"Two Stage" BMW Theft Attempt

Modern cars have alarm systems that automatically connect to a remote call center. This makes cars harder to steal, since tripping the alarm causes a quick response. This article describes a theft attempt that tried to neutralize that security system. In the first attack, the thieves just disabled the alarm system and then left. If the owner had not immediately repaired the car, the thieves would have returned the next night and -- no longer working under time pressure -- stolen the car.

Posted on August 21, 2018 at 5:58 AM • 32 Comments

Comments

Name (required) • August 21, 2018 6:35 AM

This only works as long as law enforcement doesn't know about the trick.
If the trick is known, it's super dangerous for the thieves, because they need to return to a crime scene where police will be waiting for them.

Clive Robinson • August 21, 2018 7:56 AM

This two stage attack is not new as such.

Back in the early 1990s when the memory or CPU in a PC was near on a week's wages certain types of burglars were a little smarter than average.

They worked out ways to set off an office alarm system without leaving any real traces.

They would do this at random points of time until the key holder got fed up and did not reset the alarm. At which point in the burglars would go and strip the PCs of CPUs and memory chips.

I heard from someone who was working in a UK Government Dept on the Help Desk side about one set of burglars who had some "brass ones". The office did not have an alarm because a guard did rounds every hour or so and went and checked every room. The burglars went from room to room opening PCs taking the CPUs and memory, then putting the PC back together again. Over a weekend they stole just over six hundred sets of chips. The first anybody knew about it was the deluge of help desk calls on Monday morning... But the help desk staff could not help as they had no computers to log calls into and find the location of staff etc... A somewhat embarrassing mess for all concerned, but it was the poor security guard who copped the worst of it as they had not spotted any sign of the burglars who left no fingerprints or other traces of themselves. Apparently the police originally thought it was either the security guards or that they were in on it, even though they were not. From what was later said it was a gang who used people doing cleaning jobs who got the gang the required details.

Erik • August 21, 2018 8:09 AM

This sounds very much like a higher-stakes version of some common car thievery that's been going on for years:

Step one: Steal the battery from a car.
Step two: Owner replaces battery.
Step three: Steal the brand new battery.

Martin Diehl • August 21, 2018 8:35 AM

"Step one: Steal the battery from a car.
Step two: Owner replaces battery.
Step three: Steal the brand new battery."

LOL!

There was a story I heard ...

The car was parked at the curb and the owner was installing a new battery ...

Another guy drove by, stopped and said, "You can take the battery ... I'll take the radiator"

wumpus • August 21, 2018 8:50 AM

@name (required)

I suspect most car thefts in the US happen in precincts where the cops could care less about grand theft auto. How many hours do you want to stake out a car, anyway? Would you be willing to hire an off duty cop to stake out your car?

@Erik

Sounds mythical to me. Perhaps a used battery simply won't clean up as nicely as a brand new one, but I can't imagine that a fence will pay differently from one battery to the next. Also batteries are *heavy* and not a great target to steal, let alone from a person who has so recently had a battery lifted.

PS. Suggest alternate title: "Gone in 24 hours"

TimH • August 21, 2018 9:00 AM

@Erik:
Step one: Steal the battery from a car.
Step two: Owner replaces battery.
Step three: Steal the brand new battery.
Step four: Reinstall the original battery.

Peter Galbavy • August 21, 2018 9:27 AM

I am told, luckily not being a victim, that there is a similar two-stage scheme for bicycles secured to public bike-parking or lampposts. Prospective thief chains their (cheap, probably also stolen) bike to the location *through* the intended victim's bike.

Original owner returns and notices this, gets annoyed but thinks it's a genuine mistake and finds another way home hoping the problem is rectified by the next day. Overnight or over the weekend the thief returns with better equipment and less crowds and removes all locks, chains and off with the bike.

wumpus • August 21, 2018 11:41 AM

The only takeaway is a similar issue to TSA security theater: there is apparently zero risk at hammering the "security" until you succeed. You'd think there would be enhanced vigilance after the first step, but criminals will quickly learn if there isn't. I'd really have to wonder about most of these tales, as mentioned I felt the battery one was pretty unlikely.

The other point is that while you may get away with jacking a BMW "twice" 9-10 times in a row, in the US there is a significant chance that the owner will be camped out with an AR-15 just waiting for you. In most jurisdictions this will be against the law, but often both prosecutors and juries won't be interested in enforcing it in many places it is (although race of shooter and thief certainly influence this).

The cops probably don't care. Don't be so sure about the owners.

@Peter Galbavey

Sounds like it might happen in Denmark (where bicycle theft is a national sport), but would be too much effort in the US or UK. It also seems to assume that expensive bicycles get left chained to things, while in the US expensive bicycles tend to be used exclusively for either road training or mountain biking (I've heard this is the case for the UK as well): I'm not sure how easy it is to find one of them chained to anything. Once you stole it, presumably you have to know enough to strip the thing down, part it out, and price accordingly in the right locations (presumably trivial for bicyclists, and likely suddenly down on their luck because these are not cheap hobbies. Anybody else would probably start their career as a thief elsewhere).

The easier to locate bikes are probably couriers and DUI types missing licenses, both riding cheap single speed bikes (you'd steal these as the "lock to the target bike", but they might be locked even better). If you want a cheap kid's bike, try driving around the suburbs and looking at front lawns: they tend to be strewn over the front lawn of whichever house "everybody" is at. No locks at all.

andrew duane • August 21, 2018 12:56 PM

I don't get something here. Once the alarm has been disabled, there is no more time pressure. You can leisurely work on stealing the car right now. Why take the risk of leaving, then coming back some other day when the owner might have already repaired the alarm and/or be waiting for you with an unpleasant surprise?

BTW, this technique won't work on my BMW. I have implemented Bruce's top suggestion for home security: I have a dog :-)

thoromyr • August 21, 2018 1:28 PM

once the alarm is disabled you... leave, because the police are on their way. That's why you come back later.

As others have noted, in essence this is an old technique. In this case you disable an alarm, wait for excitement to abate, then commit the crime. In a related technique you trigger alarms until the police no longer care. In a third, you trigger the alarm in one place and commit the crime in another.

Case 1: An ATM makes an attractive target because it has unboobytrapped cash. But they are tough and heavy, making them hard nuts to crack. Some time ago (I forget how many years) there was a spate of ATM robberies around St. Louis where the criminals cut the alarm for the ATM, but at a distance from it. Naturally this engendered a response from law enforcement, but on inspection they could find nothing wrong -- no evidence of tampering. A service call would be put in, but before then the criminals would return and make off with the ATM entire and crack it at their leisure.

It was a reasonably good plan, but with one glaring flaw: it required law enforcement to not understand there was an imminent robbery. The first few times they got away clean, but they didn't know when to quit and were apprehended.

Case 2: Rural law enforcement really don't like to be called out to the rich retiree's home away from home. Being rural no neighbors are all that close and it doesn't take much triggering until law enforcement simply ignores alarms. This is definitely successful (in terms of commission of the crime itself) but requires continued activity in the targeted area which can end up being a problem.

Case 3: Some enterprising criminals decided that the best way to cover up their jewelry heist was to dynamite a bank. With explosives obtained from a construction job they blew the bank and the jewelry store. Unfortunately for them the bank distraction was not effective (there was more than one patrol in town) and even worse it automatically involved the FBI and raised the stakes for the crime. And all explosives are tagged. Case open, closed, go straight to jail, do not pass go.

Source: I used to work for an alarm monitoring company.
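The first two patterns in the comment above, seen from the monitoring side. This is an added example, not part of the original comment or of any alarm vendor's software; it flags sites left unprotected after an unexplained outage (Case 1) and sites accumulating unexplained alarms (Case 2). The site names, event kinds and thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, site, kind). Site names and event
# kinds are hypothetical, not any monitoring vendor's codes.
SAMPLE_EVENTS = [
    ("2018-08-01T02:10", "atm-17", "alarm_no_cause"),
    ("2018-08-01T02:11", "atm-17", "link_down"),
    ("2018-08-02T14:00", "shop-2", "link_down"),
    ("2018-08-02T14:20", "shop-2", "link_restored"),
    ("2018-08-03T01:00", "cabin-4", "alarm_no_cause"),
    ("2018-08-05T01:30", "cabin-4", "alarm_no_cause"),
    ("2018-08-08T00:45", "cabin-4", "alarm_no_cause"),
]


def parse_events(events):
    """Return events as (datetime, site, kind) tuples in time order."""
    return sorted((datetime.fromisoformat(ts), site, kind)
                  for ts, site, kind in events)


def unprotected_sites(events, now):
    """Case 1: sites whose alarm link is down and not yet restored at `now`.

    Returns {site: how long it has been unprotected}. This is the window a
    two-stage thief waits for, so it should drive an urgent repair or a
    watch on the site rather than a routine service call.
    """
    down_since = {}
    for when, site, kind in parse_events(events):
        if when > now:
            break
        if kind == "link_down":
            down_since.setdefault(site, when)  # keep the earliest outage
        elif kind == "link_restored":
            down_since.pop(site, None)
    return {site: now - since for site, since in down_since.items()}


def fatigue_sites(events, threshold=3, window=timedelta(days=7)):
    """Case 2: sites with `threshold` or more unexplained alarms in `window`.

    Returns {site: largest count seen in any sliding window}. A rising count
    is a reason to keep responding, not to start ignoring the site.
    """
    by_site = defaultdict(list)
    for when, site, kind in parse_events(events):
        if kind == "alarm_no_cause":
            by_site[site].append(when)
    flagged = {}
    for site, times in by_site.items():
        start = best = 0
        for end, when in enumerate(times):
            # Slide the window start forward until it spans at most `window`.
            while when - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[site] = best
    return flagged


if __name__ == "__main__":
    now = datetime(2018, 8, 9)
    for site, age in unprotected_sites(SAMPLE_EVENTS, now).items():
        print(f"{site}: alarm link down for {age}, escalate the repair")
    for site, count in fatigue_sites(SAMPLE_EVENTS).items():
        print(f"{site}: {count} unexplained alarms in a week, keep responding")
```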

Thunderbird • August 21, 2018 2:20 PM

"The other point is that while you may get away with jacking a BMW "twice" 9-10 times in a row, in the US there is a significant chance that the owner will be camped out with an AR-15 just waiting for you. In most jurisdictions this will be against the law, but often both prosecutors and juries won't be interested in enforcing it in many places it is (although race of shooter and thief certainly influence this)."

I doubt there are many (any?) BMW owners in the US who are willing to murder someone to save the deductible on their insurance.

This seems like a pretty clever scheme. The failure mode of repeating until the police know what's going on can be overcome by moving from city to city, and perhaps by altering the timing--no reason you can't wait a month to hit the car again--by then any watchers will have given up.

Please • August 21, 2018 3:23 PM

@Wumpus

Police respond to thefts constantly. Expensive bikes chained up are stolen constantly, everywhere.
No offense but your several assumptions of doubt don't seem to be founded on anything real.

"On average, over 188,500 bicycle thefts are reported stolen each year in the United States, a statistic that in itself is staggering when one also considers the number of bicycle thefts that go unreported."

Jesse Thompson • August 21, 2018 4:03 PM

So if the alarm just "calls" for help, what about just jamming RF at the car while you steal it?

If alarm's going to keep trying to call, then just keep jamming RF while traveling out of town into the boonies somewhere and take the time there to disable the alarm and then finally stop jamming and start traveling to somewhere new to lose the trail of anyone who might have started to notice or triangulate the jamming signal.

Ultimately I'm quite frequently surprised how few people use RF jamming to get things done. *shrugs?*

Anon Y. Mouse • August 21, 2018 6:39 PM

@wumpus
Car batteries are indeed a desirable target for theft, as I discovered decades ago when I was driving older cars without hood latches and parked in the wrong neighborhoods. They are quick and easy to steal, even if they're only worth a few dollars.

All bicycles weigh fifty pounds.

A twenty-pound bicycle needs a thirty-pound chain and lock.
A thirty-pound bicycle needs a twenty-pound chain and lock.
A fifty-pound bicycle needs no chain or lock.

Grand Theft Auto • August 21, 2018 9:07 PM

"Modern cars have alarm systems that automatically connect to a remote call center."

Our "privacy" ends the moment we get behind the wheel or strap on a seatbelt.

"This makes cars harder to steal, since tripping the alarm causes a quick response."

Harder to steal? Yeah. The thieves have plan A and plan B etc., so we're just trying to slow them down a little. If it were so easy to steal cars, everybody would do it, now, wouldn't they?

"If the owner had not immediately repaired the car, the thieves would have returned the next night and -- no longer working under time pressure -- stolen the car."

The owner repaired the aforementioned anti-theft system? I highly doubt that. After all, they are proprietary, with no user serviceable parts inside.

I think there's a shop somewhere. They don't just give away their codes and secrets for free, do they?

Cinimo • August 22, 2018 4:09 AM

Ross Anderson describes seven ways to steal a painting in chapter 11 of Security Engineering (https://www.cl.cam.ac.uk/~rja14/Papers/SEv2-c11.pdf). This sounds like method number three.

J • August 22, 2018 6:22 AM

Seconding Mr. Y. Mouse.
I have had a battery stolen from my car. But it's not trivial change - the 'core charge' for a new battery can be $50 or more. Ask the guy who had to pay it, and then walk home carrying the heavy battery... J.

wumpus • August 22, 2018 7:57 AM

Note: my main comment was that stealing a "new" battery is unlikely to have any benefit to the thief over stealing an old battery. If they are stealing them for personal use, they are switching from stealing one battery roughly half the life of a car battery to stealing two batteries a full car battery length. If they are fencing the thing, I rather doubt the fence will pay more for the "new" stolen battery.

As far as "nobody will shoot me over a car", that isn't a good thing to bet your life on. Especially if you give the owner clear warning that you are going to steal it.

Rich • August 22, 2018 8:17 AM

Re "the stolen battery"

This story has been around for a long time, I heard it told in my youth, the '60s. This just, maybe, only kind of might have been true before cars and trucks went to inside hood releases. I'm not saying it has never happened, just very rarely. Not the highest security concern.

In most vehicles today you have to be inside to pop the hood release which means you'd have to first break a window or pop the door lock. (though the electric hood or truck releases might allow some sort of remote attack).

If the perp is already inside your car why not take the air bags and anything else of value that can be sold quickly. Nobody steals radios anymore, they're too customized to/integrated with the vehicle and come with an electronic serial number.

Grand Theft Auto • August 22, 2018 9:33 AM

@Please

Re: a shop somewhere

If you break down and read the article, yes he took it in.

Oh, yes. That's how I miraculously fixed my car without getting any dirt under my fingernails. People are funny about that when it comes to cars, aren't they?

"Took it in?" And we don't even use the word shop? Come on. Let's have a little more pride than that in our own work, please.

Re: They don't just give away their codes and secrets for free, do they?

https://www.bestproducts.com/cars/tools-and-DIY/g786/code-readers-scanners/

People hate that proprietary stuff on a computer, but it's just fine on a car?

echo • August 22, 2018 11:36 AM

@Rich

For the right person with a specific need something mundane or of short value can have a value far in excess of even the full price retail value of the entire vehicle... Car seats can have value either as a replacement for wear on a premium used car or if they are expensive aftermarket seats. Perhaps even the carpet to cover up forensics discovering evidence of a murder, and licence plates have value.

(required) • August 22, 2018 1:03 PM

@GTA

"That afternoon, on my way home, I dropped by the BMW dealer." - TFA


"People hate that proprietary stuff on a computer, but it's just fine on a car?"

BMW's are notorious for having specialty tools and codes that only a dealer can get.
I guess that's what you meant but it's distinct from a 'shop' which is 3rd party.
Vote with your wallet in both instances, right?

Although the days of "right to repair" are... pretty much gone. John Deere etc.

Generic "code readers" don't have the full complement of s/w functions, they can read the fault code but they can't 2-way the sensors or reset the subsystem. It's a generic interface into a proprietary sw/hw amalgam. Especially when it comes to reflashing the ecu or something involved like that, you need the magic dealer dust.

It does help that most of these things fall under warranty (unless you modified...) but 4~ years is just about when you can expect things to start going wrong - and you really don't want to have to go to the dealer when you're out of warranty on a weird ECU/alarm issue like this. You can get deep into pocket chasing gremlins. TFA notes he was pretty lucky they even noticed a wire loom issue on the first visit. Huge understatement really, that's usually visit 2-5 after replacing a series of things.

The only way to win is not to play, get a bicycle.


rascal • August 22, 2018 1:43 PM

@Grand Theft Auto
These readers are very common. All repair shops, most auto parts stores and anyone interested in diagnosing and fixing their car issues themselves have them. There is no proprietary data shared. The codes tell you things like your O2 sensor is failing or what the oil and coolant temp is. I think most of the codes are actually generic across auto brands.

PeaceHead • August 22, 2018 3:37 PM

I'm not sure why some folks are so eager to discount or attempt to undermine other people's anecdotes and explanations of what seems totally plausible. Maybe it's just a "lack of imagination".

Theft happens a lot and of any and all types of items, regardless of momentary market values, regardless of momentary black market values, regardless of functional value, regardless of depreciation, regardless of potential social repercussions or lack thereof.

The types of motivations are many, too many to list really.

But just to add to the list that echo explained so well...

Notice how each item is distinct from the rest:

- theft as a form of vandalism
- theft as a form of sabotage (to prevent some type of functionality)
- theft as a form of protest
- theft as a form of revenge
- theft as a form of intimidation
- theft as a form of harassment (not all harassment is intimidating)

- theft as a form of sabotage (to cause some type of bodily harm)
- theft as a form of sabotage (to cause some type of death)

- theft as a form of defense auditing (to discover what the response activity is or could be)

- theft as a form of punishment ("an eye for an eye")
- theft as a form of communication (as a warning, or literally as an unrelated channel)
- theft as a form of comedic mischief (such as moving an item to an odd place to be noticed)

- theft as a mental health sickness (kleptomania, for example)
- theft as pre-emptively borrowing before asking for permission to borrow (damages might be a result of something else by the dunderheaded borrower)

- theft to incite social unrest or to instigate social malaise (this is rather important to think about deeply; it doesn't even all pivot upon police involvement or lack thereof; consider for example chronic theft from a rich property developer designed to lower neighborhood property values, thus paving the way for neighborhood destruction-gentrification-redevelopment; this is very much its own thing, distinct yet still possible)

- theft to obtain needed resources
- theft to obtain needed services
- theft to obtain wanted resources
- theft to obtain wanted services

- theft to hide evidence
- theft to plant evidence or to obtain items to plant as evidence elsewhere

- theft to access resources to donate (robin hood style or otherwise)
- theft to access services to donate (robin hood style or otherwise)

- theft to acquire materials involved with the temporary satiation of addiction (not necessarily wanted nor needed, nor for any other purpose)* THIS IS ACTUALLY A VERY BIG ISSUE IN SOME US STATES; THE DRUG PROBLEM IS HUGE.

Even when the stolen item(s) can't be resold, nor given, nor traded, that doesn't prevent thieves from taking anyhow. And if the thieves can't think straight due to drug use or other neurobehavioral problems, they may end up doing a lot of strange stuff including different forms of any of the stuff listed above as well as other weird behaviors.

And last but not least...

- theft as artistic or cultural expression (This is really not my position, but for the criminally-minded it's within the spectrum of possibilities; take for example the current state of U.S. politics and geopolitics and military misadventures: much of the corruption and criminal activity and risk and damage serves no purpose whatsoever and is actually bad for everyone... and yet it continues with great regularity and persistence.)

This is where anthropology and forensic psychology have some traction. Some people do bad things and are proud of it and/or have zero remorse, it's even been proven in case studies.

This is really important to think about. We are currently living in an era where kleptocrats are openly "expressing themselves" and aggrandizing their cultures of ripping off and trashing everyone and everything else. They just don't give a damn. And yes, they are an existential risk to the rest of us. They might not steal cars, just the personal data of several millions, military technologies to threaten everyone with, people's land and jobs and livelihoods, people's literal health, people's trust, people's votes, people's primary channels of news and communication, and people's innocence.

Etcetera, etcetera.

Any of the above could be none, or partial, or total.
Any of the above could involve multiple parties too.

Also note that breaking and entering doesn't always include theft (as the article and discussion already alluded to). It doesn't even always add up to being a prelude to theft either.

People's responses to actual thefts and attempted thefts vary a lot too, but I won't delve into partial delineations of those at this time. But it is also worth considering that sentimental value of anything is just enough justification for most people to have some type of response to theft even if that response is to do nothing at all but feel bad.

Anyways, I suppose my point is clear enough.

Thanks for the article. I think the author is maybe a bit too nonchalant about the implications and nuances, but the posting of the article is yet another nice variety of security concept citing which serves to show more of the bigger picture of what the status quo currently is.

PEACEFUL COEXISTENCE REQUIRES EFFORT AND DELIVERS BOUNTIFUL REWARDS.

J • August 22, 2018 4:30 PM

@Rich - Mine was taken from a 1976 VW bus, and there was no internal 'hood' (a hatch at the back, actually) release. It could be freely opened from outside. It didn't even have a lock (although after that I seriously thought about adding one).

What I suspect happened was that someone wanted a new battery, but didn't have an old one to 'turn in' as a core. So they swiped mine. Thus saving them $50 or so. It's possible that the reason they didn't have a core to turn in was because someone had swiped theirs first.

Statistically speaking, I have no idea. It only happened once, while living in South Los Angeles. My car(s) were broken into several times (and a few attempts that failed and only succeeded in screwing up the locks) while I was living there (late 1980s, early 1990s) and the battery only stolen once.

I never bothered to report the crime. If you want statistics on that, I suggest you ask tow-truck drivers called out to pick up totally dead cars only to find they have no battery anymore. J.

J • August 22, 2018 4:35 PM

PS - @ echo
Yep. My friend Hugh came out to find his car license-plate-free one day. His massive old wagon ('63, I think it was) had the old California black'n'gold plates, and someone decided they wanted them, front and back.

@ (required) Tried that. They stole my bicycle, too.

I don't live in South LA anymore. Anyone wondering why? J.

mr.joem • August 22, 2018 7:30 PM

Step 1: Steal Car battery
Step 2: Leave apology letter and hockey tickets as compensation
Step 3: Clean out the house during the hockey game

Tatütata • August 28, 2018 1:11 PM

"They would do this at random points of time until the key holder got fed up and did not reset the alarm."

At first, I thought this story would involve GPS jammers or cell site simulator, but the MO is much simpler, and sounds familiar, probably as a film plot. It's as if they wanted to give the impression they had been interrupted.

If you're lucky, some other element becomes an ad-hoc alarm.

Thirty years ago people arrived at an office to find many of the computers stacked messily in the lift. The thieves were apparently interrupted and fled.

My reconstruction of the events led me to think that a piece of code I had written was responsible.

The machines were linked by a primitive and unreliable coax ArcNet Network (2.5 Mb/s).

I had written a piece of code which I had installed on several key machines. The crudware was running as a TSR (remember these?), and sent test packets over the LAN (a homebrewed "ping"). When something was amiss, it made a loud warbling sound by bit banging the loudspeaker, which identified which segment of the coax based system needed attendance. It was simple but effective. It sounded a bit like these obnoxious car alarms nobody reacts to...

As the thieves made their way through the offices, they disconnected the machines, until they hit one that was part of the monitoring network.

The downside was that the insurance would probably have paid for an upgrade to PC AT clones (which quickly came down in price), and perhaps even a real 10 Mb/s network...

(How did the thieves get hold of the Assa Abloy special "security" key? Inside job? Janitor complicity?)

Paul Kosinski • September 15, 2018 8:32 PM

This is not exactly a security issue, but is more of a safety issue associated with (some) modern cars.

In older cars, you couldn't remove the ignition key until the gearshift lever was in Park (which prevented wheel rotation).

With keyless ignition, you turn off the engine by pressing the Start/Stop button. You can then walk away from the car with the key in your pocket, even though the transmission is not in Park. With a recent model Nissan Altima, the car makes a complaining sound, but it's not very loud (it's a beeper, not the horn).

This happened to us with a rental Altima (we left it in Drive). Good thing it was not on a slight incline, where you might not notice it starting to roll.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.