Your BMW can be stolen by any idiot with a $30 hacking kit

On-board diagnostics (OBD) security bypass kits, replete with reprogramming modules and blank keys, are reportedly enabling low-intelligence thieves to steal high-end cars such as BMWs in a matter of seconds or minutes.

According to The Register, the $30 bypass tools are being shipped from China and Eastern Europe in kit form to unskilled criminals.

It looks like it's not just BMWs, mind you.

A post on the car enthusiast site Pistonheads suggests that devices similar to those used to steal BMWs are also available for Opel, Renault, Mercedes, Volkswagen, Toyota and Porsche Cayennes.

UK police are also seeing fancy cars whisked away by criminals believed to be using the kits, with the deprived owners still having the keys in their possession.

It's becoming so prevalent, in fact, that Warwickshire police issued a press release warning BMW owners to take extra precautions, stating that 154 of the high-end cars have been stolen since January.

In August, London's Metropolitan Police left leaflets under windscreens, warning BMW owners their cars were likely to be targeted, according to a recent BBC Watchdog investigation into the thefts.

The tool was originally designed for garages and car recovery agents to get into different cars after owners had lost their keys. The kits have since been packaged up by criminal hackers, who have picked apart the security weaknesses of the OBD network.

To use the tool, car thieves first need to intercept the transmission between a valid key fob and a car. They can then reprogram the blank key and use it to start or open the car via the OBD network.

The BBC rolled its camera skyward while its news reporters were using the key in its Watchdog investigation, but I found online videos showing how easy it is to use the tool - or, at least, a device that fits the tool's description.

If the video I found is an accurate depiction, even the village idiot could be behind the wheel of a fine ride with a $30 investment and a few minutes.

(By the way, Naked Security has chosen not to embed the video because it may encourage criminal activity, and we have no wish to promote sales of such tools to unauthorised parties)

BMW last week put out a statement saying it's aware of the new method of car thievery and is looking into how to mitigate it.

One way is to not own a BMW built before September 2011, apparently:

"After extensive research we are clear that none of our latest models - new 1 Series Hatch, 3 Series, 5 Series, 6 Series and 7 Series - nor any other BMW built after September 2011 can be stolen using this method. However, as a responsible manufacturer we are looking at ways of mitigating against this new kind of attack."

Customers worried about theft of targeted models can call their local BMW dealer.

BMW's offering extra technical measures that it says will keep cars from getting ripped off with the hacking kits, although, it says, "there is no such thing as an unstealable car."

So what are the security holes in OBD?

As pointed out by Rob VandenBrink in a presentation (PDF) delivered at a SANS Technology Institute security conference in July, OBD looks like "a slower, dumber Ethernet (sorta)."

For details on those weaknesses, check out his paper.

In summary, VandenBrink says:

"Unfortunately, the On Board Diagnostic (OBD) network in our cars is completely open, completely documented, and is being pushed more and more to open, documented and unauthenticated wireless access."

But wait, there's more. Short of allowing your ride to be stolen, security researchers at the University of Michigan and the University of Washington have shown that OBD shortcomings allow these other automotive WiFi shenanigans:

  • Locking and unlocking doors
  • Honking the horn
  • Wireless attack through tire pressure sensors
  • Trojan delivered via music CD

This stuff isn't new. The CD Trojan piece goes back to 2011.

What's new is how erudite hacker knowledge of OBD's limitations has been commoditized and marketed in these easy-to-use, cheap kits.

Should you shake down your car manufacturer to get better defences?

Unfortunately, it probably won't do you much good if you do, between the need for mechanics to have some type of tool to get into your car and competition laws requiring open standards.

Here's what the Pistonheads post had to say about it:

"The reason this form of theft is currently so rife … - is that European competition rules require diagnostic and security reprogramming devices to be available to non-franchised garages. As we understand it, this effectively means that car companies cannot restrict access to or use of OBD ports."

"Unfortunately it also means that, to a certain extent, the hands of car companies are tied..."

What you can do: contact your car dealer to see if they have mitigation techniques that will help, as BMW promises.

The Warwickshire Police also offer these safety tips, although they are unlikely to be much of a deterrent to a determined OBD hacker who gains access to your vehicle:

  • Try the door handle after using your key to lock your car, to double check that it is actually locked.
  • Take a good look around when leaving the vehicle to see if you can spot anyone waiting nearby or in a vehicle in the vicinity, especially if you check and find the door to still be open.
  • Report anything suspicious to the police: they want to nab these guys.

Ultimately, it's worth remembering - as BMW admits - that there's "no such thing as an unstealable car".

Hat-tip: The Register

17 Responses to Your BMW can be stolen by any idiot with a $30 hacking kit

  1. Roger · 742 days ago

    Two other precautions (applicable to all vehicles with electronic key fobs) that may help preclude auto theft:
    1. Do not lock your vehicle using the key fob - ever/anywhere. This will preclude intercept of a lock command transmission, and its resulting transmitted electronic signature, when you depart your vehicle. This action should be accomplished even when you secure your vehicle at home and even in your garage. Lock your vehicle with the vehicle's internal locking button before closing the door (applicable only, of course, if the vehicle permits this type action). The other precautions, e.g. checking the area before initiating a key fob command, are especially applicable upon opening your vehicle with the key fob. (Note that using the vehicle's bypass key to open the vehicle will normally NOT disarm the alarm system that is normally automatically set when locking the vehicle.)
    2. Never turn your keys or key fob over to a parking lot attendant or use any type valet service when parking your vehicle. Use a different parking area where surrender of keys/key fobs is not required.

    • Randy · 741 days ago

      "2. Never turn your keys or key fob over to a parking lot attendant or use any type valet service when parking your vehicle. Use a different parking area where surrender of keys/key fobs is not required."
      There are other dangers to valet services too. Your advice is VERY good.

    • Sootie · 740 days ago

      Good advice, except when you realise that with most new cars you don't even get the key out of your pocket: as soon as you walk up to the car it's unlocked, and when you get out you just hit a button on the door to lock it. There is no way to avoid sending out a signal in this case.

  2. M P · 742 days ago

    1) BMW is rolling out a software update that fixes the issue http://www.e90post.com/forums/showthread.php?t=74... but as it is a software fix, it still has the potential to be hacked.

    2) Since physical access to the OBD II port must be obtained to clone the keys, the easiest way to mitigate this is to disable one of the 2 power ports for the OBD II interface via an inline on/off switch. An OBD kill switch, if you will. http://www.m3post.com/forums/showthread.php?t=714...

  3. theo · 742 days ago

    That device shown on the picture is sold by a Bulgarian company and it's presented on Youtube on a video uploaded by the company in 2009, so what is the fuss all about? Everyone is able to buy it for testing. Big deal, really.

  4. Mtawt · 742 days ago

    @Shabayek The OBD device sold in China for $30 to steal and start BMW cars also comes in versions for Opel, Mercedes, Volkswagen, Toyota and Porsche cars

  5. FoolFromTheHill · 742 days ago

    @Britvolante cheers matey

  6. Britvolante · 742 days ago

    @FoolFromTheHill a bear trap in the footwell should do the trick!

  7. Bob · 741 days ago

    As of Sept. 18, 2012, BMW USA says it is "not aware of the issue." I educated the person I spoke with about the issue when he said that. My local dealership was also clueless about the issue. The BMW USA representative told me that if enough BMW owners call in to ask what BMW is doing about this problem, then BMW would likely take action and may issue a service bulletin on the topic. I recommend that fellow BMW owners in the USA call BMW about this issue. They can be reached at 800-831-1117. Until I am told differently, I don't know why this issue would be limited to the UK.

    • John Q · 729 days ago

      It is an issue only in the EU. If you read the article, 'is that European competition rules require diagnostic and security reprogramming devices to be available to non-franchised garages', what that means is they are not allowed to lock out the security functions, so all functions are allowed in the EU by anyone with a programmer, where in the US it is not.

      Why panic over something that will not work? It is not possible without an authorized device, which is costly. Watch some of the Towing TV reality shows, one of them tried this trick on several newer BMW cars, and it did not work. His partner had an authorized device and was able to program a new keyfob for the cars in minutes. It was funny and made the point very clear.

      Sometimes the devil is in the details and big government is really bad even if they claim they are here to help.

  8. eiyetgshsu46 · 741 days ago

    This product does NOT cost $30. The device shown in the video screenshot costs 8000 EUR and is available at several easy-to-find websites. Get your damn facts straight.

  9. Alex · 741 days ago

    OBD being open is a GOOD thing, not just for independent garages but home mechanics too. This is all scaremongering because the BMWs in question have blind spots in the interior ultrasonic sensor coverage. It just so happens that the OBD port is located in one of these blackspots. If the port were disabled with the ignition off or relocated to a more central position in the car, it wouldn't be an issue!

  10. Shane · 740 days ago

    If open documentation of a system reduces the security of that system, then that system's security is fundamentally broken.

    It can be useful to limit documentation only to people who need it, with the theory that if people don't need to know then there is no value in letting them know, meaning potentially all risk and no benefit. But this should not be relied on!

    If all it takes to break a system is a documentation leak, then build a better system.

    I know of security key fobs which utilize two-way challenge/response systems where there are millions of questions and associated answers that are known to both ends, being the fob and the car alarm/immobilizer in this case.

    The questions and answers are essentially just numbers in a two field lookup table consisting of millions of entries. The fob is pressed to request the car to unlock, the car then asks the fob a "question" randomly chosen from a list of millions and if the fob can find the correct answer in its challenge/response table it replies to the car with it and the car complies.

    This is also rate limited, to prevent brute force attacks.

    A challenge/response system with 1 question/answer pair is susceptible to replay attacks and if this is what the big makers are using, it is unforgivable.
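The scheme described in comment 10 above, sketched as an added example (not code from the post, the commenter or any manufacturer): the car picks a random entry from a shared table, accepts only the matching answer, and locks out after repeated failures. The class and function names, the 16-byte answers and the lockout threshold of 3 are assumptions made for illustration.

```python
import secrets

class Immobilizer:
    """Car side: shared answer table, single-use challenges, failure lockout."""

    def __init__(self, table, max_failures=3):
        self.table = table              # table[challenge] -> expected answer
        self.max_failures = max_failures
        self.failures = 0
        self.pending = None

    def issue_challenge(self):
        if self.failures >= self.max_failures:
            return None                 # rate limit: refuse further attempts
        self.pending = secrets.randbelow(len(self.table))
        return self.pending

    def verify(self, response):
        challenge, self.pending = self.pending, None   # never reuse a challenge
        if challenge is None:
            return False
        ok = secrets.compare_digest(self.table[challenge], response)
        self.failures = 0 if ok else self.failures + 1
        return ok

def make_table(n):
    """Constructed sample table: n random 16-byte answers, indexed by challenge."""
    return [secrets.token_bytes(16) for _ in range(n)]

def replay_recorded(table_size, attempts=10, max_failures=3):
    """Replay one captured response; return (replays accepted, challenges issued)."""
    table = make_table(table_size)
    car = Immobilizer(table, max_failures)
    challenge = car.issue_challenge()
    recorded = table[challenge]         # the fob's answer, as seen on the air
    car.verify(recorded)                # legitimate unlock succeeds
    accepted = issued = 0
    for _ in range(attempts):
        if car.issue_challenge() is None:
            break                       # locked out
        issued += 1
        accepted += car.verify(recorded)
    return accepted, issued

if __name__ == "__main__":
    print("1 pair:         ", replay_recorded(1))
    print("1,000,000 pairs:", replay_recorded(1_000_000))
```

With a single pair every replay of the recorded answer is accepted; with a million pairs a replay matches only if the same challenge happens to be drawn again, and the lockout stops the attempts after three failures.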

  11. You've shared some important shots about the Your BMW can be stolen by any idiot with a $30 hacking kit as I think. Actually I lost my cars and got much sorrow. It was stolen by someone so your post gonna help me to get more conscious about the car safety as I think. Have a nice day dude....

  12. Kenneth Scott · 442 days ago

    Now-a-days stealing a car is easy. Car can be stolen by a thief through hacking-kit. The tool was originally designed for garages and car recovery agents to get into different cars after owners had lost their keys. The kits have since been packaged up by criminal hackers, who have picked apart the security weaknesses of the OBD network. Car users should be more conscious and alert to avoid such incident.

  13. Mark Taylor · 410 days ago

    Car thieves are very much active these days and they are very smart in their works. They can easily take your car from you and you will not catch them, because you can't be able to find anything regarding them. They are using the latest technology and idea to do such things. They are using their brain so smartly that you will not able to catch them easily.

  14. Sullavan · 383 days ago

    In same when a car owner is naming or decorating then the car comes in to a new look. It is the additional part of car service. The above video clip is good if the process shown in this would less speed then the technique come to our capture and everything clearly visible.

    Now car theft becomes a common crime in our society for why peoples like to do insurance for future safety. For that they paid lots of money in an installment manner, but now it is the time to pay a less amount of money for car insurance. I think it is better for a car owner. I thank to this blog for giving us such wonderful and useful information.

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.