BMW Traps A Car Thief By Remotely Locking His Doors (cnet.com)
An anonymous reader quotes CNET:
Seattle police caught an alleged car thief by enlisting the help of car maker BMW to both track and then remotely lock the luckless criminal in the very car he was trying to steal... Turns out if you're inside a stolen car, it's perhaps not the best time to take a nap. "A car thief awoke from a sound slumber Sunday morning (November 27) to find he had been remotely locked inside a stolen BMW, just as Seattle police officers were bearing down on him," wrote Jonah Spangenthal-Lee [deputy director of communications for the Seattle Police Department].
The suspect found a key fob mistakenly left inside the BMW by a friend who'd borrowed the car from the owner and the alleged crime was on. But technology triumphed. When the owner, who'd just gotten married a day earlier, discovered the theft, the police contacted BMW corporate, who tracked the car to Seattle's Ravenna neighborhood.
The 38-year-old inside was then booked for both auto theft and possession of methamphetamine.
Good for the guy who got his car back, and good that they put the would be thief away, but still, can't say I much like the idea that our corporate overlords can track your car (and therefore movements) and remotely lock down your vehicle.
I don't see why this is a story on Slashdot
If it's possible to lock someone inside a car — which is a really terrible feature, by the way — then how long before some car's AI flips out and drives off a bridge — into a river — with passengers inside...and locks the doors shut?
... if there's no mechanical override to open a door from the inside, how long until the first BMW-Owner burns in his own car because the electronics is offline/damaged (or just some moron in bavaria fucked up the security system)...?
I found on documentary called Robocop II.
This incredibly rare set of circumstances is exactly why we should happily and unquestioningly give our freedoms and privacy away to corporations and to the government!
#DeleteChrome
Pulling the door opener lever on the door of a car overrides the locking mechanisms. This is a fire-safety requirement. The guy was probably just still asleep when the cops found the car.
People died while being locked in cars.
Two examples are : car fallen in the water, and people sleeping in a car while owner and friend locked it. The owner came back after a long hot weekend, his friend was dead inside.
Double lock is a dangerous feature.
aaaaaaa
but how does he get locked in if nothing else he could break the window. don't think the thief would care about the property itself per se.
Oh wait, Hastings was locked inside a Mercedes as it crashed. Obviously no relation to this BMW story.
Then again, I'm a bit surprised that they revealed the capability so publicly. It's not like any dictators or powerful authorities would ever abuse such a capability.
(Don't look at me. I've gone completely paranoid now. I even think Snowden is just a sincere pawn and he was never allowed near any of the really dark stuff.)
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
My car automatically locks the doors when I drive. It unlocks when I pull the interior door handle. I've had the door card off, and there's a mechanical link from the interior door handle to the lock. So is there a separate mechanism that defeats this mechanical link?
I'm glad it was a thief with doors. A doorless thief would have escaped.
But I wonder how did they lock his doors remotely?
...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
Their R&D center was located on Chappaquiddick Island in Massachusetts. After a tragic accident as a result of Soviet hacking, Oldsmobile closed the center in 1969.
"The average reporter we talk to is 27 years old......They literally know nothing." - Ben Rhodes
I have never seen a "modern" car that doesn't have headrests. Those headrests can be detached and the metal spikes used to break the passenger windows.
I believe this is called man trapping and it's illegal. If nothing else, it's false imprisonment until the thief is actually tried and convicted of the crime.
The "feature" has already caused at least one death.
Last week, a burglar pried apart some security bars at my business and squeezed in. He was able to make off with some stolen goods because once inside, he was easily able to open the locked exit door. Fire codes require that all building exit doors accessible to the public be openable from the inside even when locked. These laws were made after repeated fires with huge death tolls exacerbated by locked exit doors. That's what the bar on the door you press when leaving most restaurants and stores does. Even when the door is locked, pushing the bar from the inside will open the door. That way if a fire breaks out, you're not trapped inside because the only person who has the key was the idiot who started the fire and is dead.
Same thing with refrigerators - both the old stand-up units which latched shut, and walk-in refrigerator/freezers used in restaurants. Too many people (especially kids playing) were dying after being trapped inside, that laws were passed requiring a mechanism which allows someone inside to open the latch on the outside.
I don't see why cars should be any different. Yes easy egress makes thievery easier. But preventing that is just not worth the potential loss of life. Any car designer who thinks this is a good idea should be locked inside one of their cars on a sunny day until they admit it's a terrible idea. Heck, after dozens of kids dying each year after being locked in the trunk of a car while playing, we finally passed a law mandating a release mechanism inside the trunk. And some idiot car designer decides it would be a good idea to make it impossible for someone inside the passenger compartment to exit at will? Shame on BMW for trying to spin this to the press as a "helpful" feature.
Either the owner forgot to lock their car, or BMW have some poor design decisions if a keyfob locked in the car still works.
Much less expensive Mazda keyless locking prevents a key fob left in a locked vehicle from starting the car.
In an emergency, you're supposed to be able to break a car's side windows.
I supposed the "sun-cooked" guy had passed out (alcohol ? heat shock, while he was asleep ?) before realising he should get out of the car.
I'm more surprised that the thief didn't try to break out of the car. But, on the other hand the lock has happened while he was napping inside the car, so he might not have realised what had happened and did not realise he should run away as fast as possible before the police arrives.
I would be much more worried about the remote disabling of the car :
- was some form of owner's access required in order to do the disabling ? (i.e.: the owner's second fob is needed in order to validate the instruction to lock and ignore the stolen fob ?)
- or does any sufficiently high executive at BMW have the power to shut down any random car ?
Also : is the remote access limited to very simple instruction (locking doors and revoking fobs - which as mentioned above shouldn't be dangerous except under special circumstances) or can the car be remotely shut down while it is driving ?
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
I don't understand why the owner didn't just use the app to lock his own car, it would have been quicker even if they started without the app than calling the local police and have them call bmw.
This is why when you're in your car, you should keep a glass shattering hammer for a quick escape whether if you're trying to steal a car or escape from a car quickly getting submerged in water.
he was a copyright infringer.
Probably.
I mean, who would want a kraut kar?
Hold people hostage, not harddisks!
Of course, it's IoT, so we shouldn't question the benefits.
All generalizations are false, including this one. (Mark Twain)
Not that I would in the first place.
Remotely locking someone into a car (assuming that part of the summary is accurate) would be a very severe safety issue. What if you went off the road into a body of water? What if the car was on fire? What if it were an extremely hot/cold day? The capability of the car electronics denying a person the ability to get out of the car creates all kinds of scenarios that put people's lives in jeopardy. If it could be limited to car thieves only you might have a point, but with people hacking cars, governments ever expanding their authority & malfunctions that cannot be guaranteed.
Does that make the operator there a police officer legally arresting people just because... he can?
The last thing I'd want is the car back. Think about it, some meth head locked in there pissing, shitting, sweating, and meth heads stink.
You'd have to torch the car to get rid of the smell.
Sorry, but that is Felony kidnapping. A carmaker has no right to confine someone against their will, and Police have no right to make up the Law as they go along and confer that ability on someone who is not an agent of the State charged specifically with that power.
Police do not have the right to waive the kidnapping laws.
"Have you ever tried to punch through a window? I don't think it's as easy as it is on TV. I guess you can use a belt buckle to help, but you still probably injure your hand. Anyone know?"
Well look at the Cobra Kai prick. He was fooled into punching out not one but two different car windows in a parking lot. Despite his prior military service, his bad-ass teaching of mercy is for the weak, he is instantly brought to his knees in shock by an Asian midget.
If you're going to steal modern luxury cars, make sure your dealer is trustworthy enough not to swap your meth out for ketamine.
Mythbusters did a segment on this, and maybe a revisit. A pointy object certainly helps. Kicking with both feet can do it, though. The side windows are just tempered glass, not the plastic-laminated safety glass.
On the other hand, tapping the EDGE of the glass, such as when trying to unlock the car with a coat hanger, can easily shatter the window. That happened to me and I didn't hit it hard at all.
Yes, hammers look like stupid overkill. But people die in flash floods, often of underpasses. How? If the car stalls out because the water is deeper than expected, you or weaker family members will not be able to open the doors due to water pressure. If you don't get the windows open (due to hard rain?) before the power to them dies, you will have to break windows or drown. Nasty progressive trap.
And if the car thief had kidnapped some child in the process and the car had caught fire? BMW would be responsible for that. I was thinking about getting a BMW, but not anymore.
Here's one example. I don't know anything about this seller but I bought this exact tool some time ago on Woot.com. You can find somewhat similar tools on Amazon and other websites under the name "life hammer" or "safety hammer".
http://www.dhgate.com/product/...|3634601311
On some cars that have a rollover sensor, a car thief can unlock the door by climbing on the roof and use his/her fist to bang on the roof where the sensor lies, just sayin'.
This is a classic example of how even when you pay for a car, you don't really own it. (kind of like iPhones) Anyone could give any reason for "hijacking" the car. If the OWNER of the car could do this, okay. But this had to be done by BMW CORPORATE. Bit of a difference. Cars today should be scaring us. One has to assume any car with a remote lock can remotely imprison you. It's like that scene in the movie "Minority Report": you can be locked in your own car and "kidnapped" to wherever "big brother" (or smarter hacker using big brother's back doors) says you should be taken and that could create a LOT of havoc. We should seriously be rethinking this. You can say "big win against thieves" this is really a side effect, not the primary purpose. The real purpose, is to keep complete ownership of the vehicles and you in the hands of big brother + corporate. The obvious ability to be abused by government agencies and hackers alike don't matter to the creators or the governments that promote them. I wonder if Russian cars are implementing this feature yet. (Putin would LOVE it I'm sure). It's like that NSA information dragnet; it was never designed to protect the common citizen, just the common interests of those who already have perhaps a bit too much power already.
"Imagination is more important than knowledge" - Einstein
still inside the car?
How did the cops unlock the doors? Does that car have door locks that can't be opened from the inside, but can open from the outside? Reverse Bavarian Logic?
I've worked in government, where regulations forced specific security requirements. Because the regulations were based on some guy's understanding that was slightly outdated and slightly questionable at time they were written, they were completely outdated and foolish by the time we were following them.
As an example, regulations require the use of MD5, though weaknesses were found in MD5 in 1996 and it was more completely broken in 2004-2007. SHA-1, SHA-2, or SHA-3 would be much more secure, but regulations require MD5.
The federal standards relating to classified information are *better* at confidentiality though they don't account for the most recent threats, but they are wholly inappropriate for many tasks. They're also expensive and restrictive to implement because they require that each module be certified ("validated") which can take two years and several hundred thousand dollars - per module.
If there's anything that can be done on the legal side which can actually work, I think it'll be around liability. If you sell a product or service that gets hacked, you're liable unless you can prove that you followed best practices. A problem there is apparent if you've watched a locksmith unlock a few things. I used to work as a locksmith, and most locks, locks that follow industry standards, take about 30 seconds to open (hack). The highest security locks you'll normally find are made by Medeco. They take many minutes, even an hour or more, to open without a key. IT security isn't completely different, there's no magic that will keep a skilled attacker from abusing a system.
What we *can* do is harden systems against script kiddies and accidents - be sure that our systems don't allow employees to accidentally set our customer database to be directly accessible via the web, and our web site doesn't crash when John O'Reilly registers because he has an SQL "quote" in his name.
I've been doing information security full time for twenty years and before that I studied law. I don't see any clear way that law can improve information security much. Attempts to do so may well just make things more expensive, and possibly no more secure.
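The John O'Reilly case from the comment above, as an added example that is not part of the original comment: a registration routine that pastes the name into the SQL text fails on the apostrophe, while one that binds it as a parameter stores it unchanged. The table, function names and sample names are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample registrations; the second is the name used in the comment.
SAMPLE_NAMES = ["Jane Smith", "John O'Reilly"]


def open_db():
    """Create a throwaway in-memory customer table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return db


def register_concat(db, name):
    """Fragile: the name becomes part of the SQL text, so a quote ends the literal."""
    db.execute("INSERT INTO customers (name) VALUES ('" + name + "')")


def register_param(db, name):
    """Hardened: the name is a bound parameter and is never parsed as SQL."""
    db.execute("INSERT INTO customers (name) VALUES (?)", (name,))


def try_register(register, names):
    """Run one registration routine over names; return (stored, failed)."""
    db = open_db()
    failed = []
    for name in names:
        try:
            register(db, name)
        except sqlite3.Error as exc:
            # Record which input broke the statement and how.
            failed.append((name, type(exc).__name__))
    stored = [row[0] for row in db.execute("SELECT name FROM customers ORDER BY id")]
    db.close()
    return stored, failed


if __name__ == "__main__":
    for routine in (register_concat, register_param):
        stored, failed = try_register(routine, SAMPLE_NAMES)
        print(routine.__name__, "stored:", stored, "failed:", failed)
```
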
This seems like the kind of thing that should have been a chapter in Doctorow's "Car Wars" short story.
Good to see yet another example of the law working out well for those with money.
Something tells me that the police would not have been so determined if it was a hooptie that was stolen...
My eyes reflect the stars and a smile lights up my face.
What is with this obsession with giving every fucking product an umbilical cord to its corporate overlord? Fuck this bullshit. When I buy a product it's mine. It is no longer yours. You have no say in how, when, where, or for what purpose I use it.
Seems obvious but other than being asleep, why not just roll down the windows if they locked the doors? Unless of course they disabled the whole car which is even worse/dangerous ability to have remotely.
I know I keep a ball peen hammer in the door of my car in case of a water crash as mentioned by many above. Dad saw a documentary or something and bought it for me. I figure it also might serve for self defense if it ever came to it.
...What we *can* do is harden systems against script kiddies and accidents - be sure that our systems don't allow employees to accidentally set our customer database to be directly accessible via the web, and our web site doesn't crash when John O'Reilly registers because he has an SQL "quote" in his name.
I agree we can do a lot to secure systems, but then we also have to mitigate the risk of insider threat. The more valuable an "inaccessible" resource is, the greater the risk of an insider selling access.
I've been doing information security full time for twenty years and before that I studied law. I don't see any clear way that law can improve information security much. Attempts to do so may well just make things more expensive, and possibly no more secure.
The fact that it may be no more secure after considerable investment is partly the reason companies appear to simply be rolling over, and writing off network breaches and stolen data as the "cost of doing business" rather than actually investing to better Security all-around. Believe me there are days when I struggle as to whether or not InfoSec actually has a viable future, or if it will merely be converted to another form of insurance to legally cover the inevitable while not really doing anything to prevent it.
BMW Traps A Car Thief By Remotely Locking His Doors
They're not his doors, though, are they?
systemd is Roko's Basilisk.
worse yet, your autonomous Uber will scan your face when you get in and take you directly to the police if you have any outstanding warrants.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
A friend of mine (hey Gabo!) managed to completely shatter a tempered office window at work years ago by throwing a tiny piece of quartz at it. His intention was to get somebody's attention on the other side of it....whoops.
Kim Jong-un or Vladimir Putin, or some unknown nutcase wants to destroy the US. It's December or January. The weather forecast calls for a major blizzard to hit the US east coast in the evening, followed by a massive Arctic outbreak that'll send temperatures plummeting. Everyone expects to be home from work by then, and to have stopped off at the local store for groceries, in case the snowfall is really bad, and it's a snow day tomorrow.
But spies have found car shutdown codes (via blackmail or whatever). It's not necessary to stop every car. You know how badly a couple of accidents can snarl traffic during rush hour. Now imagine several hundred, or a few thousand, cars simultaneously shutting down in a major city during rush hour... absolute gridlock. After 2 or 3 hours, drivers realize that things aren't going to improve, so they start abandoning their cars and walking to safety. At least the ones who aren't locked inside.
Let's say you're within walking distance of a major store or shopping mall or hotel. So you get to survive the night. Then what?
Oh yeah... the blizzard hits, followed by the cold front, as forecast. With all the abandoned vehicles clogging the roads, food and fuel deliveries are impossible. Electrical and gas utility trucks can't get out to do minor repairs, and minor problems escalate into major problems. The hostile foreign power also uses an IOT DDOS attack to knock out electrical power control centres, causing blackouts.
People start dying from starvation and lack of heat. Martial law is declared...
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
Had it been put to good use, this comment wouldn't be here.
I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
We've had the ability to virtually eradicate auto theft since the 1970's. There's only 2 ways to steal a car, drive it or tow it. Locking brake systems immobilize vehicles rendering them immovable, thus virtually unstealable. However, for every vehicle stolen, another is sold. (the replacement), so auto industry lobbyists have fought hard both hide this fact and ensure no laws are enacted. All other electronic gadgets are just distractions.
Good advice. Sadly, car manufacturers should have a manual old school override in all the cars today to let you roll down a window without power. Even if it just on one of the four doors, it'd help.
People are ALWAYS giving up freedom, for security. Bunch of sheep! Way I look at it is if you were dumb enough to loan your car to someone who wasn't responsible enough to take care of it, you deserve what you get. We gave up freedoms (USA) LONG ago...people willingly click accept with every app they download, every computer program they install, shoot, every time they turn on a television, talk on the phone, use a computer, and pretty much BREATHE. Orwell was right in 1984, just a couple decades off, that's all.
I'm looking forward to the day where private car ownership is illegal so anyone going against social norms/laws can be quietly and calmly driven to the nearest Soylent Green factory for "re-education" by their fully autonomous Uber ride.
Call me strange but I don't want a car where the manufacturer or anyone else can use it to locate you and/or lock your doors.
So bill collectors could have them locate and lock your car, with you in it, till they are paid.
Some drink at the fountain of knowledge. Others just gargle.
So the thief would not just roll down the windows?
Some drink at the fountain of knowledge. Others just gargle.
> Believe me there are days when I struggle as to whether or not InfoSec actually has a viable future, or if it will merely be converted to another form of insurance to legally cover the inevitable while not really doing anything to prevent it.
The insurance companies have the best risk management experts in the world, because reducing risks saves them billions. They created Underwriters' Laboratories (UL Listed), the National Fire Protection Association (writes the fire code), etc.
As infosec matures, the involvement of insurance companies, with their pragmatic, data-driven approach to risk management, may be exactly what provides our field with usable professional standards and a degree of job security. Most companies meet the fire code, and the UL standards; that's not considered optional. Something like that could be very good for information security.
Did friend get the guy's attention? I'm guessing probably so!
What was the political persuasion of the BMW's owner. Also what was the race / ethnicity of the would be thief.
If the Owner was a liberal and the thief was a white crackhead (most likely) then this is a great use of corporate omniscience. We need the corporations to look after the valuable property of coastal liberals.
Now on the other hand if the owner was one of those evil republican white people and the thief was a disadvantaged minority, then this is truly a scary view of a dystopian future where the corporations and government are in cahoots to prevent minorities from using the excess transportation potential of greedy republicans to ferry their sick children to the hospital.
> Believe me there are days when I struggle as to whether or not InfoSec actually has a viable future, or if it will merely be converted to another form of insurance to legally cover the inevitable while not really doing anything to prevent it.
The insurance companies have the best risk management experts in the world, because reducing risks saves them billions. They created Underwriters' Laboratories (UL Listed), the National Fire Protection Association (writes the fire code), etc.
As infosec matures, the involvement of insurance companies, with their pragmatic, data-driven approach to risk management, may be exactly what provides our field with usable professional standards and a degree of job security. Most companies meet the fire code, and the UL standards; that's not considered optional. Something like that could be very good for information security.
Your analysis is correct, but I feel the solution could actually be driven by pressure to comply with already existing industry standards (NIST, ISO 27K, et al), rather than succumb to the Dark Side, propitiated by wealthy risk peddlers looking to get even richer at industry expense.
In other words, it's rather sad and pathetic we would have to resort to mandatory InfoSec insurance in order for improvements to happen when a healthy dose of common sense would do wonders.
> ISO 27K, et al), rather than ... propitiated by wealthy risk peddlers looking to get even richer
ISO 27K started as the policies created and colored by Royal Dutch/Shell Group, the big bad oil company. Then government-sponsored organizations got their hands on it and turned it into something few people will ever read and comprehend, much less follow.
> a healthy dose of common sense would do wonders.
It would help, but remember 99.999% of people don't do infosec for a living. Our best targets are probably developers, whose main priorities right now are the fires they need to put out, then the user stories in this two-week sprint. We'd like them to get (and pay attention to) security training, they legitimately need to spend most of their limited training time learning the new framework they are supposed to be using next year, etc. At the executive level, where they buy and sell entire COMPANIES, the well-informed executives understand what each DEPARTMENT does; they don't know HMAC from HVAC. At that level, everything is a budget item. Security is a budget item, meaning the junior executives, if they're good, actually pay attention to the sales pitch from Alert Logic or Fireeye.
It's not that these people aren't doing their job, it's that their job is spinning off a division of the company, not verifying the configuration of a VPN concentrator. If we're lucky, they'll contract with a good, full-service security company who DOES have thousands of security professionals on staff, such as Alert Logic. Unfortunately that largely depends on the sales people who pitch the executives. You can, in theory, force COMPLIANCE (or at least the illusion of compliance), but of course compliance is only loosely correlated with security.
The next related article is going to be how a car thief caught in the act, has successfully sued BMW for kidnapping and imprisonment.
Damages awarded by jury will be in the $8-10M range.
GUARANTEED
Car locks the doors, closes the garage and starts the engine. Assuming it's not an electric car, that will be the first robot-initiated homicide.
“Common sense is not so common.” — Voltaire
Combine the locked car that you cannot escape from with self-driving, both controlled remotely by someone else, and you have a lot of scary scenarios.
I'm sorry, I refuse to go on a human rights/corporate spying screed on this one.
A criminal got caught doing something stupid. Catching stupid criminals makes me happy. I'd like more of this please.
if he was a user, he wouldn't have been able to sleep in the car.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
It might be illegal to do this on your own. I assume the police were somehow involved.
In my old-timey car from 2007, if you try to use the door handle from inside the car when it is locked, the door will still open (unless you are in the back seat and the child lock is enabled). This is a mechanical mechanism, so it works even if the power has been cut. Also, it has a latch inside the trunk that can be used to open it from within (also mechanical).
Funny how car designers went from being customer-safety focused to being police-state-enabling focused in less than ten years.
Could be they deployed the knock out gas after locking the car and making sure it wasn't moving.