Ducati Diavel – power, speed, looks, and a vulnerability lesson for Friday afternoon

Naked Security reader Sean, who has an eye (and an ear and a nose) for wacky security holes – especially those which make for amusing reading on a Friday afternoon – recently pointed me at a vulnerability disclosure headlined Ducati Diavel Motorcycle Default Ignition Password.

The vulnerability disclosure, which appeared back in April, was based on a story published by a security blogger who was recounting his recent test ride of the nutty-but-you-know-you-secretly-want-one Ducati Diavel motorcycle.

The Diavel is, by Ducati standards, something of a lump, tipping the scales at 210kg. The top-of-the-range Ducati sports racer, the 1198SP, is just 168kg.

But the Diavel is only 8bhp and 3Nm shy of the superbike in power and torque, pumping out a handy 162bhp and 128Nm. That is, in a word or so, quite a lot.

Enough, if Ducati is to be believed, to get you and the Diavel’s lardy 210kg up to a metric ton (100km/hr, aka 62mph) in just 2.6 seconds. You’d need a Bugatti Veyron to do better than that on four street-legal wheels.

The bad news, according to the unnamed blogger, is that the Diavel has a digital ignition switch with a PIN that is the same as the last four digits of the bike’s VIN (Vehicle Identification Number).

Since the VIN is indelibly – and visibly, and by law – engraved into the bike’s frame, this vulnerability is easily abused. Stop to admire the bike’s curves. Read off the PIN from the VIN. Start her up.

And there you have it: a drive-away exploit!

Except that the story appears to be a load of old rope. According to Martin Rees, the Managing Director of Ducati Glasgow, this is a simple case of drawing a conclusion from a study with an insufficient sample size.

The bike lent to the unnamed blogger happened to have its digital ignition enabled, and had a PIN that had been set by the dealer to match the VIN.

That says nothing about all the other Diavels in the world – and, apparently, Ducati did the right thing from a computer security perspective: the Diavel’s digital ignition system is off by default, and doesn’t have a default PIN in any case.

The moral of the story is simple: don’t make inferences from a sample size of one.

Oh, and perhaps the unnamed dealer in the unnamed blogger’s story should take some advice on how to choose a proper password 🙂
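As an added illustration of what such advice might look like in practice (this is example code, not anything from Ducati or the original post), the check below flags a digital-ignition PIN that can be read off the frame: it rejects the last four VIN digits, and generalises to any four-digit run anywhere in the VIN plus the usual trivial patterns. The VIN used is a constructed placeholder, not a real one.

```python
import re

PIN_LEN = 4

def vin_digit_windows(vin: str, n: int = PIN_LEN) -> set:
    """Every run of n consecutive digits in the VIN (letters break a run).

    The VIN is engraved on the frame, so any of these is public knowledge.
    """
    return {
        run[i:i + n]
        for run in re.findall(r"\d+", vin)
        for i in range(len(run) - n + 1)
    }

def pin_weaknesses(pin: str, vin: str) -> list:
    """Return the reasons a proposed ignition PIN is a poor choice for this bike.

    An empty list means no weakness was found. Intended as a provisioning
    check a dealer (or an owner) runs before enabling the digital ignition.
    """
    if not (pin.isdigit() and len(pin) == PIN_LEN):
        return ["pin must be exactly %d digits" % PIN_LEN]
    reasons = []
    if pin == vin[-PIN_LEN:]:
        reasons.append("pin equals last %d digits of VIN" % PIN_LEN)
    elif pin in vin_digit_windows(vin):
        reasons.append("pin appears as a digit run inside the VIN")
    if len(set(pin)) == 1:
        reasons.append("all digits identical")
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):
        reasons.append("ascending or descending sequence")
    return reasons

# Constructed 17-character VIN for the example; not a real Ducati VIN.
EXAMPLE_VIN = "ZDMTEST0000001234"

if __name__ == "__main__":
    for candidate in ("1234", "0000", "7391"):
        print(candidate, pin_weaknesses(candidate, EXAMPLE_VIN) or "ok")
```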