32 comments

[ 6.7 ms ] story [ 2916 ms ] thread
There have been active exploitation of this bug, basically they have been stealing BMW key less with some kind of hacking tool / laptop like the real version of the movie gone in 60 seconds
There was also this one[1] from a couple of years ago (that you may be referring to?) where with a inexpensive kit, a thief could intercept the drivers key fob transmissions to open the car, and then a ODB programmer to pair the car with a key blank.

[1] https://nakedsecurity.sophos.com/2012/09/18/bmw-stolen-hacki...

I heard of another variant where a jammer was used to stop the car from locking in the first place, whereby goods could be stolen. With the ODB programmer and the key blank the car could then also be stolen.
I have heard that the cars without real ignition keys (in other words, those rfid fobs without a mechanical ignition lock) that it could be possible to authorize a new key by communicating on the OBD2 connector. You do not need access to a working key if this is true, but it is my impression based on some things that I have heard that the private part of some asymmetrical cryptographic material must be known. Whether it varies from car to car, I'm not sure. (This system is called CAS by BMW)

However, in the cars with real ignition locks, the immobilizer is not as easy to defeat as the "nakedsecurity" piece implies.

Since 1994 or so (with the introduction of the EWS2 system) the ignition key contains an RFID tag with a permanent shared secret and a password which is updated every time the key is used. It has always been possible to get close to such a key and read it, then write the information into a new key. Since the password is updated when the key is turned to the 'run' position, as soon as either of the "identical" keys are used, the other will stop working.

To authorize a new key on the EWS2 or EWS3 systems using the diagnosis connector, the new key must contain a shared secret already known by the EWS brain. The factory programmed ten such secrets into each EWS brain during manufacture, and four keys were delivered with the new car when it was sold. When a new key is requested through the parts department, that key is delivered with one of the known shared secrets. Then it can be authorized with a diagnosis request.

To change the shared secret information in the EWS brain to arbitrary information, or to discover the shared secrets known by the EWS brain, it must be removed from the car, physically opened and bootloaded. (It's one of the 68hc11 processors, and there are test points on the board for the mode select pins, manipulating these can place the hc11 in a mode to run a bootloader delivered over the serial line.)

(One difference between the EWS2 and EWS3 systems is that the EWS2 brain sent another, static shared secret to the engine control to signal permission to start - a simple 32 bit word. In EWS3, this communication involves some cryptography.)

It is possible that the database of shared secrets became available when the "Heartbleed" flaw became known. I have heard that their VPN was attacked. If this material were stolen, probably the bitting information required to cut a mechanical key were stolen along with it.

The keyless entry remote of these BMWs is more like the ones used in every car, even though it is part of the same ignition key with RFID tag for immobilizer: the key has a seed and does some transformation every time a remote button is pressed.

Indeed. You can do this using the BMW manufacturer software (which is comically not hard to find), at least for the E9* series of BMW's. Not sure about the newer F3* series, but I wouldn't be surprised.
I think they really did not count on tools like NFS to find their way into the de facto 'public domain.' However when CAS was designed, they knew (or should have known) that somehow all the manufacturing-side tools were getting out. Also some of the regional technical people who support the dealers carry them around on their laptops. A couple of beers can earn you a lot of secrets sometimes.
This is a real problem. Someone took two laptops from the Mercedes of a colleague recently. They just hacked into the car, no physical damage. According to the garage this is a known problem and not much was done about it.

On the one hand, I trust old fashioned locks more. On the other hand, breaking into a car is easy anyhow (just smash a window). At least, there's no physical damage done to the car in this way (which often exceeds the costs of the lost goods). So perhaps it's not so bad. Just never leave valuables in your car.

3D printing will make old locks obsolete.
I lost my apartment keys and picked my way into my apartment for about 7 months. I don't see 3D printing having a lot to do with that.

Even if I had a printer I'd need some fancy scanning equipment to figure out how to make the key.

I believe that by carrying lock picks you were breaking the law right? Unless it is your trade of course.
In the US, the details vary by state but in general you don't need any kind of license to possess or use lockpicks (except in Tennessee): http://toool.us/laws.html
Random tangent: I recently had two copies of a key made, and noticed that the guy at the duplicating machine was able to remove the original after "scanning" it to make the first copy. Seems obvious in retrospect, but I hadn't realized that nowadays those machines had memory like photocopiers, instead of just being purely mechanical.

With that in mind, seems like it should be possible for someone to scan a key, save the pattern, and be able to use it later on to cut new keys on-demand. Does a service like this exist?

That's downright terrifying.
This is possible with the RFID transponders used in ignition keys by most carmakers. However, BMW had the foresight to prevent this.

Maybe the downmarket carmakers have gotten smarter, but for a long time BMW stood out as the one that did not permit simple duplication of the data in the RFID transponders (each transponder has its data changed every time it is used.)

As far as mechanical key bittings go, any locksmith should be able to clone a key with a photograph of it.

TOTP and HOTP have been standards for how long now? (HMAC has been in papers since 1997 or earlier, HOTP since 2005)

We have 2FA devices like the Yubikey (https://www.yubico.com/prodcts/yubikey-hardware/)

that are so incredibly small. Why is this not something you'd implement via RFID challenge/response to stop any attack?

I was puzzled by this too, and surprised at how simple it was. Remember during the 90's we had ISO7816 cards that were a lot more difficult to attack (for instance, payphone cards permuted a challenge from the phone with a shared secret and a secret algorithm, and additionally had some good anti-reading protection, and an irreversible counter)

As far as I know all the technology able to fit in a 7816 card has been put into contactless cards too.

I think that carmakers are lazy, they go to a vendor who designs a system with off the shelf parts and implements it poorly, and we end up with our $30,000 car secured by a PCF7930 or something weaker and if it has security features they are not fully utilized.

I think they also have to design these things within the constraints of being able to service them in the field and not upsetting the customer. Vendor doesn't want to be responsible for a bunch of cars not working if reliability is low, and carmakers wouldn't want the bad press. On the other hand, when criminal activity is involved, it's real easy to blame the criminal.

Yes it is, and you can even do it from just a photo. https://keysduplicated.com/

Although it doesn't really matter if you are talking about common household locks - they are trivial to open with a bump key or lockpick anyway.

(comment deleted)
Depends on where you live. Here in Sweden it is common with doors with locks which are both impossible to bump and hard to pick. Our insurance companies require them.
The mechanical copiers have never been the best way to copy a key.

Each key manufacturer has a fixed set of depths to cut each position on the key at, which you can represent as a single digit. Combined for the whole key and you can talk about the data encoded into the piece of metal as a string of digits.

Telling you my apartment key is a kwikset KW1 with bitting 64265 is enough to cut a new key.

I suppose having a discrete set prevents error propagation also, avoiding copies drifting into unusability.
>Even if I had a printer I'd need some fancy scanning equipment to figure out how to make the key.

Keys have been reproduced from a single photo before. It seems to always involve someone who has experience making keys using the photo to reproduce the key, but in theory software could be able to automate this for the easier cases.

If I have a key or picture of a key, yes. If I have access to just the lock, I can't figure out how to do this without some odd equipment. And if the 3d printer + just the lock can't do something new, then how do 3d printers make traditional locks obsolete?
(comment deleted)
Does anyone know if this is a widespread problem across the industry? Does it affect VWs / Audis too?
Yes it affects many higher end cars but BMW's have suffered for a long time. Their excuse for a "fix" prevents the windows from being wound down by the key.

http://www.bbc.co.uk/news/uk-19562487

That's a pity. That is useful in some circumstances. I once accidentally did that somehow and came out the next morning to find my windows down and completely soaked inside thanks to the torrential rain all night long. Took a while to dry the Golf out....... amazingly nobody had pinched anything from inside it (rubbish CDs I expect).

I am still convinced to this day that it was my cat that pushed the button.

I shouldn't be amazed by this in 2015, but a car that updates its software over the air IS just amazing. I wonder if it can update while driving. Or be on the receiving end of a DDOS attack.
I wonder if they are using key pinning and have mitigated SSLStrip and other SSL attacks. Also, they say that it wasn't vulnerable to attacks on braking and steering. If firmware updates are possible over the air, you could theoretically capture and disassemble one and modify it to suit your purposes.

The device the software runs on most likely sits on the CAN bus with everything else and could be used to feed false data in that could at least confuse other systems on the car. Similar attacks have been done before in experiments. Local (USB drive) system updates look to be cryptographically signed, but who knows about the OTA ones, and even then the key might be extractable.

It's a shame that BMW isn't committed to fixing the key-reprogramming method of theft that affects many of their older cars. The previous "fix" that they issued only prevented the windows being wound down from they key, not the actual reprogramming.

http://www.bbc.co.uk/news/uk-19562487

So, this update enables the use of HTTPS - but since it's delivered OTA, does that mean patches (including this one) were previously delivered over just HTTP, i.e. an unauthenticated, unencrypted channel?