Ducati Diavel - power, speed, looks, and a vulnerability lesson for Friday afternoon

Filed Under: Data loss, Featured, Law & order, Vulnerability

Naked Security reader Sean, who has an eye (and an ear and a nose) for wacky security holes - especially those which make for amusing reading on a Friday afternoon - recently pointed me at a vulnerability disclosure headlined Ducati Diavel Motorcycle Default Ignition Password.

The vulnerability disclosure, which appeared back in April, was based on a story published by a security blogger who was recounting his recent test ride of the nutty-but-you-know-you-secretly-want-one Ducati Diavel motorcycle.

The Diavel is, by Ducati standards, something of a lump, tipping the scales at 210kg. The top-of-the-range Ducati sports racer, the 1198SP, is just 168kg.

But the Diavel is only 8bhp and 3Nm shy of the superbike in power and torque, pumping out a handy 162bhp and 128Nm. That is, in a word or so, quite a lot.

Enough, if Ducati is to be believed, to get you and the Diavel's lardy 210kg up to a metric ton (100km/hr, aka 62mph) in just 2.6 seconds. You'd need a Bugatti Veyron to do better than that on four street-legal wheels.

The bad news, according to the unnamed blogger, is that the Diavel has a digital ignition switch with a PIN that is the same as the last four digits of the bike's VIN (Vehicle Identification Number).

Since the VIN is indelibly - and visibly, and by law - engraved into the bike's frame, this vulnerability is easily abused. Stop to admire the bike's curves. Read off the PIN from the VIN. Start her up.

And there you have it: a drive-away exploit!

Except that the story appears to be a load of old rope. According to Martin Rees, the Managing Director of Ducati Glasgow, this is a simple case of drawing a conclusion from a study with an insufficient sample size.

The bike lent to the unnamed blogger happened to have its digital ignition enabled, and had a PIN that had been set by the dealer to match the VIN.

That says nothing about all the other Diavels in the world - and, apparently, Ducati did the right thing from a computer security perspective: the Diavel's digital ignition system is off by default, and doesn't have a default PIN in any case.

The moral of the story is simple: don't make inferences from a sample size of one.

Oh, and perhaps the unnamed dealer in the unnamed blogger's story should take some advice on how to choose a proper password :-)


, , , , , , ,

You might like

4 Responses to Ducati Diavel - power, speed, looks, and a vulnerability lesson for Friday afternoon

  1. Rayza · 1443 days ago

    I'm pretty sure that the PIN was set that way so that the test rider didn't have to remember an arbitrary number. So you can hardly blame the dealer for setting the PIN that way. I'm sure the PIN is able to be reset after the test rider has returned the bike.

  2. chris nickerson · 1443 days ago

    since i'm the one that wrote the blog post...... i can agree.... no idea why it was what it was... but had 3 other reports of this.... prolly a bad practice by dealers. The sample size was 3.... and there were reports of 2 others that i could not confirm... So.... please do SOME fact checking before ya call anyone out..FYI. I never in any way said it is like that on all.. just a recount of MY experience.

    I am kinda sad that for an "intelligent" AV company.... you couldn't see the "NICKERSON" as the author and all the creds that say who wrote it.

    Chris Nickerson....<- that's the name of the person who write this response<-

    have any further questions about it.. id be happy to answer... I still bought one and i am working on some firmware hacks to make dual factor auth.... but yea..... thanks...

  3. urmom · 1443 days ago

    Pretty sure the "unknown blogger" (you know very well who it was) had multiple test bikes, and knew of many other people with the bikes showing the same problem... but really, GREAT journalism here... as always.. *sigh*

    • Paul Ducklin · 1442 days ago

      Did you actually _read_ the article I linked to? Obviously not. *Sigh* :-)

      The unnamed blogger (the article just says "Posted by Nickerson") wrote that he had a single test ride from a single dealership, and that it was the dealer who told him that the bikes arrived from the factory with the ignition PIN set. He didn't have "multiple test rides" and he didn't know of "many other people with... he same problem".

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog