BMWs and other high-end cars are being stolen by unskilled criminals using a $30 tool developed by hackers to pwn the onboard security systems. The new tool is capable of reprogramming a blank key, and allows non-techie car thieves to steal a vehicle within two or three minutes or less.
On-board diagnostics (OBD) bypass tools are being shipped from China and Eastern Europe in kit form with instructions and blank keys, says a news report linking the release of the tool to a spike in car thefts in Australia, Europe and elsewhere during 2012. Would-be car thieves need to grab the transmission between a valid key fob and a car before reprogramming a blank key, which can then be used to either open the car or start it, via the OBD system.
"Crooks only need to monitor a person using the key or interrogate the key fob to get enough information to decipher the key," explained Professor David Stupples, of the centre for cyber security sciences, at London's City University.
Weak cryptography combined with a security-through-obscurity approach in the OBD specification allows the tactic to succeed.
Other shortcomings of the OBD specification were detailed by Rob Van den Brink in a presentation (PDF) delivered at at SANS Technology Institute security conference earlier this year. Potential problems involving attacks on the OBD system of cars were first discovered by academics from the University of Washington and University of California-San Diego two years ago (PowerPoint slides here).
Police in the UK have also begun warning about the approach, which was highlighted by a recent BBC Watchdog investigation.
In response, BMW told the BBC that the carjacker/hacker technique was developed after its cars were designed and was limited to "older" BMW models – those built before September 2011. "Certain criminal threats, like the one you have highlighted, simply do not exist when cars are designed and developed. This does not mean the car companies have done anything wrong, neither are they legally obliged to take any action," it said.
The German car giant added that the issue was not limited to BMW, and promised to help mitigate the attack, in a statement published last Wednesday.
BMW prides itself on its vehicle security systems and all BMWs meet all UK and global security standards. Our engineers and technicians review all aspects of our vehicles constantly, including security systems.
After extensive research we are clear that none of our latest models - new 1 Series Hatch, 3 Series, 5 Series, 6 Series and 7 Series - nor any other BMW built after September 2011 can be stolen using this method. However, as a responsible manufacturer we are looking at ways of mitigating against this new kind of attack.
We are now in the process of offering, to any concerned customers of targeted models, extra technical measures which will mean that their car cannot be taken using the equipment highlighted in these stories, although of course there is no such thing as an unstealable car.
The OBD pwn method of car theft has been documented over recent months by the Daily Mail and car enthusiast blog Pistonheads, both focusing on the CCTV footage depicting the theft of Steve Wood's BMW 1M coupe from outside his home in Sutton Coldfields, in the West Midlands, as well as a steady stream of reports from much further afield, including a spate of thefts in Queensland, Australia.
A post on Pistonheads suggests that devices similar to those used in BMWs are also available for Opel, Renault, Mercedes, Volkswagen and Toyota cars. The relative exposure of the various car models from these manufacturers to theft via the technique remains unclear.
A spokesman for the Society of Motor Manufacturers and Traders, the UK trade association, said it was aware of the issue but wasn't able to say how many other manufacturers were involved. "BMW [is] updating its systems and it could well be that other manufactures will do something similar," he said, adding that although SMMT was working with UK police forces on the issue it didn't have any information to hand on the scale of the problem.
Extreme Tech notes that basic OBD readers from the likes of CarMD, Innova, or Actron are readily available and are normally used for legitimate purposes. One significant issue in creating the problem in the first place is that OBD data needs to be open so that third-party garages, and not just a closed shop of authorised BMW merchants, for example, can diagnose a faulty spark plug.
Our man at SMMT confirmed that OBD systems need to accessible and programmable to allow access to third parties because of EU rules designed to allow open competition in the car trade. ®
Thanks to Australian Reg reader Ivan J for his pointers to many articles on this prevalent and disturbing crime.