Feeds

Got a BMW? Thicko thieves can EASILY NICK IT with $30 box

Your flash motor - gone in 180 seconds

High performance access to file storage

BMWs and other high-end cars are being stolen by unskilled criminals using a $30 tool developed by hackers to pwn the onboard security systems. The new tool is capable of reprogramming a blank key, and allows non-techie car thieves to steal a vehicle within two or three minutes or less.

On-board diagnostics (OBD) bypass tools are being shipped from China and Eastern Europe in kit form with instructions and blank keys, says a news report linking the release of the tool to a spike in car thefts in Australia, Europe and elsewhere during 2012. Would-be car thieves need to grab the transmission between a valid key fob and a car before reprogramming a blank key, which can then be used to either open the car or start it, via the OBD system.

"Crooks only need to monitor a person using the key or interrogate the key fob to get enough information to decipher the key," explained Professor David Stupples, of the centre for cyber security sciences, at London's City University.

Weak cryptography combined with a security-through-obscurity approach in the OBD specification allows the tactic to succeed.

Other shortcomings of the OBD specification were detailed by Rob Van den Brink in a presentation (PDF) delivered at at SANS Technology Institute security conference earlier this year. Potential problems involving attacks on the OBD system of cars were first discovered by academics from the University of Washington and University of California-San Diego two years ago (PowerPoint slides here).

Police in the UK have also begun warning about the approach, which was highlighted by a recent BBC Watchdog investigation.

In response, BMW told the BBC that the carjacker/hacker technique was developed after its cars were designed and was limited to "older" BMW models – those built before September 2011. "Certain criminal threats, like the one you have highlighted, simply do not exist when cars are designed and developed. This does not mean the car companies have done anything wrong, neither are they legally obliged to take any action," it said.

The German car giant added that the issue was not limited to BMW, and promised to help mitigate the attack, in a statement published last Wednesday.

BMW prides itself on its vehicle security systems and all BMWs meet all UK and global security standards. Our engineers and technicians review all aspects of our vehicles constantly, including security systems.

After extensive research we are clear that none of our latest models - new 1 Series Hatch, 3 Series, 5 Series, 6 Series and 7 Series - nor any other BMW built after September 2011 can be stolen using this method. However, as a responsible manufacturer we are looking at ways of mitigating against this new kind of attack.

We are now in the process of offering, to any concerned customers of targeted models, extra technical measures which will mean that their car cannot be taken using the equipment highlighted in these stories, although of course there is no such thing as an unstealable car.

The OBD pwn method of car theft has been documented over recent months by the Daily Mail and car enthusiast blog Pistonheads, both focusing on the CCTV footage depicting the theft of Steve Wood's BMW 1M coupe from outside his home in Sutton Coldfields, in the West Midlands, as well as a steady stream of reports from much further afield, including a spate of thefts in Queensland, Australia.

A post on Pistonheads suggests that devices similar to those used in BMWs are also available for Opel, Renault, Mercedes, Volkswagen and Toyota cars. The relative exposure of the various car models from these manufacturers to theft via the technique remains unclear.

A spokesman for the Society of Motor Manufacturers and Traders, the UK trade association, said it was aware of the issue but wasn't able to say how many other manufacturers were involved. "BMW [is] updating its systems and it could well be that other manufactures will do something similar," he said, adding that although SMMT was working with UK police forces on the issue it didn't have any information to hand on the scale of the problem.

Extreme Tech notes that basic OBD readers from the likes of CarMD, Innova, or Actron are readily available and are normally used for legitimate purposes. One significant issue in creating the problem in the first place is that OBD data needs to be open so that third-party garages, and not just a closed shop of authorised BMW merchants, for example, can diagnose a faulty spark plug.

Our man at SMMT confirmed that OBD systems need to accessible and programmable to allow access to third parties because of EU rules designed to allow open competition in the car trade. ®

Bootnote

Thanks to Australian Reg reader Ivan J for his pointers to many articles on this prevalent and disturbing crime.

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.