babypuppi: [5] 99 Bmw 323i In Weekly Picture

Your BMW comes with a $160 key with a computer chip and security code inside to make the car hard to steal. The common thief can’t steal your Bimmer, but in Europe, at least, hacker-thieves apparently have been able to subvert the car’s intrusion alarm in a separate step to break in, then access the car’s OBD (on-board diagnostics) connector, collect unsecured or easily decoded information on the key codes, program a new key, and drive away. If that’s the case, hackers are showing up flaws in car security they way other hackers have done in websites and corporate networks. BMW in the UK issued a vague statement saying smart thieves are a “constant challenge to all car makers.”

Here’s what’s happening, as related by stories coming out of Europe: First, thieves get into the car by decoding and hacking the door lock (more below) or by breaking the window in a way that doesn’t set off the ultrasonic alarm sensor. Then they attach a sophisticated reader to the on-board diagnostics connector. You may have a simple OBD reader yourself, such as CarMD, Innova, or Actron. Repair shops and dealers have multi-thousand-dollar readers. And thieves have single-purpose versions that purportedly can suck out the specific key code for your Bimmer, the one that’s about to become somebody else’s plaything.

How do they get the info? By law, the data accessible by the OBD connector has to be accessible, meaning the automaker can’t encrypt the information, then make the decrypt codes available so the Authorized BMW Center but not Foreign Motor Werkes can quickly figure out that it’s a bad ignition coil on cylinder three. (And also charge you a $100 diagnostics fee in order to sell you a $175 coil that you could find online for $75, but we digress.) Some of the stolen-BMW reports say BMW doesn’t encrypt the car key coding well enough; a less likely scenario (but mentioned by some) is that the law requires all information to be open, and “all” would include the specific code needed to program a blank key. As you can see in the video below, a black box (well, blue) connected to the OBD port that can program a key blank in a few seconds.

If that’s the case, why aren’t other cars being stolen as well? It’s likely they are. There may be more BMW key blanks floating around for whatever reason. BMWs may be targeted because all high-end German cars are in demand by ask-no-questions buyers in eastern Europe. Search the web for info on breaking into BMWs and you’ll see stories as far back as 2004 about electronic frequency scanners that can run through thousands of remote door-unlock codes while the thieves sit in a nearby car or van, as well as $1,000 kits that let you create a BMW key to get in the door once you’ve got it open the first time. That’s the easy-entry part. More recently comes news here alleging a separate hacking tool lets you program the key to start the car and drive away.

Soccer player David Beckham had two BMW X5s stolen when he lived in Madrid in the mid-2000s. One wound up in the hands of the interior minister of the Republic of Macedonia. That was an early use of key-code scanners, via laptop, to unlock the car. At worst, the car could then be towed away.

In the UK, BMW media relations manager Gavin Ward issued this statement:

“The battle against increasingly sophisticated thieves is a constant challenge for all car makers. Desirable, premium-branded cars, like BMW and its competitors, have always been targeted. BMW has been at the forefront of vehicle security for many years and is constantly pushing the boundaries of the latest defence systems. We work closely with the authorities and with other manufacturers to achieve this. We are aware of recent claims that criminal gangs are targeting premium vehicles from a variety of manufacturers. This is an area under investigation. We have a constant dialogue with police forces to understand any patterns which may emerge. This data is used to enhance our defence systems accordingly. Currently BMW Group products meet or exceed all global legislative criteria concerning vehicle security.”

We asked BMW of North America for comment on what, if anything, might be different on the OBD-II connector that would let US owners sleep better at night. We’ll add a comment when BMW responds.

Updated @ 08:50, July 11: This is the response from BMW of North America spokesman Dave Buchko, who says BMW in the US stores key blanks in a handful of secure locations in the US and they’re sent to dealers, one at a time, when a customer needs a replacement. He adds, “This does not seem to be an issue in the US. The key, pardon the pun, to these thefts is access to a blank key or some sort of facsimile. BMW NA is the only source for replacement keys and we have a system in place that can provide a new key within 24 hours. We’re checking but we do not know of any difference in the data being accessed through the OBD port in the UK versus here.”

If there’s a moral to this story, it’s that automotive engineers are smart people, but sometimes they need more devious minds. An engineer figures if there are millions of key codes, nobody would have time to try them all, then along comes a laptop-based tool that can send out thousands inside of an hour, and maybe with insider information on what keycode sequences might be more likely, hit on a match. And if the car doesn’t lock out remote entry after three or a dozen false tries (allowing for the BMW owner two cars over to hit your car with his unlock sequence), the automakers are missing something that’s done with virtually all online logon software: three tries and you’re out.

It would be relatively easy for BMW to implement some kind of public/private key system, too, where the OBD remains inaccessible unless it’s activated by the owner’s private key. When getting your car fixed, you would simply lend the private key to the mechanic. As cars become increasingly computerized and digitized, it would certainly be sensible for automakers to take a leaf out of the Silicon Valley playbook and begin hiring white hat hackers to secure their on-board systems.

OBD is the same connector that’s the source of other future, potential, woes. It’s the link to a data recorder that stores the last moments before a crash and shows the car’s speed, brake application, steering angle, and other information that might be at odds with the story you tell the cops. It can also relay your location, speed, and time of day to an insurance company recorder or transceiver that tells if you’ve been naughty or nice while driving. It can be the only way a bad or bad-luck driver gets any kind of insurance and in the future it might be the norm unless you want to pay an insurance surcharge in order to drive with no one tracking your movements.

Read more about car hacking (unlocking car doors via SMS!)