Schneier on Security
A blog covering security and security technology.
July 13, 2012
Hacking BMW's Remote Keyless Entry System
It turns out to be surprisingly easy:
The owner, who posted the video at 1addicts.com, suspects the thieves broke the glass to access the BMW's on-board diagnostics port (OBD) in the footwell of the car, then used a special device to obtain the car's unique key fob digital ID and reprogram a blank key fob to start the car. It took less than 3 minutes to accomplish the feat. (That said, despite their sophistication, the thieves were, comically, unable to thwart the surveillance cameras, though they tried.)
Jalopnik reports that BMW thieves are likely exploiting a gap in the car's internal ultrasonic sensor system to avoid tripping its alarm when they access the car.
But there's another security flaw in play. The OBD system doesn't require a password to access it and program a key fob. According to Jalopnik, this is a requirement in Europe so that non-franchised mechanics and garages can read the car's digital diagnostic data.
More details here.
Posted on July 13, 2012 at 6:51 AM
You're using a weird definition of "surprising". The next time someone points out a consumer-grade product that can't be hacked within twenty minutes using 90s-level computing power will be the first.
A lack of a password for 3rd-party access is deeper - it means that a roadside repairman can unlock people's cars if they lose a key, etc. (i.e. if you have keyless entry and have a wallet stolen).
Big issue appears to be the "hole" in the ultrasonic coverage. But I've got to say the whole keyless thing sounds great, but not my idea of secure. There are attacks which allow a repeater to effectively make the car and key appear closer so a key in someone's pocket might unlock a car a distance away.
I can't think of a way of securing a keyless system properly.
Blame it on Europe... nah, not really...
The claim that Europe's law makers require the OBU to allow key reprogramming is of course nonsense; they require unencumbered access to diagnostic data so that any car shop can repair your car. No one requires BMW to omit a re-keying protection. And take a look at the systems for car-sharing (built by BMW...) that know better.
Auto insurance > Auto security systems
Autos are some of the most complicated computer systems in the world. IIRC the Volt has over 100 CPUs. How does it make sense to leave the OBD system wide open?
Does the EU require an open backdoor on all PCs to allow non-franchised geeks to be able to perform maintenance?
There's no reason an owner couldn't provide an authorized mechanic with their temp password to perform the required work.
If attack modeling techniques had been used by expert analysts, then BMW could predict a sequence of attack like that & improve security/countermeasures.
Disclaimer: I've written code to do this sort of thing for automotive manufacturing plants.
For the keyless entry case, you actually re-program the car to recognize the unique characteristics of the FOB. The OBD port is read/write, you can change aspects of the car via it.
I was not aware that they had begun allowing keyless-starting via FOBs until just now, but I guarantee you that there is no semblance of security on the OBD port whatsoever. The whole thing is designed to be a) standardized and b) open.
I understand (and believe that) OBD should be accessible openly. The question is why all the information necessary to program the fob would be there.
Now they apparently use a not correctly monitored spot to break the glass and access the OBD connector. I wonder if this is probably only working on right-hand-driven models, as on the other side a similar weak spot might not exist. (And the OBD connector will be at the side where the steering wheel is)
Of course I meant models where the driver is on the right side, like in UK where apparently this type of theft is on the rise.
The thieves didn't start the car, see time mark 2:00 - 2:10. They pushed it out using a 4 legged human engine.
So in my opinion there is no evidence for programming a key on site.
The manufacturer doesn't have to set up the car with no password - they could give the owner the password so they can let garages access it.
No, no, no - very sorry about the harm caused by these thefts but do not attempt to position this as a reason to reestablish the stealership monopoly on OBD info.
Ford is using a proprietary challenge-response ("incode-outcode") algorithm to protect access to security features through the OBDII connector in their vehicles. Judging by the number of code-calculation services that show up in Google, the algorithm is already broken, but initially this was available to Ford only. How does that apply to the regulations mentioned?
Actually, I just remembered that Ford was using another protection in an early version of their immobilizer system ("PATS"), which was quite clever. To access security features the software also needed to request them, but then there was about a 30 min delay before any security operations could be performed. Sure, this is not perfectly secure, but this would discourage most thieves from performing such attacks.
I'll take exception to the claim that the thieves "comically" couldn't disable the security cameras. That looks more like anxiety to me with four of them hanging around rather than any serious attempt.
With the clothing and masks they have on the footage is useless for identifying them. They really had no need to disable the cameras directly.
The question this video raised in my mind: where can four people run around in outfits like that and not raise any suspicion. Was there no security guard? Seems to me that one is asking a great deal of the car's security system when the car is sitting there like a wounded duck.
The next version of OBD shall be wireless (for whatever reason; it is a puzzle to me)... I'm looking forward to manipulated car electronics where the attackers do not even have to touch the car.
I worked at a dealership when they introduced PATS; if I remember correctly, management added an additional 30 minutes labour on every car equipped with it, on the off chance.
I wouldn't wear an outfit like that in Florida
Obviously, that attack does not use a standard method for enrolling a new key (nobody would design such a system without authentication) but it exploits a weakness in the system.
I'm quite sure that this weakness was fixed already and what the cars need is a SW update.
This attack vector has been used for years in Sweden to steal premium SUVs like the Porsche Cayenne, BMW X5/X6, Audi Q7 and VW's Touareg. Lexus RX series are on the list of hacked and stolen vehicles as well.
The X5 can be stolen and driven away in under 30 seconds police say.
There are already a number of Bluetooth solutions to interface with the OBD. I think this could potentially be a secure choice if built into a car. The range is going to be short, pairing could be limited to when the vehicle is on (accessory position) and allowed to pair, and the pairing code could actually be a random value that is not 1234.
Of course what I would like to see is actual error messages instead of codes. For instance, when a light is out or the oil is low, I see a message telling me this. When a vacuum tube is loose I have to pull out my computer allow it to get the code and translate it to a secondary emission fault. I have a display on my dashboard, it could just tell me what is wrong.
Could that be a pseudonym?
- 20 minute delay in the data response for the fob UID datum
- first 5 minutes of the data response includes the car security alarm sounds
- If the car has the equivalent to OnStar, a call must be made and responded to before the fob datum is delivered
- Give the owner a hardware dongle to decrypt the OBD data
You're using a weird spelling of surprisingly.
@ Onno Kreuzinger:
“The claim that europe's law makers require the OBU to allow Key reprogramming is of course nonsense; they require unencumbered access to diagnostic data so that any car-shop can repair your car, no one requires BMW to omit a re-keying protection.”
Actually, they do. I'm no expert on EU laws, but the guys over at Pistonhead seem to think that as part of that “repair” rule, EU law requires that any independent, unregistered garage must be able to replace a lost key without requiring access to either secret information nor even special tools. They even (apparently) restrict where the OBD port can be placed, to make sure it is quick and easy to find.
Under those conditions it is obviously impossible to completely prevent a thief from making a working key fob. All you can do is exploit the environmental differences between the two scenarios to make things more difficult for the thief. For example, on some models the alarm sounds if the OBD port is accessed whilst the alarm is armed. A nuisance in a garage dealing with a defective alarm, but a major headache for a thief.
You could easily do a lot more than that. You /can't/ disable the port when the alarm is armed, otherwise it would be impossible to get diagnostics for a car with a defective alarm. However you could certainly make it much harder to access if the alarm is armed. Say, something like this:
1. When the alarm is off, you can access the port directly.
2. But if the alarm is armed, you instead need to request an override on the port. This request would cause the horn to sound several times, and then a count-down starts running, with the 4-ways periodically flashing. If during normal business hours, or if the GPS believes itself to be in your normal service agent's garage, then the count-down will be 15 minutes. Otherwise, the count-down will be one hour.
@B. D. Johnson:
“I understand (and believe that) OBD should be accessible openly. The question is why all the information necessary to program the fob would be there.”
For two reasons. Firstly, it actually works the other way around; you program the car to accept the fob. Since the OBD port apparently allows write access to all the configuration data – including the list of accepted fobs – the result follows.
Secondly is the point where EU rules come in. We can easily imagine improvements to this protocol that don't allow this. For example, you could prohibit writing key registration data to the OBD port until a secret authentication key has been provided by a special BMW key programmer. /But that is illegal./ The EU rules are intended to promote competition between garages, and part of the way they do this is to forbid any kind of proprietary restriction on car management interfaces. The basic idea is that it is mandatory that an independent, unregistered business shall be able to issue a replacement key fob. If he can't do that, then the car maker is breaking the law. If he can do that, then so can a thief.
“The thieves didn't start the car, ... no evidence for programming a key on site.”
You are mistaken. The victim's description of the attack makes it clear they started it as soon as it was on the street. They just pushed it off the driveway first to avoid waking him up, so they would have more time to get clear.
Furthermore the attack is not novel but has been occurring on this model of car for at least several months if not longer, and there is plenty of other evidence that this is how they do it. The novelty of this video is that it is the first time they have been filmed doing it. Or rather, the first time the footage has been published.
“The manufacturer ... could give the owner the password so they can let garages access it.”
Unfortunately, experience with security-coded car stereos is that most owners will write the password in the log book they keep in the glove compartment, many will forget it within a month and expect the garage to be able to look it up for them (which defeats the purpose), and the ones who /didn't/ write it in the log-book will forget to pass it along when they sell the car. This is one of the challenges of securing expensive consumer goods: making it usable by even the dumbest legitimate customer, who has years in which to screw up; and yet secure against even the smartest crook, who only needs to outwit you once.
There was no security guard, because this was the driveway of a private house in suburban London, not Johannesburg. This is described in the accompanying text, but can also be seen from the second camera footage at the end of the video. That is also the reason they pushed it off the driveway before starting; to avoid waking the occupants, who were sleeping only a few feet away.
And I believe you are quite wrong about the video footage. If you look closely, and compare the views from the two cameras, it is clear that they tried to cover over the first camera with some sort of bag, but it was semi-transparent! With the bag in place the footage just loses some colour! They clearly didn't even realise the second camera was recording them until too late; one guy notices it and is about to cover it when he is signalled that it is time to go. Furthermore, the footage could be very useful for investigators and possibly for prosecution. The guy wearing the horror mask had his face completely covered, but that won't help him much once his mates are arrested. The rest of them expose enough clear, detailed close-ups of the eyes and nose that they could be identified by someone who knows them. Maybe not good enough for a verdict, but good enough for a warrant. There is also clear, detailed colour footage of their clothing (possibly disposable), footwear (maaaybeee also disposable, but in at least one case it is a distinctive and expensive brand that is probably his own shoes) and also a nice shot of a very distinctive shoulder satchel. Finally, while the horror mask does obscure the face very effectively, it is also pretty distinctive. Certainly not enough to uniquely identify a person, but enough to make someone think “Hmm, Eddie's a bit of a geezer, and he has a mask like that”.
"I worked at a dealership when they introduced PATS; if I remember correctly, management added an additional 30 minutes labour on every car equipped with it, on the off chance."
So management was using customer ignorance to rip people off ... the 30 minute delay doesn't add any labour cost, because there is no need for the mechanic to wait while the delay is running. You trigger the countdown as soon as the car arrives on the lot, go back to whatever else you were doing, and then simply do the (2 or 3 minutes) job on that car shortly after the delay runs down.
“nobody would design such system without authentication) … I'm quite sure that this weakness was fixed already ...”
You're twice mistaken. The system is designed without authentication, and that is the issue that has been mandated by EU rules. And the problem has not yet been fixed. In fact BMW has gone into ostrich mode like Microsoft in the bad old days, even though some insurers are starting to refuse theft coverage.
“...been used for years in Sweden to steal premium ...”
Yes, the OBD vulnerability has existed for years in all modern European cars. What is a bit new here is how it interacts with the BMW's factory fitted alarm system. If you can get physical access to the OBD port, you pwn the car. Hence, access to the port must be made as difficult as possible when the car is locked, and so thieves must first defeat the car security system. However in the case of some late model BMWs the crooks have realised that the security system /does not/ protect the OBD port. So this very expensive car actually has no security at all. The convergence of these two issues results in a £40,000 car that is easier to steal than a bicycle.
You don't understand anything about facial recognition, do you. Those videos are worthless. Eyes and nose tell you nothing. How do you even know if those eyes were real. Colored contacts are cheap and easy to apply. Seeing someone's nose is meaningless by itself.
I understand people want to seem safe with a video camera but they are worthless if the person can use a disguise. Even with a perfect, clear, unmasked view of the face from a CCTV, facial recognition is still at best a 60-70% business.
Covered like that: hopeless.
@Daniel: I agree. A video camera is mostly useless as a security measure if there's nobody to actually watch the footage in real time. The value of the recorded footage for the forensic purposes is often very low.
It may not be necessary to have a human guard watching it all the time - a semi-automatic system that alerts a human when something specific but simple to algorithmically determine is detected (like human-sized moving objects) will do. More sophisticated systems that perform automated behavioural analysis are in the research and early applications already - for better or worse.
Actually, I know a great deal about it. (I've changed jobs now, but used to be a police tech.) You, on the other hand, need to get out to a few more pub quizzes! 
"Eyes and nose tell you nothing"
Sorry, but you could not be more wrong. Eyes and nose are the main features for recognition. Yes, you also get a bit of data from other features (especially mouth and chin), but the nose and eyes, in that order, are the main features for recognition.  This is true both for human observers and for algorithmic matching. Discrimination index jumps rapidly when you get both eyes and nose vs. just one of them, but then each additional feature only adds a couple of percent to the discrimination index.
In practical terms, you would not get a conviction on that alone, but it is a great aid to an investigator (narrow 1,000 suspects down to 50, say); and in court it may be valuable contributory evidence.
Even without the partial faces, the cameras have given some quite useful information: numbers of gang members, height and build for each, clothing (possibly disposed of, but that can be a clue in itself), their equipment, and fairly detailed MO. Even the direction they arrived and departed is information that is very minor in itself, but will increase the efficiency of an investigation. Without the cameras, they would have absolutely nothing and the victim just gets a report number to pass to his insurers. With the cameras, there is a much greater likelihood this one will become an active investigation.
From the point of view of the victim, the cameras have just made it much more likely that he will get a full and immediate payout from his insurers (who will want a copy of the footage and will then immediately contact BMW with some harsh words.) From the point of view of the community, the cameras mean that this issue just made the front page on the biggest on-line motoring magazine in Europe, which has just made it much more likely the BMW will now act to fix their security flaws.
I realise that people are alarmed by the potential for abusing surveillance cameras (and I am too), but when you argue against them with claims like "mostly useless", all you do is disenfranchise yourself; no-one actually involved in physical security will take you seriously.
Because they are not mostly useless. They are the most cost-effective physical security measure ever developed. That doesn't mean they are magic pixie dust you sprinkle to create security. It's certainly possible to deploy them thoughtlessly, and quite a lot of them are. But just as with crypto: the fact that you can do it wrong doesn't invalidate that it is a powerful tool to have on your belt.
1. Where "recognise the celebrities from just their eyes" is an occasional half-time game, and people get it right a lot more than 60% of the time.
2. Which is why the ridiculous old-style "stocking mask" sort-of worked. You could actually still see the offender's entire face, but the nose was squashed.
3. For the cost of a reasonable mid-range camera system with 4 hi-res colour+IR cameras and digital recording, amortised over its warranty period, you could get a physical guard on-site for about 3 - 4 minutes per week. That would be mostly useless. The camera isn't anything like as effective as a full-time guard, but only big corporations and plutocrats can afford that.
4. As in this case, where the cameras were neither hard to reach nor concealed. Yet they still worked; many a slip 'twixt the cup etc.
I'm surprised that BMW don't use a time-based mechanism to protect the vehicle.
The one I've heard about (can't remember the manufacturer) has two simple parts:
1) When you reprogram the car to recognise a new keyfob, it delays for 300 seconds before it completes programming. During that time, the new keyfob does not need to be near the car, but it doesn't work to start the car yet (only to lock and unlock the doors) - the dealer network apparently advises you to use the time to get the customer to do the paperwork and put the new fob away.
2) When you disable the alarm via OBD instead of via a keyfob, the alarm continues to run for 15 minutes, and you cannot operate any of the OBD accessible functionality while the alarm is running. This makes for a 20 minute wait if you lose your keyfobs, as you have a 15 minute wait while the recovery service switches the alarm off via OBD, and a further 5 minute wait for the new keyfob to work.
This fits the EU regulations - everyone can reprogram the car, it just takes a while - and slows down the thieves (as they have to cope with 15 minutes of alarm, and then 5 minutes standing around by a car that's not theirs).
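The two delay-based proposals in the comments (the armed-alarm override countdown that is shorter in business hours or at the owner's usual garage, and the 300-second fob hold plus 15-minute alarm run-on after an OBD disarm) can be written down as a small state machine so the timelines can be checked. The following is an added simulation, not code from the blog, from any commenter or from any manufacturer; the class and function names are invented, the delay constants are the ones quoted in the comments, and both scenario walkthroughs use constructed times.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Delays quoted in the comments: 300 s before a newly programmed fob may start
# the engine, and 15 min of continued alarm after a fob-less (OBD) disarm.
KEY_ENROLL_DELAY_S = 300
OBD_DISARM_ALARM_S = 15 * 60
# Countdowns from the "override request" proposal: 15 min in business hours or
# at the usual service garage, one hour otherwise. (Hypothetical policy.)
OVERRIDE_TRUSTED_S = 15 * 60
OVERRIDE_UNTRUSTED_S = 60 * 60


def override_countdown_seconds(business_hours: bool, at_service_garage: bool) -> int:
    """Countdown before OBD access is granted while the alarm is armed."""
    if business_hours or at_service_garage:
        return OVERRIDE_TRUSTED_S
    return OVERRIDE_UNTRUSTED_S


@dataclass
class Fob:
    fob_id: str
    start_allowed_at: float  # engine start refused before this; lock/unlock allowed


@dataclass
class CarSecurityModel:
    alarm_armed: bool = True
    alarm_sounding_until: Optional[float] = None
    fobs: Dict[str, Fob] = field(default_factory=dict)

    def fob_disarm(self, fob_id: str) -> bool:
        """Owner path: an enrolled fob disarms immediately (lock/unlock works
        even inside the fob's 300 s engine-start hold)."""
        if fob_id not in self.fobs:
            return False
        self.alarm_armed = False
        self.alarm_sounding_until = None
        return True

    def obd_disarm_request(self, now: float) -> None:
        """Fob-less disarm over OBD: the alarm keeps sounding for 15 minutes and
        every OBD function stays refused until that period has elapsed."""
        if self.alarm_armed and self.alarm_sounding_until is None:
            self.alarm_sounding_until = now + OBD_DISARM_ALARM_S

    def _obd_unlocked(self, now: float) -> bool:
        if self.alarm_sounding_until is not None:
            if now < self.alarm_sounding_until:
                return False
            # alarm period over: silence the alarm and clear the armed state
            self.alarm_sounding_until = None
            self.alarm_armed = False
        return not self.alarm_armed

    def obd_enroll_fob(self, fob_id: str, now: float) -> bool:
        """Program the car to accept a new fob. Accepted only when OBD is
        unlocked; the fob cannot start the engine for KEY_ENROLL_DELAY_S."""
        if not self._obd_unlocked(now):
            return False
        self.fobs[fob_id] = Fob(fob_id, now + KEY_ENROLL_DELAY_S)
        return True

    def can_start_engine(self, fob_id: str, now: float) -> bool:
        fob = self.fobs.get(fob_id)
        return fob is not None and now >= fob.start_allowed_at and not self.alarm_armed


def fobless_recovery_timeline() -> Dict[str, bool]:
    """Lost-keys scenario from the comment: OBD disarm at t=0, then enrollment
    and engine-start attempts at constructed times (seconds)."""
    car = CarSecurityModel(alarm_armed=True)
    car.obd_disarm_request(now=0)
    return {
        "enroll_at_0": car.obd_enroll_fob("new-fob", now=0),       # alarm running
        "enroll_at_900": car.obd_enroll_fob("new-fob", now=900),   # alarm over
        "start_at_900": car.can_start_engine("new-fob", now=900),  # 300 s hold
        "start_at_1200": car.can_start_engine("new-fob", now=1200),  # 20 min total
    }


def owner_with_fob_timeline() -> Dict[str, bool]:
    """Owner adds a spare fob after disarming with an enrolled one."""
    car = CarSecurityModel(alarm_armed=True, fobs={"owner-fob": Fob("owner-fob", 0)})
    car.fob_disarm("owner-fob")
    return {
        "enroll": car.obd_enroll_fob("spare-fob", now=0),
        "start_at_299": car.can_start_engine("spare-fob", now=299),
        "start_at_300": car.can_start_engine("spare-fob", now=300),
    }


if __name__ == "__main__":
    print(fobless_recovery_timeline())
    print(owner_with_fob_timeline())
```

The point of the model is that neither path is closed to an independent garage, which is what the EU-rules discussion above turns on: every operation eventually succeeds through the OBD port, but without an enrolled fob the earliest engine start is 20 minutes after the first OBD request, with the alarm sounding for the first 15 of them.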
BMW could give a S/W update that causes a delay of 30 mins, which may slightly increase the service cost but is quite trivial compared to losing your car. All the other arguments about EU regs and losing your key are irrelevant. Question is, do BMW really care, and should we then, when we need to replace our cars, consider a BMW!! I will only use BMW for service, and the car belongs to me, not the EU.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.