According to PistonHeads, this isn't limited to BMWs alone:
A quick internet trawl reveals it's not just BMWs that are vulnerable. Devices similar to that used on BMWs are also available for Opel, Renault, Mercedes, Volkswagen, Toyota and Petrol-engined Porsche Cayennes.
The reason this form of theft is currently so rife - and admittedly this issue is not limited to BMWs - is that European competition rules require diagnostic and security reprogramming devices to be available to non-franchised garages. As we understand it, this effectively means that car companies cannot restrict access to or use of OBD ports.
It isn't solved for computer networks; this is exactly the same as the current debate about secure boot. Secure boot is an open standard, but we've not agreed about who can hold the keys: http://www.fsf.org/campaigns/secure-boot-vs-restricted-boot
Here, the EU has effectively said that someone with physical access to the car can generate their own keys (since anyone can pretend to be a mechanic, and all mechanics are allowed to generate keys), and the car manufacturers are saying that they should have the root keys, so that only approved dealers can create new ones. Much like Microsoft saying to ARM tablet manufacturers that they have to allow only Microsoft's keys in ARM tablets, blocking end users from installing their self-signed OS.
tl;dr: the problem is not protocols, it is key management.
It isn't solved for computer networks; this is exactly the same as the current debate about secure boot.
I would disagree. To me this sounds like a perfect scenario for asymmetric encryption, which would solve this in a secure fashion.
Obviously someone should have a secure repository for official keys issued, so that duplicates can be made, upon request, upon owners' authorization. It might be bothersome and cumbersome, but the point is it should be a possible process, even for third party mechanical shops.
And for me the car-manufacturer sounds like a natural holder of this repo.
On the other hand, if you have access to the car and the key, it should be open enough to allow you to (re-)program it with your own keys if you like.
As far as I can see, that should satisfy everyone involved, while maintaining a secure architecture.
this sounds like a perfect scenario for asymmetric encryption
I suspect that they are already using asymmetric encryption, with some sort of mechanism to allow third party mechanics (and thieves pretending to be mechanics) to sign new fobs.
the point is it should be a possible process, even for third party mechanical shops.
Yes, agreed. The issue seems to be how much faith you put in the manufacturers to play ball. If they have to incur a cost to manage keys, that might lead to legislation around putting limits on the amount they can charge for access. It seems like a rabbit hole full of problems to leave them in charge. What happens when someone who has lost the keys to their second hand car goes to a third party mechanic to unlock the computer in their car built by a manufacturer who has gone out of business?
it should be open enough to allow you to (re-)program it with your own keys
With this strategy, the solution to the above question is to hope that the user added their own key/certificate to the car in advance. I suspect that the people who would do that would intersect strongly with those who are meticulous about keeping a spare key in a secure place anyway, so it would only help a minority of people.
Some of the other ideas, like time locks or falling back to a physical key to create new fobs, sound like they may do a better job of ensuring user freedom. Those solutions might apply to secure boot too, but it still seems unsolved in practice.
There is a difference, which is that a car is a physical thing.
Imagine that we had the current process, except that every time a key got reprogrammed, a record was made of which mechanic's key was used, and we had a mechanism to revoke particular issued keys.
This will not stop my car from being stolen. But we can identify which mechanic's key was used to do it, and I'm able to brick that car remotely.
You've just increased the cost of stealing a car this way, and reduced the cost of having it stolen. That may well be enough to convince thieves to move on to an easier type of target.
>Somehow that is a solved problem with internet and all other open security architecture. Why isn't it solved on these cars?
>I'm sure some engineers objected that "this is fundamentally insecure!" but got turned down from someone doing the budgets.
You're missing a couple of key points here:
1) This is not a network attack, so the internet is largely irrelevant.
2) This is similar to having an attacker sit down at the physical computer they're attacking (a much harder problem).
3) Legislation in Europe forces car manufacturers to use an insecure design.
Anti-competition legislation in Europe dictates that the manufacturer cannot stand in the way of the transfer of secret keys. This means that the entire security communication must occur between the on-board computer and the OBD-II tool. Other than a physical lockout on the OBD-II port, I can't think of a good defense against this attack.
In the US, many car manufacturers take a different approach. The security key is provided by the manufacturer, not the on-board computer, so you can't simply walk up and re-program a key. I don't know if this is true of all manufacturers though.
What's wrong with a simple "Okay sir, before you can drive away with your new car you need to pick a password. And before anybody can service the car they'll need your password, so please don't forget it, but if you do you can always provide proof of ownership to your nearest dealer and they'll help you reset your password."? That way non-franchise garages can still do repairs, as well.
That's a great idea, but IANAL, so I can't say if it passes muster for EU anti-anti-competition laws. I'm going to go out on a limb and venture two guesses:
1) Any mechanism that requires manufacturer intervention is going to draw the eye of these legislators, which would likely mean some means of resetting that password for third-parties, which significantly diminishes the security utility.
2) If you've ever worked with consumers and "passwords", you know that they don't remember them. I think this bolsters support for regulations that require the reset procedure to be accessible by third-parties.
They'd have to provide the 'password restore' functionality to non-franchise garages as well, I guess. Otherwise they could do this except without the password: 'Okay sir, here's your key. Anybody can service the car, but they'll need the key. If you lose it, provide proof of ownership to the nearest dealer and they'll make you a new one'.
> Other than a physical lockout on the OBD-II port, I can't think of a good defense against this attack.
Make the key changing process VERY slow, as in 24h+.
If you really really lost your key you wouldn't mind leaving the car 24h at a mechanic but a thief would have a much harder time hiding a car that long. At least compared to 2mins at a dark parking lot.
> In the US, many car manufacturers take a different approach. The security key is provided by the manufacturer, not the on-board computer, so you can't simply walk up and re-program a key.
And the consequence is that a replacement key costs $150. No joke.
1) This is not a network attack, so the internet is largely irrelevant.
Security protocols that can be used on two points on the Internet can also be used between two pieces of hardware, like a programmer/diagnostic tool and an embedded computer.
I don't disagree with that, but it's still irrelevant in the context of this particular attack, because there's no man-in-the-middle component required. Yes, you must secure the transport, and the same applies for even basic serial communications, but that's not what's happening here at all. This is an exploit of the implementation constraints at a legislative level.
Engineers look at this problem and see the engineering problem, but it's cynical (albeit warranted) to believe that the engineers at BMW didn't see the same problems. I bet they are well aware of this vulnerability, but they're unable to do anything about it.
There's a valuable lesson to be learned. It ties in to the old adage: be careful what you wish for, you might just get it. There's a lot of rumbling about new privacy legislation in the US, but the entire concept makes me really nervous. What are the chances that legislators understand the internet well enough to craft effective legislation? Not good, I'm afraid.
> I don't disagree with that, but it's still irrelevant in the context of this particular attack, because there's no man-in-the-middle component required.
Non-sequitur. If you can interpose the man in the middle, then most protocols are broken.
> What are the chances that legislators understand the internet well enough to craft effective legislation? Not good, I'm afraid.
From what I've seen, the average level of security knowledge in the startup community is woefully inadequate -- with almost everybody believing they are above average.
> Non-sequitur. If you can interpose the man in the middle, then most protocols are broken.
It does follow. There is no basis for the belief that the transport channel isn't secure! For all we know, it's well-encrypted.
Yes, MITM is a concern with all communications that are intended to be secure. Granted. Established. Not an argument. But, it's not relevant to this attack.
Even using the best crypto available won't save you if the client barfs the security keys to unauthenticated clients upon request. The challenges here are in the authentication and authorization layer, not the transport layer. But there are non-technical constraints at play.
Backing up a bit, this even better illustrates the root of the problem. The way the law is written, you can never build a secure system, because the law mandates that the computer in your car trust all clients. Any system that does not secure the channel between an identified client and server is not secure. Hence, when all clients are permitted, the system is not secure by specification.
No, you just get the dealer to plug something into the (possibly proprietary) port that's used by the alarm system.
The assumption that this kind of thing needs to be done via the OBD-II port is wacky from the get-go. It may have been easier for some lazy system integrators at BMW to do it that way, but it certainly wasn't necessary, or apparently advisable.
I'm not seeing how that will deter thieves. Instead of plugging into the OBD port they will just plug into the alarm system's port. Even if it's proprietary, they'll employ/bribe/coerce an official technician to figure out whatever Rube Goldberg sequence of events is required to re-enable the vehicle.
Presumably there would be more opportunities for secure handshaking with a proprietary port. It doesn't need to involve security by obscurity -- it just needs not to be barkingly stupid.
The best practices in auto security are probably reflected by whatever the leading Japanese brands are doing these days. Traditionally Hondas have been the biggest theft targets, but a glance at the list of most-stolen cars in America ( http://editorial.autos.msn.com/article.aspx?cp-documentid=43... ) suggests that they've more or less solved the problem, as of the mid-1990s. I seriously doubt there's that much need for further innovation.
Yes, secure handshaking via PKI is a well known and already solved problem. However, as mentioned in the post you originally replied to: "Anti-competition legislation in Europe dictates that the manufacturer cannot stand in the way of the transfer of secret keys." Keys, here, referring to the private half of a public/private keypair.
This means that a manufacturer can't be the exclusive source of resetting a key much in the same way that Verisign isn't the exclusive source of SSL certificates. Due to the anti-competition legislation, you should be able to take your vehicle to any local garage and have it fully serviced whether for a tune-up or to get a key reset. And if a local garage can be employed to reset your key because they have access to the private key required to sign the key request, thieves can do it just as easily.
Are you speaking from knowledge of the anti-competition legislation, or just from the summaries we've seen upthread? It strikes me that we're taking a car blog's throwaway description of the law as a presumed engineering constraint.
Every reputable website with details beyond the "scary, scary news" headlines has made mention of the legal aspect. There's a lot of information in this thread over at Bimmerpost.com as well:
Somehow that is a solved problem with internet and all other open security architecture.
Just to play devil's advocate, I'm not sure that's entirely true; would you say that every computer user on the entire planet is 100% secured? The vast malware landscape would very much disagree.
I think that it is harder with cars, if only because they have to have an open gate to the heart of their system. Plug in, turn on laptop, access! Apparently that's enshrined in both EU and US law, so not very easy to overcome in the near future.
I do agree with the heart of your message though: this is the year 2012, and whilst as a non-security bod it's easy for me to say, these things really shouldn't be happening.
This is where it gets dangerous. We've swapped physical keys for electronic keys, but we've mandated that the root electronic keys get kept in the car.
Everyone wants the keys to be kept outside the car.
The future of personal freedom will be decided based on whether our fix is to give the keys to the car owner to keep in their home, so that they can unlock their car if they lose their fob (or allow a mechanic of their choosing to generate a new fob), or whether to give the keys to the car manufacturers, so that only approved dealers (and criminals who hack into the dealers' electronic networks) will be able to generate new fobs.
I remember the good old days, where my key opened the doors of my friend's car and his key could not open mine, yet it would start my car.
Where my Aunt drove her car to the mall, locked the doors, and when she came out could get in as she had the keys to her husband's car.
Needless to say, in both cases they were the same brand, within a year or so. You did not even need to have the same major brand (Ford/Mercury were interchangeable).
Kids these days have it easy, cannot wait for the smart phone app for stealing a ride.
My roommate and I both have Toyota trucks. Mine is much more than a decade old, his is almost two decades old, and as a consequence there are parts that are starting to wear down. Like the ignition switch.
There have been many times I've called him up (or vice versa) and said "can you bring my truck to me?" Even though the keys are not compatible, that doesn't matter anymore. His could probably be started with a popsicle stick. Mine can be started with something slightly resembling a Toyota key. The only reason they haven't been stolen is a combination of the fact that they're not worth any money, they have nothing of value inside them, and they're manual transmission (so chances are a US thief wouldn't be able to get away in it).
Thievery comes in many forms. The ones who steal cars that aren't worth anything on the black market aren't really going to be the smartest or most well-connected. Street punks really, and in the US manual transmissions are incredibly uncommon. A hoodlum will only know how to drive stick if he/she has had access to one and someone to teach them. While manuals are more common on cheap cars and street thieves are more likely to drive cheap cars, they're still quite rare.
Basically, if you're a smart thief and you can't drive stick, you have something wrong with you. But then again, if you're smart and also a thief, there's something wrong with you. If you're smart and also a thief and also stealing a rusty, beat up, 5-speed, early-90's Japanese truck, you obviously want it more than I do. I could just buy another one for <$1000.
Wake me up when it lets me drive the car from the smartphone, James Bond-style (IIRC the Bond car that supported this was a BMW, so not entirely off-topic).
The keys are generally just passive RFID chips so it's more like an authorized_keys file.
The problem here isn't that there's no physical key, those are usually laughably easy to circumvent. I think the real trick here is the physical attack they used to break into the vehicle and gain access to the OBD port without setting the alarm off.
There's a number of cheap and obvious tricks BMW could have used to make the RFID portion of this attack a lot harder, including making the OBD port more difficult to actually get at without actually sitting in the car, and not letting the new key start the car for some reasonably long period of time.
If the alarm system is ultrasonic, I can envision breaking into the car by blasting several watts of power at the same frequency at the car. Loss of receiver dynamic range due to gain compression or transducer saturation == loss of ability to detect changes in the phase of the transmitted signal consistent with someone opening a door and climbing in.
What in the world was wrong with plain old car keys -- especially with an added RFID security chip in the key handle or fob?
Regular car keys are a pain in a lot of ways, and not all that secure, either.
To really do this correctly, you need to have cryptographic challenges between a key and an ECU, and to prevent the ECU from just getting swapped, you probably want to have several processors in various parts of the car, such that replacing them all quickly is too hard. Then you still have the problem of someone driving the car into a faraday cage and driving off to attack at his leisure, but that's hard to defend against (there, you probably have a continuous heartbeat signal and respond on loss of the signal, or just pay someone with a gun to guard your car...)
You should be able to put vehicle ignition control and access control logic inside a tamper-responding processor and secure it, even with all communications over an open bus. If you were going to be super paranoid, your vehicle would have vehicle-specific timing information built into the engine which was difficult to deduce from analyzing it after removing the ECU, so just swapping in a "skeleton key" ECU wouldn't work. No one is likely to do that for a car, but it is basically how the Permissive Action Links on nuclear weapons work (variable length wires for the explosive lenses on the primary; if you don't have the exact timing information to set them off at the right time, the weapon will be subcritical.)
> To really do this correctly, you need to have cryptographic challenges between a key and an ECU,
Nonsense. The problem isn't cloning the key, the problem is that you are reprogramming the lock to accept this new key you happen to have with you. No amount of crypto is going to save you when your verifier is full of holes.
You can't even use signing to only accept approved programming devices since OBD regulations enforce its openness.
> all communications over an open bus
Now this is an interesting point. The bus that the OBD is connected to controls a whole bunch of devices all over the car. It's possible that no access to the inside of the car was required to execute this attack. Looking at the video it doesn't seem like they really stoop inside the car to grab anything actually so perhaps there's a way to get at the CAN bus via the presumably electronic wing-mirror?
1) The cryptographic challenges are a necessary but not sufficient part of building a secure car access control system. All the active components in a car are horrible from a security perspective, usually huge libraries from third-party manufacturers, and all kind of duct-taped together. So bad that a malformed audio CD in the entertainment system could actually totally pwn the car, including driving controls.
2) There are wireless extensions to OBD-II to run tire pressure monitors. You can do a no-touch OBD-II hack. Presented at USENIX last year.
Tesla is really the only manufacturer who is likely to do better, since they build a lot of stuff in-house vs. buying badly documented components. I would love to audit the Model S (especially if in doing so I got an earlier delivery position).
> You can't even use signing to only accept approved programming devices since OBD regulations enforce its openness.
I think you could get openness with signing. You have a central, non-profit authority that blesses, records, and publishes all signings in real time. When a car turns up missing, you see if anybody re-keyed it and the police have a discussion with them. You could recoup expenses with a modest charge per re-key.
You might be over-thinking this. It's possible to disable the factory alarm motion sensor by double-pressing the lock button on the key fob. This is a feature for people (like me) who take their car on ferries, and who don't enjoy listening to a cacophony of car alarms while on the ferry (I appear to be in a minority here, if recent trips were anything to go by).
Apparently a fair few owners don't know this feature exists (didn't read the manual/didn't have a manual) and were in the habit of "checking it was locked".
So, if you can't remember if you locked a BMW, UNLOCK it first, then LOCK it. Locking twice disables the alarm.
Agreed. I'm going to guess when I hit the lock button a second time, and all the lights in the car went on, that was supposed to indicate the alarm was now off? As opposed to indicating the car was indeed locked?
If the alarm is armed shouldn't it be triggered if something connects to the OBD port? Not actually prevent the port functioning just trigger the alarm.
Alas, BMW buyers often cannot opt out of keyless entry, because for some models BMW includes it in popular bundled packages, such that it's impossible for the consumer to avoid buying it without losing other worthwhile features.
This consumer-unfriendly bundling results in BMW buyers often facing what can only be described as ridiculous choices ("which one do I want: a rear-view camera that reduces the risk of accident, OR non-keyless entry that reduces the risk of theft?").
illamint: the feature is sold as "comfort access keyless entry," and it allows the driver to start the engine without inserting the electronic key. (Without this feature, the default setup for BMWs is that the driver must insert the electronic key before starting the engine -- a form of two-step authentication that isn't susceptible to the attack described in the article.)
FWIW, I know about this firsthand because I bought a new BMW last year and I was adamant about not having the "keyless entry" feature -- for security reasons. The BMW salesperson acted like I was a bit crazy.
Having the comfort access feature, and having a car stolen many years ago, there's no way I would trade one of my most enjoyed features for a lower risk of car theft.
The reality is that if someone wants your car they're going to get it.
Why get rid of an awesome convenience feature for the risk of something that is a) unlikely and b) won't cost you anything (absent a small deductible) if it does happen?
Isn't the solution here that only BMW authorized devices should be able to connect to the OBD? Or is that already the case? I guess it just takes one unscrupulous dealer to upload their certificate.
OBD-II is legally required (in the US) to be open to consumers. The idea being that you can get diagnostics about your vehicle without being extorted by the dealer. (Originally for environmental data about emissions, but later expanded.)
Attackers might work for a dealer or otherwise fully decode the system. The only way to build a system like this securely is to have securely-held keys (cryptographic, not physical; physical locks are all easy to break), and ideally published and reviewed code for the security system, same as any other security system.
(I've actually thought about building a secure ignition system for cars, mainly to solve the car bomb problem -- the car responds outside an explosive radius when interrogated to tell you no one has tampered with it since you've left it. Theft is a financial problem, but bombs (or trackers, or whatever) attached to cars is a more serious problem (for a smaller subset of people). I solved this problem by just leaving my car unlocked with a guy with an AK guarding it, though.)
Amusingly enough most of them aren't - OBD access to interesting features (as opposed to a very limited standard set) usually costs a LOT of money. $10K one-off charge plus an update subscription for example.
OBD-II has essentially failed by allowing so-called "extended" PIDs - which all manufacturers define in their own specific ways. See the Torque forum for endless threads of people wanting extended PIDs for specific models to use with the Torque OBD app.
I suspect this is one reason why good OBD scan tools cost a lot more than the parts cost of an ELM chipset and a few sockets - a trivial adapter costs £20, but a Bavarian Tech scan tool for BMW costs £200, presumably to recoup the costs of buying access to the extended PIDs.
Yes, you're right. And thinking about it, I think projectedoptics's solution is just better all-round anyway - why can you connect to the OBD at all while the alarm is armed?
OBD-II is used on loads of vehicles. If the regulation didn't mandate that this was an open protocol, in 10 years every $500 beater is going to be a write-off as soon as you lose the keys.
Well, if that means an end to keyless / smart fob systems, I'm all for it; they are nothing but trouble in my opinion. Right now, I think the OBD port should be read-only unless a registered key is present, and recoding the ECU to accept a new key should require more than just physical access.
People don't expect to be able to recode their front door to accept a new blank key - why should a car be different?
A skilled locksmith or someone with a serious interest in locks will have no problem [1] opening your front door without any damage using a lock pick tool [2]. If there's no need for said lock to survive, a selection of power tools makes it even easier.
[edit] Which is not to say that cars should be easy to pry open of course ...
[1] In most cases; high-end specialized locks can be an exception.
[2] See http://www.lockpicks.com/ for examples.
That's not the point; I don't expect to be able to walk up to your front door with a random Yale key, jam it in and out a few times and have your lock reconfigured to accept my key instead of yours. That's what's happening here - it's not as sophisticated as a lock pick attack, nor as brute force as smashing the dashboard and shorting the appropriate wires.
It's a blind spot in the system that shouldn't exist if the car was locked. The OBD port simply shouldn't be physically connected if the doors are locked. A relay on the CAN bus pins triggered from the central locking might be a start.
There's no evidence the OBD port was actually used in this attack. The programmer could have been directly connected to an easily accessible CAN connected component such as the wing mirrors.
There has been evidence in the UK that this is how the thieves are doing it (people finding their cars with the drivers window smashed and the OBD cover lying on the floor). See http://www.e90post.com/forums/showthread.php?t=670339 - at least one of the guys posted there is police.
I appreciate that you like to participate on the internet by speaking out loud and typing what you hear yourself say; once you've done that, you can go back and remove the "um" from the start.
BMW has a proprietary diagnostic system called MODIC with its own connector near the engine under the hood. That provides more utility to the service tech than the OBD port. Those devices are only available to BMW dealers.
The security loophole here seems to be that someone could extract information out of the OBD port to generate a new key. That should only be available from the factory port.
With cars and fault diagnosis increasingly computerised, car makers were in a position to encrypt or obfuscate diagnostic messages so that you could only view and reset 'check engine' codes at official dealers who had costly diagnostic equipment.
The intention of OBD-II is to keep independent mechanics in business (and hence the car repair market operating properly) by preventing car makers from doing this. Sounds like a good idea to me - dealerships are already overpriced, I can't imagine how bad it would be without independent garages exerting downward pressure on prices.
Whether this should extend as far as an open standard for bypassing the keyless ignition without first presenting a valid key is another matter.
Why don't they just build in a delay before the new key starts working? Even a few hours would be enough to prevent most thefts without being too inconvenient on the rare occasion you lose a key.
This is just poor design, even given the EU laws and requirements.
It should also activate a big red sign in the controls that means: "The new key will be usable in 3 hours"; so if you actually didn't change the keys, something is wrong.
I know the GM Passlock II system works this way - not only do you have to wait, but you have to put the car in 'run' a few times during specific times during the waiting process.
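The time-locked enrolment proposed in the comments above, combined with the earlier ideas of recording which mechanic's credential authorised each re-key and revoking it afterwards, and of a dashboard warning while a new key is pending, as a constructed Python model. This is added example code, not anything from BMW, GM or the thread; garage credentials are modelled as shared HMAC secrets as a stand-in for the public-key registry such a scheme would really use, and every VIN, fob id and secret is made up.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

DELAY_SECONDS = 24 * 60 * 60  # 24h time lock, as proposed in the thread


@dataclass
class Enrolment:
    """One recorded request to add a fob with no authorised fob present."""
    fob_id: str
    garage_id: str
    requested_at: int  # seconds since epoch, supplied by the caller's clock
    usable_at: int

    def active(self, now):
        return now >= self.usable_at


class Immobiliser:
    """Constructed model of the car-side verifier for fob enrolment."""

    def __init__(self, vin, factory_fobs, garage_registry):
        self.vin = vin
        self.factory_fobs = set(factory_fobs)
        # garage_id -> shared secret; stands in for a public-key registry
        self.garage_registry = dict(garage_registry)
        self.enrolments = []  # append-only audit record of every re-key
        self.revoked_garages = set()

    def _expected_mac(self, garage_id, fob_id, requested_at):
        msg = json.dumps([self.vin, fob_id, requested_at]).encode()
        return hmac.new(self.garage_registry[garage_id], msg, hashlib.sha256).hexdigest()

    def enrol(self, fob_id, garage_id, requested_at, mac):
        """Accept a garage-authorised enrolment; the fob only works after the delay."""
        if garage_id not in self.garage_registry or garage_id in self.revoked_garages:
            return False
        if not hmac.compare_digest(mac, self._expected_mac(garage_id, fob_id, requested_at)):
            return False
        self.enrolments.append(
            Enrolment(fob_id, garage_id, requested_at, requested_at + DELAY_SECONDS))
        return True

    def can_start(self, fob_id, now):
        """Factory fobs always work; enrolled fobs only after the lock expires."""
        if fob_id in self.factory_fobs:
            return True
        return any(e.fob_id == fob_id and e.garage_id not in self.revoked_garages
                   and e.active(now) for e in self.enrolments)

    def pending_notice(self, now):
        """Dashboard warning for enrolments that exist but are not yet usable."""
        notices = []
        for e in self.enrolments:
            if e.garage_id in self.revoked_garages or e.active(now):
                continue
            hours = (e.usable_at - now + 3599) // 3600  # round up to whole hours
            notices.append(
                f"Fob {e.fob_id} will be usable in {hours} hours (enrolled via {e.garage_id})")
        return notices

    def revoke_garage(self, garage_id):
        """Revoke a garage credential; returns the fobs it enrolled, now disabled."""
        self.revoked_garages.add(garage_id)
        return [e.fob_id for e in self.enrolments if e.garage_id == garage_id]


def garage_sign(secret, vin, fob_id, requested_at):
    """Garage side: authorise enrolling fob_id into the car identified by vin."""
    msg = json.dumps([vin, fob_id, requested_at]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def demo():
    """Walk through enrolment, the lock-out window, a bad credential and revocation."""
    registry = {"garage-A": b"constructed-secret-A", "garage-B": b"constructed-secret-B"}
    car = Immobiliser("WBA-CONSTRUCTED-VIN", factory_fobs=["fob-1"], garage_registry=registry)
    t0 = 1_000_000
    mac = garage_sign(registry["garage-A"], car.vin, "fob-2", t0)
    accepted = car.enrol("fob-2", "garage-A", t0, mac)
    two_minutes_later = car.can_start("fob-2", t0 + 120)      # still locked out
    next_day = car.can_start("fob-2", t0 + DELAY_SECONDS)     # lock expired
    notice = car.pending_notice(t0 + 3600)
    # an enrolment authorised with the wrong secret is rejected outright
    bad = car.enrol("fob-3", "garage-B", t0, garage_sign(b"wrong", car.vin, "fob-3", t0))
    revoked_fobs = car.revoke_garage("garage-A")
    after_revoke = car.can_start("fob-2", t0 + 2 * DELAY_SECONDS)
    return accepted, two_minutes_later, next_day, notice, bad, revoked_fobs, after_revoke


if __name__ == "__main__":
    print(demo())
```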
If this is because of OBD regulations, perhaps it can be changed somewhat. Give the owner a small electronic device that will be necessary to generate a new key for the car they purchased. That device can be kept separate from the car but when the key is actually lost, the owner can bring it to the mechanic and generate a new one. The thieves would need to steal the device before stealing the car, which would make their job harder (and admittedly perhaps put the owner at greater danger).
And what if the owner loses that "small electronic device", or forgets to forward it to the new owner?
The whole point of this feature is that you should be able to get the car running if you lose EVERYTHING apart from the car itself. The only way to stop it is to give the manufacturer (or other trusted third party) exclusive right to issue keys, but apparently the regulations say no to that.
Nonsense. Why not simply design it so that it's difficult and dangerous to access the "reset button" unless you're a trained mechanic with a Rotary lift? Then it's more difficult to steal than an ordinary car, and you are done.
In light of history, the answer is probably a combination of laziness, inertia, and an attempt to steer customers to authorized BMW service centers. Or perhaps the threat model includes theft by tow truck? (not kidding; perhaps this is common in some places, at least for high-end vehicles?)
Of course you can always make it safer physically, I'm talking about the cryptographic safety.
About towing, look at the video in the article posted. One guy breaks in and releases the parking brake while the other 3 push the car. Doesn't show where they push it to though.
I don't understand this. I have an older BMW which developed starting problems with the immobiliser computer. It doesn't have keyless entry but it is based on RFID.
I did extensive research on the system and there were three parts - the key, the immobiliser and the engine management computer. The key physically turned the ignition, but the security was in an RFID chip inside the key, which was physically matched to the immobiliser via an antenna ring that circles the lock. The immobiliser was physically matched to the computer via a VIN-based code. If you lost the key, you had to order a new one from Germany after producing the VIN and proof of ownership to a licensed dealer. The keys cost about $500 from memory - don't lose the key. There is an upper limit of 10 keys to be produced per vehicle, with two of those supplied upon purchase.
In order to replace the immobiliser computer, again both the VIN and proof of ownership had to be supplied to the licensed dealer, who then ordered a new one from the factory in Germany. You cannot swap any of the parts between cars - you can't reprogram keys, reprogram the immobiliser or reprogram the computer.
If you do put a new computer or immobiliser in, it had to be taken into a BMW dealership to re-sync and get all the devices to handshake each other and agree that they were all legitimate. Otherwise - no start.
I know all this because I tried to hotwire the car myself to get it working until the new computer arrived (3 week order period). While I could manually activate the fuel supply and manually activate the starter, the computer refused to tell the spark plugs to ignite and refused to tell the injectors to inject.
What I'm curious about is how have they gone backwards from this seemingly impregnable system to one where you can get the car to reprogram a key? Surely it can't all be the fault of the OBD port - I doubt there is anything in the legislation calling for the ability to reprogram keys via the vehicle itself? Or is it just the fact that someone has come up with software that replicates what the factory does?
Somehow it all seems a retrograde step. Given that the older systems worked with rfid, whether or not you put the key in seems a moot point.
Cars aren't secure. Most things aren't. The main thing that stops a theft is putting it in a place that's harder to get to (again, nothing is secure) just so that no one sees it, or has the opportunity to steal it.
I'm at a coffee shop right now, and my BMW motorcycle is parked right outside the window. Me keeping an eye on it is better security than any electronics lock system (as I know I could hotwire this bike in 30 seconds, and surely a criminal could too).
How about the following schema for adding a new key to the list of Authorized Keys when NO AUTHORIZED KEY IS PRESENT:
* the procedure requires a module produced and sold by the manufacturer(*) to any garage that can verify its identity and satisfy manufacturer's specified security requirements (e.g. owning a safe and having no history with local police);
  * each such module is unique. It contains unique public/private keys and its public key is signed by the manufacturer;
* the procedure of adding the key to the list of Authorized Keys requires the car (actually, its ECU) to only accept incoming requests signed by such modules whose public keys are signed by the manufacturer. When the key is added, the ECU stores:
  * the key info;
  * the module's unique ID (IMPORTANT);
  * timestamp + lat/long;
* if there are no old authorized keys present (very rare scenario, since most of the time the owners want to replace just one lost/stolen key, but not both), the ECU requires a 15 minute grace period with the module attached at all times, during which the car flashes its hazard lights and honks. It makes a small nuisance in the garage once in a while, but attracts enough attention in the middle of the night if somebody is stealing it.
Now, if the car is stolen and then recovered, the police would dump the list of authorization requests and identify the module used. If this module was stolen or copied, the garage who owned the module becomes responsible for the damage to the car's owner. The ID of the module is placed on the revocation list. The revocation list is broadcast via Sirius/XM/FM/BMW Assist/OnStar/Intelsat/etc.
This allows independent garages to work on the cars, but places enough responsibility on them for keeping the system secure, with the override mechanism in the form of revocation lists.
This method would NOT prevent all types of thefts (thugs can put the car on the flatbed and do the swap in the middle of the desert, or they can swap the ECU unit completely, or do some manipulations with the stolen "good" key), but it makes it significantly more difficult to authorize a new key and drive away.
(*) in case the manufacturer ceases to exist, some other company (another car manufacturer, perhaps) inherits the master key and will be responsible for authorizing garages to do key management.
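The enrolment chain proposed in the comment above, as an added Go sketch that is not part of any post here: the manufacturer certifies a module, the module signs the key-add request, and the ECU checks revocation, certification, signature and the grace period before logging module ID, timestamp and position. Type and function names (Module, ECU, AddKey, bind) are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"time"
)

// Module models the manufacturer-sold programming device (all names hypothetical):
// its own key pair plus the manufacturer's signature over its ID and public key.
type Module struct{ ID string; Pub ed25519.PublicKey; priv ed25519.PrivateKey; MfrSig []byte }

// Enrollment is what the ECU logs per accepted request: which module, when, where.
type Enrollment struct{ KeyInfo, ModuleID string; When time.Time; Lat, Lon float64 }

// ECU needs only the manufacturer's public key, a revocation list and its log.
type ECU struct{ MfrPub ed25519.PublicKey; Revoked map[string]bool; Authorized []Enrollment }

const GracePeriod = 15 * time.Minute // hazards flash and horn sounds while waiting

// bind prefixes a payload with the module ID (NUL-separated) so every signature names its module.
func bind(id string, payload []byte) []byte { return append([]byte(id+"\x00"), payload...) }

// NewModule is the manufacturer certifying a module with its master key.
func NewModule(mfrPriv ed25519.PrivateKey, id string) Module {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	return Module{ID: id, Pub: pub, priv: priv, MfrSig: ed25519.Sign(mfrPriv, bind(id, pub))}
}

// SignRequest ties the new key's info to this module's identity.
func (m Module) SignRequest(keyInfo string) []byte { return ed25519.Sign(m.priv, bind(m.ID, []byte(keyInfo))) }

// AddKey checks revocation, the module's manufacturer certificate, the request
// signature, then the grace period that applies only when no key is authorized.
func (e *ECU) AddKey(m Module, keyInfo string, sig []byte, attached time.Duration, lat, lon float64) error {
	switch {
	case e.Revoked[m.ID]:
		return errors.New("module ID is on the revocation list")
	case !ed25519.Verify(e.MfrPub, bind(m.ID, m.Pub), m.MfrSig):
		return errors.New("module not certified by manufacturer")
	case !ed25519.Verify(m.Pub, bind(m.ID, []byte(keyInfo)), sig):
		return errors.New("request not signed by the presented module")
	case len(e.Authorized) == 0 && attached < GracePeriod:
		return errors.New("no authorized key present and grace period not elapsed")
	}
	e.Authorized = append(e.Authorized, Enrollment{keyInfo, m.ID, time.Now(), lat, lon})
	return nil
}
```

Revoking a module is just `ecu.Revoked[id] = true`; a module certified by anyone other than the manufacturer fails at the second check even if it reuses a legitimate module's ID.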
> the procedure requires a module produced and sold by the manufacturer
So now the manufacturer has yet another method of extorting would-be mechanics. You'd have to regulate pricing or aggressively prosecute attempts at anticompetitive tactics.
> in case the manufacturer ceases to exist...
And who goes to jail when the company folds and, in the fire sale, the master key is on a system that gets wiped when being transferred to the new owner? Key escrow sounds like a better idea to me. Perhaps legislation should specify the creation of a public agency, or maybe we could leave it to private competition.
As for the remainder of your points, I believe you're thinking in the right direction.
When do I get encrypted Bluetooth access to my car? I'd bet if we did that, we'd get more tech security hackers involved in making things more secure.
But I guess it all boils down to a single issue: remove the physical token and it's got the same problems as attempting to secure access to your online bank account.
Right now it is not possible (that I'm aware of) to do asynchronous PKI-like encryption without the contact-type SmartCards. Meaning that all of the contactless RFID/(passive) NFC systems are vulnerable to attack and cloning.
In 3 years, do this, but with a smartphone and an active NFC app that can perform async encryption challenges. Without stealing the phone and the PIN, you can't steal the car.
http://pistonheads.com/gassing/topic.asp?h=0&f=23&t=...