Feeds

Got a BMW? Thicko thieves can EASILY NICK IT with $30 box

Your flash motor - gone in 180 seconds

Protecting against web application threats using SSL

BMWs and other high-end cars are being stolen by unskilled criminals using a $30 tool developed by hackers to pwn the onboard security systems. The new tool is capable of reprogramming a blank key, and allows non-techie car thieves to steal a vehicle within two or three minutes or less.

On-board diagnostics (OBD) bypass tools are being shipped from China and Eastern Europe in kit form with instructions and blank keys, says a news report linking the release of the tool to a spike in car thefts in Australia, Europe and elsewhere during 2012. Would-be car thieves need to grab the transmission between a valid key fob and a car before reprogramming a blank key, which can then be used to either open the car or start it, via the OBD system.

"Crooks only need to monitor a person using the key or interrogate the key fob to get enough information to decipher the key," explained Professor David Stupples, of the centre for cyber security sciences, at London's City University.

Weak cryptography combined with a security-through-obscurity approach in the OBD specification allows the tactic to succeed.

Other shortcomings of the OBD specification were detailed by Rob Van den Brink in a presentation (PDF) delivered at at SANS Technology Institute security conference earlier this year. Potential problems involving attacks on the OBD system of cars were first discovered by academics from the University of Washington and University of California-San Diego two years ago (PowerPoint slides here).

Police in the UK have also begun warning about the approach, which was highlighted by a recent BBC Watchdog investigation.

In response, BMW told the BBC that the carjacker/hacker technique was developed after its cars were designed and was limited to "older" BMW models – those built before September 2011. "Certain criminal threats, like the one you have highlighted, simply do not exist when cars are designed and developed. This does not mean the car companies have done anything wrong, neither are they legally obliged to take any action," it said.

The German car giant added that the issue was not limited to BMW, and promised to help mitigate the attack, in a statement published last Wednesday.

BMW prides itself on its vehicle security systems and all BMWs meet all UK and global security standards. Our engineers and technicians review all aspects of our vehicles constantly, including security systems.

After extensive research we are clear that none of our latest models - new 1 Series Hatch, 3 Series, 5 Series, 6 Series and 7 Series - nor any other BMW built after September 2011 can be stolen using this method. However, as a responsible manufacturer we are looking at ways of mitigating against this new kind of attack.

We are now in the process of offering, to any concerned customers of targeted models, extra technical measures which will mean that their car cannot be taken using the equipment highlighted in these stories, although of course there is no such thing as an unstealable car.

The OBD pwn method of car theft has been documented over recent months by the Daily Mail and car enthusiast blog Pistonheads, both focusing on the CCTV footage depicting the theft of Steve Wood's BMW 1M coupe from outside his home in Sutton Coldfields, in the West Midlands, as well as a steady stream of reports from much further afield, including a spate of thefts in Queensland, Australia.

A post on Pistonheads suggests that devices similar to those used in BMWs are also available for Opel, Renault, Mercedes, Volkswagen and Toyota cars. The relative exposure of the various car models from these manufacturers to theft via the technique remains unclear.

A spokesman for the Society of Motor Manufacturers and Traders, the UK trade association, said it was aware of the issue but wasn't able to say how many other manufacturers were involved. "BMW [is] updating its systems and it could well be that other manufactures will do something similar," he said, adding that although SMMT was working with UK police forces on the issue it didn't have any information to hand on the scale of the problem.

Extreme Tech notes that basic OBD readers from the likes of CarMD, Innova, or Actron are readily available and are normally used for legitimate purposes. One significant issue in creating the problem in the first place is that OBD data needs to be open so that third-party garages, and not just a closed shop of authorised BMW merchants, for example, can diagnose a faulty spark plug.

Our man at SMMT confirmed that OBD systems need to accessible and programmable to allow access to third parties because of EU rules designed to allow open competition in the car trade. ®

Bootnote

Thanks to Australian Reg reader Ivan J for his pointers to many articles on this prevalent and disturbing crime.

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.