Feeds

Got a BMW? Thicko thieves can EASILY NICK IT with $30 box

Your flash motor - gone in 180 seconds

SANS - Survey on application security programs

BMWs and other high-end cars are being stolen by unskilled criminals using a $30 tool developed by hackers to pwn the onboard security systems. The new tool is capable of reprogramming a blank key, and allows non-techie car thieves to steal a vehicle within two or three minutes or less.

On-board diagnostics (OBD) bypass tools are being shipped from China and Eastern Europe in kit form with instructions and blank keys, says a news report linking the release of the tool to a spike in car thefts in Australia, Europe and elsewhere during 2012. Would-be car thieves need to grab the transmission between a valid key fob and a car before reprogramming a blank key, which can then be used to either open the car or start it, via the OBD system.

"Crooks only need to monitor a person using the key or interrogate the key fob to get enough information to decipher the key," explained Professor David Stupples, of the centre for cyber security sciences, at London's City University.

Weak cryptography combined with a security-through-obscurity approach in the OBD specification allows the tactic to succeed.

Other shortcomings of the OBD specification were detailed by Rob Van den Brink in a presentation (PDF) delivered at at SANS Technology Institute security conference earlier this year. Potential problems involving attacks on the OBD system of cars were first discovered by academics from the University of Washington and University of California-San Diego two years ago (PowerPoint slides here).

Police in the UK have also begun warning about the approach, which was highlighted by a recent BBC Watchdog investigation.

In response, BMW told the BBC that the carjacker/hacker technique was developed after its cars were designed and was limited to "older" BMW models – those built before September 2011. "Certain criminal threats, like the one you have highlighted, simply do not exist when cars are designed and developed. This does not mean the car companies have done anything wrong, neither are they legally obliged to take any action," it said.

The German car giant added that the issue was not limited to BMW, and promised to help mitigate the attack, in a statement published last Wednesday.

BMW prides itself on its vehicle security systems and all BMWs meet all UK and global security standards. Our engineers and technicians review all aspects of our vehicles constantly, including security systems.

After extensive research we are clear that none of our latest models - new 1 Series Hatch, 3 Series, 5 Series, 6 Series and 7 Series - nor any other BMW built after September 2011 can be stolen using this method. However, as a responsible manufacturer we are looking at ways of mitigating against this new kind of attack.

We are now in the process of offering, to any concerned customers of targeted models, extra technical measures which will mean that their car cannot be taken using the equipment highlighted in these stories, although of course there is no such thing as an unstealable car.

The OBD pwn method of car theft has been documented over recent months by the Daily Mail and car enthusiast blog Pistonheads, both focusing on the CCTV footage depicting the theft of Steve Wood's BMW 1M coupe from outside his home in Sutton Coldfields, in the West Midlands, as well as a steady stream of reports from much further afield, including a spate of thefts in Queensland, Australia.

A post on Pistonheads suggests that devices similar to those used in BMWs are also available for Opel, Renault, Mercedes, Volkswagen and Toyota cars. The relative exposure of the various car models from these manufacturers to theft via the technique remains unclear.

A spokesman for the Society of Motor Manufacturers and Traders, the UK trade association, said it was aware of the issue but wasn't able to say how many other manufacturers were involved. "BMW [is] updating its systems and it could well be that other manufactures will do something similar," he said, adding that although SMMT was working with UK police forces on the issue it didn't have any information to hand on the scale of the problem.

Extreme Tech notes that basic OBD readers from the likes of CarMD, Innova, or Actron are readily available and are normally used for legitimate purposes. One significant issue in creating the problem in the first place is that OBD data needs to be open so that third-party garages, and not just a closed shop of authorised BMW merchants, for example, can diagnose a faulty spark plug.

Our man at SMMT confirmed that OBD systems need to accessible and programmable to allow access to third parties because of EU rules designed to allow open competition in the car trade. ®

Bootnote

Thanks to Australian Reg reader Ivan J for his pointers to many articles on this prevalent and disturbing crime.

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.