BMWs: Gone in 60 keystrokes
Nick Barron, security consultant
The vulnerability of BMWs to ‘no key’ theft is a case study in what happens if the lessons of IT security are ignored.
Recently, the BBC's Watchdog reported on a worrying new trend for BMW owners. A spate of thefts, where the supposedly immobilised vehicles were stolen without access to the keys, led to an investigation.
It turned out that equipment was readily available to create new immobiliser keys, requiring only brief access to the car's interior. Many insurance companies had refused to pay out on claims, insisting that the keys must have been left in the car.
But it transpired that the keys could be initialised with just the vehicle ID number, which is available from the on-board diagnostics system (OBD), and a box of electronics. This alone is somewhat foolish, as OBD interfaces must be accessible to third-party garages to allow servicing and repair. To add insult to injury, the OBD port on many early vehicles was in a blind spot for the alarm's sensors, so thieves could smash the window, connect the necessary box of tricks, make a key on the spot and drive off. This issue was first reported way back in 2006, but seems to have only taken off recently.
In other variations of the attack, a frequency jammer is used to stop the remote control from locking the doors, so the unsuspecting owner leaves the car unlocked, allowing the thief access to the OBD port. Reports online suggest the programming devices are available for $30. Most sources list them for more than that, but if you're in the market for stealing £40,000 cars, the price is unlikely to be an obstacle.
BMW's official response is what we have come to expect, playing down the issue and failing to mention anything remiss with the design. However, it should be noted that other manufacturers are likely to have similar vulnerabilities.
Part of the problem is that under US and EU legislation, vehicle makers are obliged to provide access to their diagnostics systems to any legitimate business, and this includes the facilities to reprogram keys (which is perfectly reasonable, as it ensures competition and reduces the cost to the consumer). However, the legislation does not, as some have suggested, require that programming keys be quite so simple. So while it's true, as BMW asserts, that there is no such thing as an unstealable car, you would expect a car costing twice the average annual salary to put up more of a fight.
It's not clear from the EU legislation whether or not the process for creating duplicate keys is in scope. I did enquire with Thatcham, which sets UK industry standards for anti-theft devices, but it failed to respond. So while there are detailed standards for how immobilisers are built and installed, the all-important key generation process seems less well documented.
Interestingly, the root cause of this issue is the use of a ‘soft secret’ – the vehicle's ID number – as the prime material for the immobiliser, coupled with the apparent assumption that access to the car's interior is only possible by the legitimate owner.
Similar problems affect many data loss prevention systems, which rely on the USB device ID to white- or blacklist devices. This is hardly foolproof, and at this year's 44Con, Philip Polstra demonstrated a device that would happily fake the device ID to, for example, pretend to be a whitelisted IronKey when in fact it was a plain USB memory stick.
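The two cases above are the same design mistake: authority is granted to whoever can present an identifier that is readable by anyone with physical access (the VIN over OBD, the device ID over USB enumeration). The following model, added here as an illustration and not code from the column, from BMW, or from any DLP vendor, contrasts that with a design where provisioning requires a random secret the identifier does not reveal, checked by challenge-response. The VIN, the USB device ID, the `Issuer` class and the `respond` helper are all constructed for the example; no real vehicle or device protocol is modelled.

```python
"""
'Soft secret' access control versus secret-bearing challenge-response.

Added illustration only. Identifiers and names below are constructed and
do not reflect any manufacturer's or vendor's actual scheme.
"""
import hashlib
import hmac
import secrets

# Constructed sample identifiers (not real vehicle or device data).
VIN = "EXAMPLEVIN0000001"                            # readable by anyone with OBD access
USB_DEVICE_ID = "vid=1234:pid=5678:serial=DEMO0001"  # readable by anyone who plugs the stick in


# --- Weak design: authority derives entirely from a public identifier --------

def weak_key_from_identifier(identifier: str) -> bytes:
    """Key material derived only from a public identifier.

    Anyone who can read the identifier can recompute the same key, so
    possession of the identifier is possession of the key: there is no
    secret in the system at all."""
    return hashlib.sha256(identifier.encode()).digest()[:16]


def weak_is_allowed(reported_id: str, whitelist: set[str]) -> bool:
    """DLP-style check keyed on the device ID the device itself reports.

    The check cannot distinguish a genuine device from anything that reports
    the same string, because the string is the only evidence it asks for."""
    return reported_id in whitelist


# --- Hardened design: authority requires a secret the identifier never reveals ---

class Issuer:
    """Holds per-entity random secrets (a manufacturer back end for key fobs,
    or a DLP server for hardware tokens). Hypothetical component."""

    def __init__(self) -> None:
        self._secrets: dict[str, bytes] = {}

    def enrol(self, identifier: str) -> bytes:
        """Generate a random secret, unrelated to the identifier, and return it
        for one-time provisioning into the fob or token."""
        secret = secrets.token_bytes(32)
        self._secrets[identifier] = secret
        return secret

    def challenge(self) -> bytes:
        """Fresh nonce per authorisation attempt, so responses cannot be replayed."""
        return secrets.token_bytes(16)

    def verify(self, identifier: str, challenge: bytes, response: bytes) -> bool:
        """Accept only a response computed with the enrolled secret."""
        secret = self._secrets.get(identifier)
        if secret is None:
            return False
        expected = hmac.new(secret, identifier.encode() + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def respond(identifier: str, secret: bytes, challenge: bytes) -> bytes:
    """What the fob/token computes: an HMAC binding identifier and nonce under its secret."""
    return hmac.new(secret, identifier.encode() + challenge, hashlib.sha256).digest()


def demo() -> tuple[bool, bool, bool]:
    """Returns (genuine accepted, identifier-only attempt rejected, replay rejected)."""
    issuer = Issuer()
    fob_secret = issuer.enrol(VIN)

    c1 = issuer.challenge()
    genuine_response = respond(VIN, fob_secret, c1)
    genuine_ok = issuer.verify(VIN, c1, genuine_response)

    # A party that knows only the public identifier has nothing to derive a
    # secret from; the best it can do is the weak scheme's VIN-derived value.
    identifier_only_ok = issuer.verify(VIN, c1, respond(VIN, weak_key_from_identifier(VIN), c1))

    # A recorded genuine response is useless against a fresh challenge.
    c2 = issuer.challenge()
    replay_ok = issuer.verify(VIN, c2, genuine_response)

    return genuine_ok, identifier_only_ok, replay_ok


if __name__ == "__main__":
    print("weak key recomputable from VIN alone:",
          weak_key_from_identifier(VIN) == weak_key_from_identifier("EXAMPLEVIN0000001"))
    print("weak whitelist passes any device reporting the listed ID:",
          weak_is_allowed(USB_DEVICE_ID, {USB_DEVICE_ID}))
    print("hardened (genuine, identifier-only, replay):", demo())
```

The point of the model is the asymmetry in `verify`: the identifier still names which secret to look up, but it no longer carries any authority on its own, so reading it from the OBD port or from a USB descriptor gains nothing. Least privilege then follows naturally, because key programming can be limited to parties the issuer has actually enrolled.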
More worrying is the push towards wireless access to car systems, and ‘integrated’ vehicle systems where, for example, the car radio is linked to the engine management network. The assumption that only legitimate users could have access, and therefore hook up to the OBD, is mad.
Successfully exploiting car security systems can result in an immediate and high-value payoff, and it seems likely that they will continue to be the target of sustained attack. With this in mind, leaving least privilege at the door and ignoring the lessons learned in the wider computer security arena is incredibly foolish.