If you think your car is safe once you’ve zapped it with your key fob, then think again. Thieves have developed a sophisticated technique that allows them to drive off with some of the most expensive – and apparently most secure – vehicles available. They are using a hi-tech device, which can be bought easily online, to get into the car without even needing to smash a window. However, some now claim that hacking technology is being used to commit virtually untraceable murders, including manipulating the brakes of moving cars that have in-built computer systems.
Automobile enthusiasts are pointing to an unusual spike in the number of BMW thefts in the U.K. this year. Expensive cars being stolen isn’t anything to write home about, but the reason for this new trend definitely is: the cars in question are keyless. Multiple BMW models are being swiped without activating car alarms or immobilizers because the thieves are hacking their way into the vehicles.
On-board diagnostics (OBD) security bypass kits, replete with reprogramming modules and blank keys, are reportedly enabling low-intelligence thieves to steal high-end cars such as BMWs in a matter of seconds or minutes. Research by a team from the Swiss Federal Institute of Technology targeted a weakness in car security: the smart key fobs, common on luxury vehicles and spreading to mainstream models, that allow a driver to unlock doors and start a vehicle without touching the fob. In their paper (PDF link) the researchers have said the best way to fix the security hole would be smarter software that attempts to verify how close the key fob is to the vehicle. Otherwise, the only secure solution would be the same one that’s been in use for decades: an old-fashioned metal key.
Using radio signals, the fob and vehicle send encrypted signals to each other over short distances, and while other researchers had suggested the fobs could be vulnerable, no one had put the idea to a test. Using ten different borrowed models from eight manufacturers (without the automakers’ input), the Swiss team was able to unlock and start all of their test vehicles, showing that hacking the smart fobs is “feasible and practical.” Their system simply used two antennas: one carried by the hacker trying to get in and start the vehicle, the other in the vicinity of the fob, to amplify the signals between the transmitters and break in.
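One known way to "verify how close the key fob is" is distance bounding: the car times a series of one-bit challenge-response rounds and rejects any answer that took longer than light needs to cover the allowed range. The sketch below is an added example in the style of the Hancke-Kuhn protocol, not code from the researchers' paper; the key, nonces, 2 m range, 20 ns fob processing time and all round-trip times are constructed assumptions, and real systems need radio hardware that can time at this resolution.

```python
import hashlib
import hmac
import secrets

C_M_PER_NS = 0.299792458  # speed of light in metres per nanosecond

def registers(key, nonce_car, nonce_fob, n):
    """Derive two n-bit response registers from the shared key and both nonces."""
    digest = hmac.new(key, nonce_car + nonce_fob, hashlib.sha256).digest()
    bits = [(byte >> i) & 1 for byte in digest for i in range(8)]
    return bits[:n], bits[n:2 * n]  # 256 digest bits, so n must be <= 128

def fob_respond(key, nonce_car, nonce_fob, challenges):
    """Fob side: answer challenge bit c in round i with register c, position i."""
    r0, r1 = registers(key, nonce_car, nonce_fob, len(challenges))
    return [(r1 if c else r0)[i] for i, c in enumerate(challenges)]

def car_verify(key, nonce_car, nonce_fob, challenges, responses, rtts_ns,
               max_distance_m=2.0, processing_ns=20.0):
    """Car side: every bit must be correct AND every round trip fast enough."""
    r0, r1 = registers(key, nonce_car, nonce_fob, len(challenges))
    # Slowest acceptable round trip: fob processing plus light travel out and back.
    limit_ns = processing_ns + 2 * max_distance_m / C_M_PER_NS
    for i, (c, r, rtt) in enumerate(zip(challenges, responses, rtts_ns)):
        if r != (r1 if c else r0)[i]:
            return False, "wrong response bit"
        if rtt > limit_ns:
            return False, "round trip too slow"
    return True, "fob within range"

def simulate(path_m, n=64):
    """Constructed run: a genuine fob whose signal travels path_m metres each way."""
    key = b"constructed-shared-key"
    nonce_car, nonce_fob = secrets.token_bytes(8), secrets.token_bytes(8)
    challenges = [secrets.randbelow(2) for _ in range(n)]
    responses = fob_respond(key, nonce_car, nonce_fob, challenges)
    # Simulated timing: fixed fob processing plus propagation over the path.
    rtts_ns = [20.0 + 2 * path_m / C_M_PER_NS] * n
    return car_verify(key, nonce_car, nonce_fob, challenges, responses, rtts_ns)

if __name__ == "__main__":
    print("fob 1 m away:      ", simulate(1.0))
    print("relayed over 30 m: ", simulate(30.0))
```

The relayed run fails even though every response bit is correct, because amplifying and forwarding the signal cannot remove the extra propagation time.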
But wait, there’s more. Short of allowing your ride to be stolen, security researchers at the University of Michigan and the University of Washington have shown that OBD shortcomings allow these other automotive WiFi shenanigans:
- Locking and unlocking doors
- Honking the horn
- Wireless attack through tire pressure sensors
- Trojan delivered via music CD
This stuff isn’t new. The CD Trojan piece goes back to 2011. What’s new is how erudite hacker knowledge of OBD’s limitations has been commoditized and marketed in these easy-to-use, cheap kits.
To use the tool, car thieves first need to intercept the transmission between a valid key fob and a car before they can then reprogram the blank key, which they can then use to start or open the car via the OBD network. According to The Register, a $30 bypass tool is being shipped from China and Eastern Europe in kit form to unskilled criminals.
On the car forum 1Addicts, a one-time poster by the name of “stolen1m” uploaded a video showing how his BMW was stolen in under three minutes. He suspects the thieves used devices that plug into the car’s On-Board Diagnostic (OBD) port to program a new key fob.
In this particular video, there are a few security flaws that the hackers are exploiting simultaneously: there is no sensor that is triggered when the thieves initially break the window, the internal ultrasonic sensor system has a “blind spot” just in front of the OBD port, the OBD port is constantly powered (even when the car is off), and last but not least, it does not require a password. All of this means the thieves can gain complete access to the car without even entering it. If the video is an accurate depiction, even the village idiot could be behind the wheel of a fine ride with a $30 investment and a few minutes.
BMW has acknowledged that there is a problem, but is downplaying this particular issue by saying the whole industry struggles with thievery. This is unfortunate given that the evidence seems to point towards BMWs being specifically targeted. Whether that’s because they are luxury cars or because they have a security loophole doesn’t matter: the point is BMW needs to do something about it.
“The battle against increasingly sophisticated thieves is a constant challenge for all car makers. Desirable, premium-branded cars, like BMW and its competitors, have always been targeted,” a BMW spokesperson told Jalopnik. “BMW has been at the forefront of vehicle security for many years and is constantly pushing the boundaries of the latest defence systems. We work closely with the authorities and with other manufacturers to achieve this. We are aware of recent claims that criminal gangs are targeting premium vehicles from a variety of manufacturers. This is an area under investigation. We have a constant dialogue with police forces to understand any patterns which may emerge. This data is used to enhance our defence systems accordingly. Currently BMW Group products meet or exceed all global legislative criteria concerning vehicle security.”
Three other YouTube videos were also posted in the aforementioned forum.
This is a serious problem. New cars, especially high-end ones, no longer require a physical key to be inserted into the ignition. The previous system evolved into being much more secure because it was two-tiered: metal keys that also have a chip. This new system means stealing cars (mainly BMWs so far) is extremely easy for the sophisticated criminal.
It looks like it’s not just BMWs, mind you. Police are also seeing other fancy cars whisked away by criminals believed to be using the kits, with the deprived owners still having the keys in their possession. A post on the car enthusiast site Pistonheads suggests that devices similar to those used to steal BMWs are also available for Opel, Renault, Mercedes, Volkswagen, Toyota and Porsche Cayennes.
Should you shake down your car manufacturer to get better defenses? Unfortunately, it probably won’t do you much good if you do, between the need for mechanics to have some type of tool to get into your car and competition laws requiring open standards. However, if you want to protect yourself from this hack, look into how you can disable the OBD port on your BMW by disconnecting the corresponding wires. If you or your dealer needs it, you can always re-enable it. Alternatively, you can try to further secure the port in your own custom way.
However, things get even more frightening. There have been claims that intelligence services and terrorists around the world are using hacking technology to commit virtually untraceable murders, including manipulating the brakes of moving cars that have in-built computer systems. Two security experts, Charlie Miller and Chris Valasek, conducted a demonstration showing how computer hackers can control a full-sized automobile using nothing more than a typical laptop computer. While car-hacking may not be the most obvious form of cyber crime, the mysterious circumstances that surrounded the automobile accident that killed US journalist Michael Hastings in June last year have led some to believe that he was a victim of car-hacking.
At the Def Con hacking conference in Las Vegas, Valasek and Miller described ways that cyberhackers can launch even more dangerous attacks. The two have built a device with about US$150 (RM460) in electronics parts, though the real “secret sauce” is a set of computer algorithms that listen to traffic in a car’s network to understand how things are supposed to work. When an attack occurs, the device identifies traffic anomalies and blocks rogue activity, Valasek said.
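The idea of learning "how things are supposed to work" and then flagging anomalies can be illustrated with a rate-based monitor for periodic in-vehicle network messages. This is an added example, not Miller and Valasek's algorithm: it assumes a CAN-style bus where each message ID normally repeats at a steady period, and the IDs, timestamps and 0.5 tolerance are constructed for the demonstration.

```python
from collections import defaultdict
from statistics import median

class CanRateMonitor:
    """Learn each message ID's normal period, then flag IDs or rates never seen."""

    def __init__(self, tolerance=0.5):
        self.tolerance = tolerance  # alert if a gap is under tolerance * learned period
        self.period = {}            # message ID -> median inter-arrival time (seconds)
        self.last_seen = {}         # message ID -> timestamp of previous live frame

    def learn(self, frames):
        """Build the baseline from (timestamp, message_id) pairs of clean traffic."""
        gaps, last = defaultdict(list), {}
        for ts, can_id in sorted(frames):
            if can_id in last:
                gaps[can_id].append(ts - last[can_id])
            last[can_id] = ts
        # IDs seen only once have no gap and stay unknown to the monitor.
        self.period = {cid: median(g) for cid, g in gaps.items()}

    def check(self, ts, can_id):
        """Classify one live frame; a gateway could drop anything not 'ok'."""
        if can_id not in self.period:
            return "unknown-id"
        prev = self.last_seen.get(can_id)
        self.last_seen[can_id] = ts
        if prev is not None and ts - prev < self.period[can_id] * self.tolerance:
            return "too-fast"  # extra frames squeezed in between the legitimate ones
        return "ok"

def demo():
    """Constructed traffic: two periodic IDs, then an extra frame and a new ID."""
    baseline = [(i * 0.010, 0x0C0) for i in range(100)]   # every 10 ms
    baseline += [(i * 0.100, 0x1A0) for i in range(10)]   # every 100 ms
    monitor = CanRateMonitor()
    monitor.learn(baseline)
    live = [(2.000, 0x0C0), (2.000, 0x1A0), (2.010, 0x0C0), (2.100, 0x1A0),
            (2.105, 0x1A0),   # constructed anomaly: 5 ms after the real frame
            (2.150, 0x7DF),   # constructed anomaly: ID absent from the baseline
            (2.200, 0x1A0)]
    alerts = []
    for ts, can_id in live:
        verdict = monitor.check(ts, can_id)
        if verdict != "ok":
            alerts.append((ts, can_id, verdict))
    return alerts

if __name__ == "__main__":
    for ts, can_id, verdict in demo():
        print(f"{ts:.3f}s id=0x{can_id:03X} {verdict}")
```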
The duo’s accomplishment, which was funded by a Pentagon research facility called DARPA, was intended strictly to raise awareness of the computer systems that are now dominating the automobile industry. Ultimately, they created a program that would allow them to tap into a car’s “electronic control unit” (ECU), via the on-board diagnostic port of the vehicle. (This is the same port where mechanics can determine where a specific problem is in the car when it’s taken in for repair work, and is also the same port that is used by a popular car insurance company to monitor your driving habits.) Typically, the ECU in a car can control everything from the acceleration and brake pedals, the steering wheel, the horn, any of the digital displays on the car’s dashboard, pretty much anything that has some form of computer control. When talking about the research, Charlie Miller had this to say on the topic:
“At the moment there are people who are in the know, there are nay-sayers who don’t believe it’s important, and there are others saying it’s common knowledge but right now there’s not much data out there. We would love for everyone to start having a discussion about this, and for manufacturers to listen and improve the security of cars.”
The two well-known computer experts decided to pursue the project because they wanted to help automakers identify ways to defend against security vulnerabilities in their products. “I really don’t care if you hack my browser and steal my credit card,” Valasek said. “But crashing a car is life or death. It’s dramatic. We wanted to be part of the solution.”