealership

Dupe

[Muros]

http://news.slashdot.org/story/12/07/10/1657203/hackers-steal-keyless-bmw-in-under-3-minutes

Re:Dupe

[54mc]

But that was two entire months ago!

Re:Dupe

[Rogerborg]

We'll stop talking about it when they fix their bloody cars. They're still in "LA LA, can't hear you" mode.

Security and lifetime of your typical car

[sinij]

Cars are expected to last at least 10 years, many last much longer, well into mid 20s.

Such timescales are 'forever' in the sense of IT security. Just look at 'recent' examples - WEP was rolled out around 2000 and is now broken in just a couple minutes. Most cars made in 2000 are still on the road.

I'd go as far as saying that it is impossible to secure your car for its expected useful life without the use of physical security.

Re:Security and lifetime of your typical car

[0123456]

PGP is over twenty years old, and I'm not aware of it being broken other than by rubber hoses or brute force on short keys.

You don't need physical security, you just need security developers of clue.

Re:Security and lifetime of your typical car

[Richy_T]

It's impossible, barring extreme methods, period. All you can do is make the next car along look like a better prospect.

Re:Security and lifetime of your typical car

[Joce640k]

WEP was rolled out around 2000 and is now broken in just a couple minutes

WEP was broken before it was ever rolled out. It was designed by people with very little clue.

Hackers don't usually 'break' things, they find holes in designs.

Re:Security and lifetime of your typical car

[tilante]

Tell that to my brother, whose vintage '65 Mustang that my father had restored was stolen -- in 1992.

Re:Security and lifetime of your typical car

[kaatochacha]

I can do that one better.
Our 65 mustang was stolen, chopped, then the thieves purposely returned in the middle of the night to DROP OFF THE CARCASS in front of the house.

Re:Security and lifetime of your typical car

[iluvcapra]

Note that PGP has changed its encryption and hashing algos several times. A PGP encrypted message today is safe from prying eyes today; a PGP message sent twenty years ago, with the original BassOmatic cypher, is quite vulnerable given modern hardware.

Re:Security and lifetime of your typical car

[Sardaukar86]

That's fucking nasty, I really feel for you.

What sort of upbringing does one need to take pleasure in causing such utterly unnecessary pain? They got what they wanted and they've already fucked you over, so why take special effort to really rub your nose in it like that?

Very saddening.

Its a key recovery problem...

[nweaver]

(Since its a duplicate post, I'm going to include my reply from the last time it was posted)

The basic design flaw is how key duplication/recovery is handled.

On my motorcycle (a Concours 14 with keyless ignition), to program a new key you need an existing key, to tell the computer "hey, this is the new key to use". The disadvantage is, naturally, if you lose all your keys, you need to replace the computer!

But its better than the alternative. On the BMW, all you need to do is plug into the OOBDII port and tell the computer "Here is the new key". This means if you lose all your keys, you don't have to buy a new computer... But it also means that anyone who can break into the car can create a key and drive off.

Re:Its a key recovery problem...

[mlts]

Ford is similar to the Concours -- to add a new key, you need two existing keys to the system.

Of course, if one loses a key, one can get a programmer for a Ford. However what the vehicle does to slow down a thief who has two cut keys is force a 10 minute wait cycle until security functions are accessible. Then keys can be added and removed.

The wait time isn't perfect -- someone's car that is tucked away somewhere remote can be accessed, but compared to having to replace the computer [1], it is a decent compromise.

There has to be a balance somewhere between "crap, lost all keys, time to replace ECM/TCM/audio system/etc." versus "plug device in, hotwire vehicle, drive off."

[1]: Mercedes systems from what I've seen are pretty secure, but if has to delete more then eight keys over the vehicle's lifetime, a good chunk of the car computer will need replaced.

Re:Its a key recovery problem...

[Lumpy]

Whoever told you that lied. You can get new keyfobs programmed at the dealer if you have no keys.

Re:Its a key recovery problem...

[plover]

The 10 minute wait is an interesting compromise. Most security measures work by slowing down a determined attacker, not by absolutely preventing the loss, so that's a good idea. But in the CCTV footage I saw where a couple guys stole a BMW in minutes, they were a bit jumpy but didn't seem to mind that it took that long.

The balance might come in a combination of time and physical effort. Perhaps the lost key compromise could require lifting the car, then using a specialized, bulky tool (which is functionally not much different than a master lock and key) to access something from beneath the center of the car, combined with a 10 or 30 minute wait. Or perhaps the suspension has travel limit sensors that could be used - all four wheels have to be off the ground for 10 minutes. Or maybe something else that requires a tremendous amount of energy - compressing a large spring to trigger a contained switch. Make it require a set of things that are too difficult for the average thief to carry - a jack and jack stands, a long specialized tool, at least something more than a guy can carry in his pocket.

If it's going to remain purely digital, have it use digital certificates and require on-line network access to reset it. The BMW factory would then be the gatekeepers of who would be authorized to access the "blank key reset service". The on-board computer would log all key reset activities on a ROM, which they could provide access logs to police for investigations. A crooked dealer would quickly be identified, and immediately revoked by the service.

It still won't stop a tow truck or a mobile garage, but they're not stopped today.

Re:Its a key recovery problem...

[SleazyRidr]

My girlfriend's chevy had a similar system, but you had to leave the key in the ignition for 30 minutes for it to recognise it. I always assumed it was a safety thing to at least keep the thief in the car for a while. (Not that it would help if the come while you're at a movie for 2 hours, but still...)

Re:Its a key recovery problem...

[couchslug]

Both have one thing in common:

A thief with a tow truck can drag them off without unlocking anything.

Repos are fun. If you need to remove a vehicle from property, you can back a wheel-lift wrecker under it, lift, and drag it down the street with brakes locked and tires smoking. Deal with security measures down the road, or dolly or rollback the vehicle for unlocking later. Been there, done that.

No one seems to care, contrary to fucktarded TV series. :)

Re:Its a key recovery problem...

[drinkypoo]

No one seems to care, contrary to fucktarded TV series. :)

If someone were towing my paid for car from my home I would come out with my pistol because that's theft and I will use any necessary force to stop it and repo people may well be armed themselves. But if I bought a car on credit (I don't) and it were getting repo'd I would open a beer and sigh sadly because that's not theft.

Pricey cars!

[cupantae]

They cost between 17,000 and more than 100,000 thousand pounds.

£100,000,000 is too much for any car, let alone one that allows anyone to steal it.

Re:Pricey cars!

[Provocateur]

That better come with the 2 booth babes from the car show. As upgradable parts, too.

Buy vintage BMWs!

[avm]

....like my personal favorite, the 2002. Sure, it can still be stolen using much less sophisticated equipment, but its arguably cooler than many of the modern iterations and a lot easier on your checkbook.

Re:Buy vintage BMWs!

[sinij]

Love 2002, much better than 1 and 3 series cars offered today.

I own multiple classic cars, but for your typical "must start every morning" commute use they are not practical. Plus, you have to be technically inclined or filthy rich to keep them on the road.

If you are kind of person that never changed their own oil - classic/vintage cars are not for you.

Re:Buy vintage BMWs!

[Pope]

Hell, the old R series motorcycles from the late 60s/early 70s had ONE key for every model! Want someone else's R60? Just use your key and start 'er up.

Re:Buy vintage BMWs!

[characterZer0]

If it must start every morning, just get a non-M E30.

Re:Buy vintage BMWs!

[cvtan]

Love my '72 2002tii touring!

Re:Buy vintage BMWs!

[dave562]

My 72 Datsun 510 will drive circles around your 2002. ;)

Re:Buy vintage BMWs!

[dsgrntlxmply]

My '73 2002 was great fun (on good days at least), but by 1988 it had become difficult to obtain certain parts (like the original air cleaner) needed to pass California emissions visual inspection, much less functional tests.

Finally, it developed mysterious electrical problems that made it stop running at inopportune moments. Despite the fact that the car was dead simple by comparison with anything modern, I never was able to diagnose the problem, and ended up giving that car up in favor of a Honda.

That 1988 Honda now has mysterious electrical problems that make it stop running at inopportune moments. Some of these clearly are due to deterioration of wiring insulation and electrical connectors on the maze of emissions and fuel injection components. Connectors for e.g. thermal sensors onto the wiring harness, are arcane proprietary things that eventually fail and are not available as separate replacement parts. This necessitates improvised reconstruction.

Re:Buy vintage BMWs!

[mdielmann]

So what you're saying is, nothing has really changed in 40 years. Reminds me of a line I heard someone use about the Canadian Navy: Over a century of tradition, unimpeded by progress.

No, it's worse

[dutchwhizzman]

All you have to do in the BMW is to tell te computer "This is a blank key, please put one of the legible, unencrypted 10 passwords you have in you on the blank key". The other keys already issued would still work and you could even program keys with them as well, just not using the car itself.

Ultimate Theft Method

[RobertLTux]

Push comes to Shove all you need to steal a car is a FlatBed Wrecker with an optional Crane.

Now this is STUPID since it enables you to not need to get to extreme methods to steal a very pricey car.

This is /. not /b/

[SmallFurryCreature]

On /b/ you can be certain, he is talking about his kids.

On /. you can be certain, whenever someone is talking about sex, he is lying.

Re:This is /. not /b/

[Pope]

"A guy came up to me after one of my shows, and said 'I'd like you to meet my wife and sister,' and there was only ONE woman standing there!"

Stolen in 3 minutes?

[PPH]

All you need to stop this is a car alarm and a .357 magnum.

Re:Stolen in 3 minutes?

[Lluc]

All you need to stop this is a car alarm and a .357 magnum.

You really just need the .357 magnum -- if you shoot the car enough times in the correct place, I guarantee a thief will not be able to drive it away.

Re:Stolen in 3 minutes?

[notdotcom.com]

I have both.

However it is not legal or justified to kill a car theif for taking your car (even if it is an expensive BMW). It is just property, and killing over it will give you 1) a huge lawyer bill that far exceeds your insurance deductible, and 2) about 15-30 years to think quietly about what you've done (in prison).

The only exception would be something like a carjacking, when your life and safety are physically threatened, and you're in immediate and grave danger (maybe the guy is going to kill you as soon as you get out - even if you "give" him the car - so you're justified in neutralizing the threat.)

This is for the US, and more specifically for states that I have lived in. Ymmv. Of course everyone reading about guns is thinking "yeah, that's "Murika" for ya..."

Re:Stolen in 3 minutes?

[0123456]

Or you could drive a ten year old Italian car, then you wouldn't even have to shoot it.

Re:Stolen in 3 minutes?

Most "red" states have castle doctrines enshrined as law now. If someone is threatening your life or property, you can use deadly force.

Originally this was to allow farmers to protect livestock from thieves. Now, you can just cap people for walking on any non-public/secure areas of your property. (So, not the front lawn. But if they're inside a locked fence, they're fair game.) And by "property", the law means any property, not just real estate. A car's passenger cabin is a "secure" location on the car owner's property.

I live in Missouri. This is the law here. If the Europeans thought the "liberal" Americans were conservative gun-nuts, wait 'til they meet actual conservatives!

(And yes, I'm aware of the "corn and cotton and democrats" thing. It doesn't apply anymore. This is far-right crazy-land now.)

Re:Stolen in 3 minutes?

[SleazyRidr]

Legal varies from place to place. As for justified... well, we don't really need all that many car thieves in the world.

Re:Stolen in 3 minutes?

[HungWeiLo]

Or own a stick shift in N. America.

http://www.newschannel9.com/news/top-stories/stories/deputies-carjackers-busted-couldnt-drive-stick-shift-2202.shtml

Re:Stolen in 3 minutes?

[PPH]

Most "red" states have castle doctrines enshrined as law now. If someone is threatening your life or property, you can use deadly force.

I think that was the result of a federal court decision. While that hasn't been codified into law where I live (WA state), prosecutors tread lightly in instances of property defense. Where there is nothing else wrong with the shooting, they tend to drop the case. If there are issues, like illegal firearm possession, reckless endangerment, etc. they usually add one of these charges. And then they negotiate a lowered or suspended sentence which they can jack back up should the defendant raise the issue of the right of defense. So most people just plead and shut up.

Charging someone for a homicide or attempted homicide in the defense of their property alone would invite an NRA-funded defense and establish a court precedent here just like in TX.

Re:Stolen in 3 minutes?

[PPH]

My car has a device which renders it almost undrivable (unstartable) to most Americans.

A knob on the dashboard labeled 'Choke'.

Re:Stolen in 3 minutes?

[adolf]

I have an automatic choke with a Quadrajet on a temperamental Pontiac 301: The uninitiated will either fail to start it due to fuel starvation, or fail to start it due to flooding. (The trick is to press the loud pedal all the way to the floor, exactly twice, before starting. One won't do it, three begins the flood. Pumping makes the flood far worse.)

Re:Stolen in 3 minutes?

[SternisheFan]

Not exactly correct. There are situations where you can legally shoot somebody trying to steal your car beyond a carjacking. Most police departments are not going to be too concerned about your average citizen shooting someone trying to steal their car and few juries would convict someone protecting their property. Make it nighttime, with the car parked in your driveway and it's even better...

I believe that just because you CAN do something doesn't always mean you should. Taking human life over a hunk of metal and plastic may be legal where you are at, it would be morally f-ed up to do. If the thief is coming at you (or someone) in order to harm you, that'd be different. But to kill a human being over a theft of property? In many ways you might regret your choice right after, or fifty years after that free-wheeling decision of yours. I've heard somewhere that if you really want to 'piss off' God, murder another one of his creations. And what you posted doing would be murder when you could've just walked away and let the police handle it. A good, moral man knows that there are times to stand and fight like a man, and there are times to walk away like one, no harm, no foul on your part.

Re:LOL

[postbigbang]

Yeah. And if you can get to the ODB2 jack, you can pwn not only BMWs, but Minis, Mercedes, and a bunch of other tasty cars. You download the key, and using the magick of eBay programmers, reset a "blank" key into a new one. Drive away. Try to look dapper.

All 2 ton freestanding objects can be stolen

[ZokelX]

Lets be honest, the easiest of stealing cars is that you get in and drive away. If smart electronics, big mechanical bars, armored doors and breaks are preventing you from this you can always and quite easily use a truck with winch or towbar. Sound alarms might work on your drive way but not on a busy parking when a professional looking tow truck is having its go at your car. GPS antenna's are easily jammed/cut or covered. Besides the 'hacking' of electronics there are many ways to drill holes for cable clipping, fuse pulling or apply voltage to powered windows and/or locks . High value objects that are out there will always be of interest to people that have low moral values.

Re:LOL

Dapper?? does that mean wearing a top hat and tails while stealing one?

Re:this works great though

[characterZer0]

If you're too much of a lazy fat ass to crank-start your engine and you need to turn a metal key, you deserve to get your car stolen.

Re:LOL

[CanHasDIY]

Dapper?? does that mean wearing a top hat and tails while stealing one?

Some of us prefer fedoras and wingtips, but yea, that's the idea.

This screams of RECALL to me

[realsilly]

If this is such a big vulnerability, and BMW was amply aware of it and the customers weren't then this screams of Recall to me. I understand buyer beware, but you're paying a lot of money for a high end car with security that the consumer has been told (I'm guessing) is very secure. Here it's being proven that it is indeed not very secure at all. Furthermore, this sounds to me like owners who were unaware of this who may fall victim to theft may decide that a Class Action lawsuit would be a course of action.

BMW has put on a great Security Theater performance, but the magic trick has been exposed and it's not such great theater any more.

I hope BMW owners have some options to improve security of their vehicles.

Passive alarm system.

[SternisheFan]

True story. Some years back in N.Y.C. thieves stole a restored vintage car, not knowing the owner had installed his own homemade anti-theft deterrent system. As they're tooling around in Manhattan, the thief who's driving sees a large unlabled red button mounted all by itself in the dash. The guy says to his buddy, "Hey,I wonder what this does...", and presses it. In the middle of a block the engine shuts down, the horn blares, and the car's lights keep flashing on and off. Unable to restart it, the thieves abandon the car, and that owner was laughing when he got it back, unscathed, the same day. So this story shows how you don't always need an expensive complicated alarm system to get the job done.

Bricking the car

[Animats]

It's certainly possible to build an anti-theft system that can't be bypassed without replacing major components. But if it's too good, owners who lose the keys will have bricked their car. There's a tradeoff between repairability and security.

Re:Where can I get one?

[SternisheFan]

And does it work on SAAB cars? I was quoted $1500 to get a new key programmed.

The guy was a handy do-it-yourselfer type, had restored the car and rigged up the kill-switch/horn-blarer/light flashing system on his own. I remember he said it cost him about $60 in parts. It shouldn't be too hard to do. Google car kill switch or something and get some 'do it yourself' sites. Or pay a handy mechanic or car alarm guy to do it for you. Can't do this to a leased car or one the bank owns. The guy knew if he made the button low-key but obvious, if it ever got stolen, curiosity would finally get the better of the thief. Smart guy.

Re:this works great though

[Algae_94]

Push to start is spreading to more and more car makes and models. It won't be long now before the majority of new cars are all push button start.

Re:Where can I get one?

[HornWumpus]

Your car is totaled if you lose the key?

News Flash!

[LinuxFreakus]

All cars can be stolen in a matter of seconds. The key programming things are just a way for the dealers to rip people off charging $500+ for a new key which actually costs only a few dollars. There are reverse engineered or sometimes even authentic programming devices available for pretty much all but the newest cars (just wait a year or two and those will be available too).

Re:this works great though

[slashmydots]

That's stupid on so many levels it barely merits a reply. Anyone could walk off with a car if you can crank start it. Later models involved the use of a key regardless. You're clearly just a selfish idiot who wants to push a pretty button and feel all special and high tech. A laser-cut, 2-axis metal key with no chip is more than sufficient to stop digital theft (obviously) and costs about $2.75. As soon as your car starts with 0's and 1's, it's gone.

BMW living up to their own high standards

[Snorbert+Xangox]

Part of BMW's response FTFA:
"A vital point to acknowledge here is that there is no such thing as the ‘unstealable’ car, as Ron Cliff knows well. If a criminal decides they want your car, they will find a way to take it. Our job is to make it as difficult as possible."

Apparently, that means making it take three minutes, instead of, say, two and a half. Dare we dream one day of the car that can resist theft for... four minutes?

Re:BMW living up to their own high standards

[SternisheFan]

Part of BMW's response FTFA: "A vital point to acknowledge here is that there is no such thing as the ‘unstealable’ car, as Ron Cliff knows well. If a criminal decides they want your car, they will find a way to take it. Our job is to make it as difficult as possible."

Apparently, that means making it take three minutes, instead of, say, two and a half. Dare we dream one day of the car that can resist theft for... four minutes?

Repo guys use a flatbed truck that has forklift type blades that slip under the tires. Lifts the car out of any tight space without damage, in just a couple of minutes it's secured on the flatbed, being driven away, no key needed. Sophisticated car theft rings use this method.

/. has failed us.

[wuzzerd]

No one has posted a car analogy... Oh wait.

Woo!

[ctnp]

Glad mine's an '05!

Re:this works great though

[adolf]

Anyone could walk off with a car if you can crank start it.

But if by "anyone" you include today's uninitiated, then they've got a very good chance at "walking away" with a broken wrist and/or hand. That's good enough penance in my book: I'll let 'em drive the car until they can't, and refuse to press charges.

What's the benefit

[Compaqt]

OK. And now the next question is: So what?

I mean, what practical effect exactly do the fine tolerances have? That you can get from one stoplight to the next faster?

Well, you can't get there faster than the speed limit, so, again, so what?

Or, if it has no practical benefit, but rather it's more a matter of "I can afford it", that's fine, too, please state that. In that case, it would fall into the same category as fine china vs. normal dishware, silver vs. steel utensils, expensive wooden doors, "rich Corinthian leather" vs. fabric seats.

Re:What's the benefit

[Sicily1918]

Try driving one... not for a block or two, I mean really drive one, and you'll see why they're so freaking awesome. Very few cars come close to being as responsive and communicative -- I bought mine 10 years ago and it still keeps impressing me. This is coming from a *driver* point of view... badge-whores need not apply.

First, kill all the lawyers

[Compaqt]

The answer to the financial liability question is to have the self-driving cars mow down all the lawyers!

PKI

[Compaqt]

Would a PKI-based system not work? The way it works now, I imagine, is that all the dealers in the world share a single password for the backdoor.

Instead, why not store dealers' public keys in the cars, and also 50,000 more for new dealer expansion?

EU law

[bboros]

Does everyone really think that a company as large and professional as BMW made its cars vulnerable simply due to an oversight?

Here in the EU it is illegal for a car manufacturer to encrypt the comms between the diagnostics port and anything connected to it -- so that local garage mechanics can compete for the servicing of cars along with the manufacturer's service centres. Unfortunately it is this diagnostic port that is used to reprogram keys. Admittedly it doesn't help that the port is in the footwell.

BMW effectively have their hands tied by EU bureaucrats and I'd be surprised if other manufacturers aren't affected by the same rules.