BMW security flaw allows theft in 180 seconds or less

Many cars no longer require a physical key and instead rely on a wireless key fob to both unlock doors and start the engine. While this may be more convenient and rather cool, it is not as secure as having a physical key with an embedded chip. This is on full display at 1Addicts.com, a site dedicated to the BMW 1 Series. A user posted security camera footage of thieves breaking into his car, cloning the wireless fob, and driving off in only three minutes.

The car has an on-board diagnostics (OBD) port on the driver’s side that allows you to plug in a diagnostic device to obtain data about the car and its potential problems. It is also used to clone new keys if the owner loses theirs, and this is the “feature” that car thieves are exploiting. They break the glass on the driver’s side, connect a diagnostic device to the OBD port, and clone a new key onto a blank key fob. Once complete, the thieves can start the car with the press of a button, just like the owner would.

There appear to be several security flaws in the vehicle that work in concert to allow the attack. First, the car’s ultrasonic interior sensor has a “blind spot” down the column in front of the OBD port, which is why the thieves stay outside the car until they finish cloning the fob. There is also no glass-breakage sensor to lock the car down when someone breaks in. Finally, the OBD port is constantly powered, even when the ignition is off, and there is no security (password, PIN, etc.) on the port.

1Addicts.com also has video showing how quick and easy it is to clone a key fob; it is an interesting look at how simple the attack actually is. This attack can presumably be used on other vehicle makes and models as well, although BMW seems to have the biggest problem at this time, possibly because of the “blind spot” in the sensor.

Source: 1Addicts Forum


50 Comments


Meh. I added an extra shock/tamper sensor to my factory alarm in my 335; you as much as bump the car hard enough, it sets the alarm off, let alone break the glass. I'd hear my alarm going off. End of theft. Not to mention I've also got LoJack installed. I pay less for insurance in my 335 than I did driving my Honda Prelude.

I remember an article a few years ago about reliability, and most of these expensive types of cars were at the top of the list. A quick Google search shows I'm correct.

"They break the glass on the driver's side"

If you don't have an alarm with glass break sensors in your 1M; you're doing it wrong.

alinz said,
"They break the glass on the driver's side"

If you don't have an alarm with glass break sensors in your 1M; you're doing it wrong.

Pretty sure that's what people are saying to BMW, with the factory-fitted alarm systems being the cause of the security flaw. You would expect the OEM alarm to at least cover the basics, right?

I bet BMW, Mercedes, Ford, Chrysler and all mfg's of autos that have the "no key" or key fob to start their cars just pat themselves on the back with all of this "high tech", but, should be hiring 15-30 year old HACKERS. Why? Because most people who OBEY the law have the "I never would have thought of that" attitude towards criminal behavior. Criminals have nothing to do 24/7 but think of ways to take something that does not rightfully belong to them. Personally, if I had a car that expensive, I would live some place where you can park it inside, barring that, after I found where the port was, I would find some way to secure it with a lock box, or some way to disable it until it is needed.

citan said,
Doesn't Audi or Mercedes open the same way?

It's possible that a similar attack would work against other cars -- but the double whammy here is that the ultrasonic security sensor in the car doesn't sense when someone reaches in the car near the OBD port... If it did, then this attack would be much less of an issue. Why not put that port in the middle of the car somewhere?

Breach said,
That's why I pay insurance.

It's now why you will be paying a higher insurance premium. Even if you don't own a BMW, if cars are stolen in your area, your premium will increase based on your postcode/geographical location...

But yes, this is one of the reasons we pay insurance.

So where can one buy one of those tools? I'm assuming it isn't 'custom' firmware on one of the commercial readers.

Dashel said,
So where can one buy one of those tools? I'm assuming it isn't 'custom' firmware on one of the commercial readers.

One of the posters on the thread said that you can buy it for 8000 Euros...

Dashel said,
So where can one buy one of those tools? I'm assuming it isn't 'custom' firmware on one of the commercial readers.

You can buy it straight from their site. Unless you have a legitimate use for this tool, or are looking to make some serious cash, you have a high bar for entry. It's a good $9k for the device.

Glad I have a 328ci...Although I am strongly considering a 1 series, the new 3 series are too big to be fun

The 1 is a fantastic car, the 3s are just so bloated now. Sadly there are far too few 1's sold in the US to become a big target. :\ I've only seen a couple 135's and a single 1M near me. Most are the chicky 128 verts.

Dashel said,
The 1 is a fantastic car, the 3s are just so bloated now. Sadly there are far too few 1's sold in the US to become a big target. :\ I've only seen a couple 135's and a single 1M near me. Most are the chicky 128 verts.

There's a few 1's in my city, not nearly as many as the 3's though... yeah, really don't like the direction BMW is going with the 3 series... way too bloated... I would love to get a 1M or 135... Still love me 328 though, I'll never drive another brand of car.

remixedcat said,
some ppl have referred to BMW as Broke My Wallet or Blown My Wallet or Brutal Money Waster

Others refer to it as "Best Made Wheels".

andrewbares said,

Meh, my Mazda RX8 out-performs a BMW on a track
Maybe a specific BMW like the 328i but I seriously doubt it outperforms a M5

zhiVago said,
Any signal sent by a remote-controlled key can be intercepted and hacked/cloned.

not if there is good encryption/authentication involved.

kInG aLeXo said,

not if there is good encryption/authentication involved.

Ever seen wireless WPA2 hacking? Thought not.
ANY wireless signal can be hacked.

zhiVago said,
Any signal sent by a remote-controlled key can be intercepted and hacked/cloned.

Not so easy if the system is properly designed. Imagine, when you press a button on a remote control, it sends a signal to the car requesting to unlock. The car then sends back a random number to the remote control. Inside the remote control it has a secret key (that's also known to the car's system), and the remote control encrypts the random number it received with the secret key and sends it to the car. The car then can decrypt it and check if the random number is the same... if it is, the car will be reasonably sure that the remote control knows the secret key, and unlock the car/start the engine accordingly.

All this is done without the secret key ever being revealed in the radio signal. And intercepting the signal and repeating it later won't work, as the car can simply be designed to reject any signal that does not decrypt to a random number sent out, say, in the past 100ms. As long as the encryption scheme is decent it would be very difficult to derive the secret key from the radio signals.

Cars already use this. I'm not sure if any car manufacturer mentions it, but NXP produces remote keyless entry products that use challenge-response (see http://www.nxp.com/products/au...izers/remote_keyless_entry/). If it was so easy to intercept and clone the signal from a remote, no one would bother to smash the glass as mentioned in the article to program a new key fob. It is precisely that the secret key is not easily sent over the air that the thieves need to smash the glass to access the OBD port, from which I assume the secret key is accessible.

Just of note, this does not apply to equipment like your TV and stereo remote - those don't (usually) do two-way communication. And it's not really a security risk to "clone" a TV remote anyway, so manufacturers don't bother as it adds cost.

Edited by Kai Y, Jul 8 2012, 5:14pm :
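The challenge-response exchange Kai Y describes above, written out as an added illustration (this is not code from the original post, from NXP, or from any car maker). The car issues a random challenge, the fob answers with a keyed MAC over it (HMAC-SHA256 here stands in for the "encrypt the random number with the secret key" step; the structure of the exchange is the same), and the car accepts only a correct, single-use answer that arrives inside the 100 ms window the comment mentions. The shared key, the fake clock and the window constant are constructed for the demo; a real fob would keep the key in a secure element.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret shared by car and fob at pairing time (not a real key).
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

# Freshness window from the comment: a response to an older challenge is rejected.
CHALLENGE_WINDOW_S = 0.100


class FakeClock:
    """Deterministic clock so the stale-challenge case can be shown offline."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class KeyFob:
    """Holds the shared secret and answers challenges; the key never leaves the fob."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        # Keyed MAC over the challenge stands in for "encrypt the random number".
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Car:
    """Issues fresh random challenges and verifies single-use, time-bounded responses."""

    def __init__(self, key: bytes, now):
        self._key = key
        self._now = now
        self._outstanding = {}  # challenge -> time it was issued

    def issue_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)  # 128-bit random challenge, unpredictable to a sniffer
        self._outstanding[nonce] = self._now()
        return nonce

    def verify(self, challenge: bytes, response: bytes) -> bool:
        # pop() makes every challenge single-use: a replayed response finds nothing to match.
        issued = self._outstanding.pop(challenge, None)
        if issued is None:
            return False
        if self._now() - issued > CHALLENGE_WINDOW_S:
            return False  # stale: answered outside the window
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def unlock_attempt(car: Car, fob: KeyFob) -> bool:
    """One full exchange: car -> challenge, fob -> response, car verifies."""
    challenge = car.issue_challenge()
    return car.verify(challenge, fob.respond(challenge))


def demo() -> dict:
    clock = FakeClock()
    car = Car(SHARED_KEY, now=clock.now)
    genuine = KeyFob(SHARED_KEY)
    cloned = KeyFob(bytes(16))  # a fob that copied the radio traffic but not the key

    results = {}
    results["genuine"] = unlock_attempt(car, genuine)
    results["wrong_key"] = unlock_attempt(car, cloned)

    # Replay: capture a valid challenge/response pair, then resend it.
    challenge = car.issue_challenge()
    response = genuine.respond(challenge)
    results["first_use"] = car.verify(challenge, response)
    results["replay"] = car.verify(challenge, response)

    # Stale: the fob answers correctly, but 500 ms after the challenge was issued.
    challenge = car.issue_challenge()
    clock.advance(0.5)
    results["stale"] = car.verify(challenge, genuine.respond(challenge))

    # What a radio sniffer sees is only (challenge, response); the key is never in it.
    results["key_on_air"] = SHARED_KEY in (challenge + response)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>11}: {outcome}")
```

Running `demo()` shows the genuine fob accepted and the wrong-key, replayed and stale attempts rejected, with the key absent from everything that went over the air. Note what this does and does not cover: it protects the radio link, which is exactly why the thieves in the article bypass it and go to the OBD port, the path through which a new key is provisioned.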

Kai Y said,

Not so easy if the system is properly designed. Imagine, when you press a button on a remote control, it sends a signal to the car requesting to unlock. The car then sends back a random number to the remote control. Inside the remote control it has a secret key (that's also known to the car's system), and the remote control encrypts the random number it received with the secret key and sends it to the car. The car then can decrypt it and check if the random number is the same... if it is, the car will be reasonably sure that the remote control knows the secret key, and unlock the car/start the engine accordingly.

All this is done without the secret key ever being revealed in the radio signal. And intercepting the signal and repeating it later won't work, as the car can simply be designed to reject any signal that does not decrypt to a random number sent out, say, in the past 100ms. As long as the encryption scheme is decent it would be very difficult to derive the secret key from the radio signals.

Cars already use this. I'm not sure if any car manufacturer mentions it, but NXP produces remote keyless entry products that use challenge-response (see http://www.nxp.com/products/au...izers/remote_keyless_entry/). If it was so easy to intercept and clone the signal from a remote, no one would bother to smash the glass as mentioned in the article to program a new key fob. It is precisely that the secret key is not easily sent over the air that the thieves need to smash the glass to access the OBD port, from which I assume the secret key is accessible.

Just of note, this does not apply to equipment like your TV and stereo remote - those don't (usually) do two-way communication. And it's not really a security risk to "clone" a TV remote anyway, so manufacturers don't bother as it adds cost.

You are basically talking about transmitting crypto hashes. You would be very surprised how easy it is to either get the key, reverse the key, or never need to know it in the first place in systems such as you describe. In almost every wireless scenario, the key is eventually revealed if enough samples are logged and a few encryption short-cuts are used to narrow down the possibilities, like maybe skipping a keycheck or rebooting with live RAM that's ready to execute an overflow... there's hundreds of ways, but granted they are very intrinsic. You can't just plug in a device and hit buttons.

I would be VERY surprised if car security was developed around this limited logic. I mean if some jerk tried to unsuccessfully steal your car, and you went back to it - it may not start for 15 or 25 minutes. With most automotive it's just looking for the handshake - you can likely keep trying forever and the car will not get mad.

BMW I know are the most expensive cars to own, considering how often they break down and their general upkeep cost compared to competitors. I was unaware of these electronic problems that can be fixed about 4 different ways that BMW is just being ignorant about... Keeps the business up! BMW is now added to that list of companies to avoid.

srbeen said,

You are basically talking about transmitting crypto hashes. You would be very surprised how easy it is to either get the key, reverse the key, or never need to know it in the first place in systems such as you describe. In almost every wireless scenario, the key is eventually revealed if enough samples are logged and a few encryption short-cuts are used to narrow down the possibilities, like maybe skipping a keycheck or rebooting with live RAM that's ready to execute an overflow... there's hundreds of ways, but granted they are very intrinsic. You can't just plug in a device and hit buttons.

I would be VERY surprised if car security was developed around this limited logic. I mean if some jerk tried to unsuccessfully steal your car, and you went back to it - it may not start for 15 or 25 minutes. With most automotive it's just looking for the handshake - you can likely keep trying forever and the car will not get mad.

BMW I know are the most expensive cars to own, considering how often they break down and their general upkeep cost compared to competitors. I was unaware of these electronic problems that can be fixed about 4 different ways that BMW is just being ignorant about... Keeps the business up! BMW is now added to that list of companies to avoid.

Lol BMW break down? Have you ever owned this car?

citan said,

Lol BMW break down? Have you ever owned this car?

It's a pretty well known fact that BMWs are expensive to maintain. Parts are a LOT more than other cars, due to the premium nature. Reliability is NOT as good as Toyota/Honda. When you buy a BMW, you better buy it new or get the extended used warranty.

n_K said,

Ever seen wireless WPA2 hacking? Thought not.
ANY wireless signal can be hacked.

It's a question of money and resources available.

My point is that any auto alarm system can be remotely deactivated. The devices cost $25,000-$50,000. Yes, they do break encrypted codes, be it a BMW or a Benz or whatever have you.

zhiVago said,

It's a question of money and resources available.

My point is that any auto alarm system can be remotely deactivated. The devices cost $25,000-$50,000. Yes, they do break encrypted codes, be it a BMW or a Benz or whatever have you.

Link? Have any info on this device? I believe such a device can and does exist but I've never heard or seen them commercially available for purchase, even at the exorbitant prices you've mentioned.

Tim Dawg said,
Link? Have any info on this device? I believe such a device can and does exist but I've never heard or seen them commercially available for purchase, even at the exorbitant prices you've mentioned.

can't link black market stuff, sorry ))

This is an EU FLAW not a BMW flaw. This doesn't work on BMW cars in the USA, because in the USA we did require them to un-crypt the system for 'fairness' allowing this gaping hole. If you read all the tech details it can happen with almost any car that uses a keyfob, but BMW are the current targets in London at this time.

thejohnnyq said,
This is an EU FLAW not a BMW flaw. This doesn't work on BMW cars in the USA, because in the USA we did require them to un-crypt the system for 'fairness' allowing this gaping hole. If you read all the tech details it can happen with almost any car that uses a keyfob, but BMW are the current targets in London at this time.

I feel sorry for the BMW owners, but at least they won't be cutting people up on the roads anymore

sagum said,

I feel sorry for the BMW owners, but at least they won't be cutting people up on the roads anymore

I feel sorry for people in the EU that are dealing with this.

Without them wanting you to know, the motor manufacturers have been making easy ways for their cars to be stolen for years. That is the way they get additional sales, on the back of your sky-high insurance premium. Ford did the same with many cars in the old days. On the fuse box was a space without a fuse, which when you put a fuse in it powered the ignition, bypassing the vehicle's built-in security system. Why was it there? So that they could up their sales through theft; there is no other reason. We unsuspecting car buyers should wake up. The only worthwhile security is a home-made or after-market system. I have my own immobilization system, a hidden bonnet catch (standard disconnected) with a GSM unit to report to my cell, as well as my own alarm system with multiple sensors and 360-degree passive on the roof lining.

Biff50 said,
Without them wanting you to know, the motor manufacturers have been making easy ways for their cars to be stolen for years. That is the way they get additional sales, on the back of your sky-high insurance premium. Ford did the same with many cars in the old days. On the fuse box was a space without a fuse, which when you put a fuse in it powered the ignition, bypassing the vehicle's built-in security system. Why was it there? So that they could up their sales through theft; there is no other reason. We unsuspecting car buyers should wake up. The only worthwhile security is a home-made or after-market system. I have my own immobilization system, a hidden bonnet catch (standard disconnected) with a GSM unit to report to my cell, as well as my own alarm system with multiple sensors and 360-degree passive on the roof lining.

That sounds a bit overkill, I hope you are driving around in a $50k+ car with all security. And I highly doubt car companies produce cars that are easy to steal, that's just dumb.

Biff50 said,
Without them wanting you to know, the motor manufacturers have been making easy ways for their cars to be stolen for years. That is the way they get additional sales, on the back of your sky-high insurance premium. Ford did the same with many cars in the old days. On the fuse box was a space without a fuse, which when you put a fuse in it powered the ignition, bypassing the vehicle's built-in security system. Why was it there? So that they could up their sales through theft; there is no other reason. We unsuspecting car buyers should wake up. The only worthwhile security is a home-made or after-market system. I have my own immobilization system, a hidden bonnet catch (standard disconnected) with a GSM unit to report to my cell, as well as my own alarm system with multiple sensors and 360-degree passive on the roof lining.

That's quite the conspiracy theory. I can imagine that if another portion of the system dies, then the extra fuse would be a convenient way for mechanics to test the engine.

I would bet that flaws such as that, and this BMW one, come from a poorly thought-through design by the car's engineers. The same happens in video games: people don't (didn't?) always think, "how is a cheater going to abuse this?" They just made things that were good fun for the normal user. It is a bit perplexing that they chose to leave the OBD port active when the car is not active, but I suppose that would help in a situation where the starter was dead; still, my mother's 3-series BMW from a year or two ago has a keyfob that you actually insert into the dash, so I do wonder why they don't make that a requirement for powering the OBD, except too much convenience.

jerzdawg said,

That sounds a bit overkill, I hope you are driving around in a $50k+ car with all security. And I highly doubt car companies produce cars that are easy to steal, that's just dumb.

Why wouldn't they? Maybe they comply with standards, but making cars hard to steal is not in their best interest.

Gee, I wonder how this was discovered... disgruntled repair tech, I'm guessing. Wonder if they'll patch it or tell them they're parking it wrong :-P

WP7 said,
That's crap from BMW, would've expected better.

Why would you have better expectations from BMW than any other car maker?

_dandy_ said,

Why would you have better expectations from BMW than any other car maker?

Because you pay $72,000+ dollars for one?

_dandy_ said,

Why would you have better expectations from BMW than any other car maker?

Because they make excellent cars..... IMO way better than Mercedes for example.

Fritzly said,

Because they make excellent cars..... IMO way better than Mercedes for example.

I'll take your excellent car in 180 seconds. How excellent will it be then?

De.Bug said,

I'll take your excellent car in 180 seconds. How excellent will it be then?

Still excellent..... if I can afford a BMW I can also afford an excellent insurance policy.
Besides I never cared for the keyless option so... you are welcome to come and try.......
Seriously speaking do you really think that there is anything unbreakable? Even banks vaults can be accessed....... by the right people.

De.Bug said,

I'll take your excellent car in 180 seconds. How excellent will it be then?
That makes it a stolen excellent car.