back to article DUDE, WHERE'S MY CAR? New leccy BMWs have flimsy password security – researcher

New BMW cars have security shortcomings that could allow thieves to pop open a victim's flash motor from a smartphone. Ken Munro, a partner at Pen Test Partners, uncovered security issues in the systems that pair the latest generation of beamers with owners' mobiles. By stringing together the flaws, a crook could open doors, …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    This is a total non-issue.

    If somebody wants to steal stuff from inside your car they won't waste time dicking about with apps and passwords. They'll just put a hammer through the front window, grab what they want and run.

    1. jake Silver badge

      @AC "in the last few minutes" (Whatever that means, ElReg).

      Not a hammer. A sparkplug. Toss a sparkplug at any side window, and the window will do it's job ... disappear into thousands of bits of glass that are unlikely to even scratch the perp reaching in.

      Security & safety & automobiles ... Pick two. The trifecta doesn't exist.

      1. Anonymous Coward
        Anonymous Coward

        Re: @AC "in the last few minutes" (Whatever that means, ElReg).

        Skill #124. Grand Theft Auto*

        *The old fashioned sort

      2. Anonymous Coward
        Anonymous Coward

        Re: @AC "in the last few minutes" (Whatever that means, ElReg).

        Not a sparkplug but a small bit of ceramic broken off a sparkplug. A sparkplug itself is just a throwable object.

        Unless, knowing jake of course, you spent the last thirty years as a sparkplug technician while doing part time glass compound analysis, in which case I'll bow to your obvious superiority.

        1. Anonymous Coward
          Anonymous Coward

          Re: @AC "in the last few minutes" (Whatever that means, ElReg).

          I shattered one with my hand, once. I was riding a motorbike and about to overtake a car - uphill, so not really fast - when it suddenly decided to go back the way it came. I could see my head was going to the rear side window so I stuck my hand out to try to reduce the damage I was expecting my handsome mug to sustain. I was pleasantly surprised when the window shattered as per jake's description. It didn't even hurt. I ended up half in the motor looking up at the occupants. I forget what I called them though.

        2. jake Silver badge

          Re: @AC "in the last few minutes" (Whatever that means, ElReg).

          "Not a sparkplug but a small bit of ceramic broken off a sparkplug. A sparkplug itself is just a throwable object."

          No. A sparkplug. Not a tiny bit of ceramic.

          The place: Junkyard in East Palo Alto.

          The time: Mid 1970s.

          The car: 1970 Datsun 510 2-door.

          The destination: Uncracked dashpad and factory "full gauge-pack" dash.

          The problem: No keys to get into the car.

          The owner of the yard casually picked up a discarded sparkplug and flung it at the passenger-side door glass. It shattered nicely. Seems that the mass and shape of a sparkplug ensures that it'll (almost) always hit with a point, and enough energy to break the window.

          @other AC (would ElReg please bring back proper time-stamps?):

          I've never stolen anything in my entire life. Doesn't mean I don't know how to get away with it, mind, but I have a rather well developed sense of ethics and ethos. Can't train animals (including children and commentards!) if you are trying to lie to them.

          1. Anonymous Coward
            Anonymous Coward

            Re: @AC "in the last few minutes" (Whatever that means, ElReg).

            "ensures that it'll (almost) always"

            Sure jake, scientific survey of 1 occasion, really qualifies an "(almost) always" analysis. Not the brightest spark(plug) are you?

            1. jake Silver badge

              Re: @AC "in the last few minutes" (Whatever that means, ElReg).

              Throw a sparkplug at your driver's side door window, AC. I double-dog dare you. (Or, more likely, your father's car's driver side window). And then repeat the experiment on all the other side glass. Make careful notes as to how many times the sparkplug bounced without damaging the glass.

              Come back & report. And admit that you are an idiot.

              Honestly, the mind boggles.

    2. durandal

      In the meantime, organised gangs have been trawling London and exploiting CANBUS security flaws and making off with hundreds of BMWs and Range Rovers without needing to bother with pesky things like keys.

      The reported flaw is probably nothing, but it highlights that vehicle manufacturers are failing to get to grips with the fact that the in-car IT is vulnerable and can be exploited, and this is just a symptom of the issue.

    3. Anonymous Coward
      Anonymous Coward

      BMWs have special glass which has a layer of plastic film between the layers of glass. This stops such a hammer attack working without some extra cutting tools.

      1. Solmyr ibn Wali Barad

        "BMWs have special glass which has a layer of plastic film"

        Otherwise known as triplex, or laminated glass. Everybody, not just BMW, uses it for the windscreens. On the side windows it's very rare. And not a good idea either.

        overlawyered.com/2005/05/laminated-glass-in-car-windows/

      2. messele

        What, you mean the laminated glass that every car on the planet has had for decades?

        Keep telling yourself that BMW's are somehow special. They're far from it.

    4. Anonymous Coward
      Anonymous Coward

      Anyone want to bet a tenner that in ten years plod will be able to apply the brakes in your car remotely?

    5. Jay 11

      Most people would think this yes but it isn't really the case. The car is worth more as parts than what is inside it so the ability to take the whole car is rather useful to a thief with a beavertail.

      People also think thieves don't take time to set things up but they do. Motorcycles for example with alarms, the old trick was to tie a length of fishing line to it at night and tug from a distance setting the alarm off. Owner eventually thinks the alarm is playing up so turns the alarm off and bike is stolen. Might take a few nights of sitting around but to a thief a few nights for a few grand is time well spent.

      Now think of that in relation to a car that can be crated up and out of the country or stripped down in 12 hours and any lapse in security or even merely mistrust of security could net someone a fair few grand for a few nights messing around.

    6. Anonymous Coward
      Anonymous Coward

      It's still fun to pop the trunk on the BMW beside you in traffic! I can also switch their headlights on or off. I haven't tried switching off the ignition - yet

  2. MJI Silver badge

    Need they an app to stop wheels exploding

    Then I would not have had my car written off.

    1. Anonymous Coward
      Anonymous Coward

      Re: Need they an app to stop wheels exploding

      Your fault, your driving in the UK. BMW wheels and pot holes don't mix.

      1. MJI Silver badge

        Re: Need they an app to stop wheels exploding

        Not my fault, but it was bloody scary and I now have anxiety attacks if a BMW drives too close. The front wheel on the BWM literally exploded, then there was the head on in front of me, then I was the sad owner of a slightly bananad Omega.

  3. John Tserkezis

    I hear the hot spare parts market is booming - which would be a lead to stolen cars, even if they don't onsell the *car*, the parts more than make up for it. Heck, they're even doing smash and grabs for airbags on ordinary family cars...

    Still, the BMW thing isn't nearly as bad as some security gaffs some other manufacturers have done.

    1. Terry 6 Silver badge
      FAIL

      "Isn't nearly as bad as some security gaffs some other manufacturers have done"

      Well yes. They don't seem to be good on secure by design. On a number of car makes the electronic door key can be replicated or copied by a device which the police tell me can be bought easily on the interwebs. Which is why my Honda has had its doors opened several times and stuff nicked from the glove compartment. Until I realised it wasn't just me forgetting to lock it, so now I don't leave anything in there. Which is a pain when I suddenly discover that I could really do with using the Satnav that I have left safely at home so that it doesn't go the same way as the previous ones.

    2. Don Jefe

      I'm not sure what area of the world you're located in, but here in the US the insurance industry pretty much killed the market for stolen parts for vehicles still in production. Something like 85% of auto insurance payouts are made directly to the repair shop and not the policy holder.

      It used to be common business for the insurance company to pay the policy holder directly and put disbursement of the funds on the policy holder. The repair shop would buy parts of uncertain provenance at a greatly discounted price without the knowledge of the policy holder who had been sold genuine, new parts.

      Now most insurance companies will have preferred partners in an area who handle all the repairs and are paid directly, the policy holder never has a role in the financial transaction. The insurance companies also have negotiated pricing from parts suppliers and the end result is a big circle of provenance paperwork for every last part the insurance company is paying for.

      Sure, you could get into bent repair shops and such, but those are exceptions anymore. Most of the stolen parts market here is for expensive, out of production cars. Exotic and top shelf cars generally aren't parted out, but disassembled and shipped to a foreign land where they are reassembled. Customs busted three vessels carrying a total of 40+ disassembled cars in just the Port of Baltimore last year.

      Regardless, it's one thing for a warlord to want a Maybach or a Lamborghini, that's fairly understandable. But I'm going to go with my gut and say most of the people who would drive an electric BMW don't fall in the warlord or shady repair shop patron categories :)

  4. Anonymous Coward
    Anonymous Coward

    Case-insensitive passwords?

    Uh-oh, sounds like somebody forgot to hash

    1. Anonymous Coward
      Anonymous Coward

      Re: Case-insensitive passwords?

      > Uh-oh, sounds like somebody forgot to hash

      Not necessarily. If the thing is meant to be used primarily via mobile devices, it might have been a deliberate design decision, which sacrifices *some* security (lower entropy) for the sake of usability.

      INSERT INTO credentials (username, secret) VALUES (:user, SHA1(STRTOUPPER(:password));

  5. big_D Silver badge

    My name

    I understand why it isn't good practice to use your own name as an account name, but it should be! I was given my name, I use my name all the time so why shouldn't I be able to use it for online services? Well, apart from it not being unique.

    Likewise, people tend to liek having one name they take with them. When I sign up for different services, I have my first choice, second choice, third choice and then random. Why? Because I want to have a common name across different services, so that people can recognise me, when we have some shared services in common.

    It should be up to the service to ensure that using a "known" name isn't an issue for the customer.

    1. John Tserkezis

      Re: My name

      "I understand why it isn't good practice to use your own name as an account name, but it should be! I was given my name, I use my name all the time so why shouldn't I be able to use it for online services? Well, apart from it not being unique."

      Being able to use "any" username, and "any" password, effectively gives you two factor authentication. Perhaps it wasn't intended that way, but the point "Pen Test Partners" makes is, if you can, then you should take advantage. If the username is forced to be in a particular format, you're effectively making it single factor authentication - which is inherently less secure.

      That doesn't make it a bad thing, it just means you need a more securely designed password. And I'm not confident the drivers are smart enough to do that(*).

      (*)The owners are probably smart and sensible people, it takes brains to make that class of money that buys this class of vehicle. However, around these parts, I've seen spouses who *drive* the cars on a day to day basis who are - dare I say it - not quite as smart and sensible. To them "4321" would be the pinnacle of secure.

      1. DaLo

        Re: My name

        "Being able to use "any" username, and "any" password, effectively gives you two factor authentication"

        Not quite it is two step verification but it is single factor (it is equivalent to a single password that is the combined length of the username+password but sometimes worse if the system individually lets you know if the username is wrong regardless of password).

        Two factor could be available if the mobile phone, for instance, had to be verified and unique so that only a verified mobile phone could be used along with a (username/)password

      2. Nuke
        Holmes

        @John Tserkezis - Re: My name

        Wrote :- "[BMW] owners are probably smart and sensible people, it takes brains to make that class of money that buys this class of vehicle."

        Wow, this is turning into a BMW admiration forum? There are many idiots who get big money purely by luck. The obvious example is lottery winners, but people also get money by inheritance by default from distant wealthy childless aunts for example. It is precisely at such moments that some people are likely to splash out on an expensive car, the less brains the more likely in fact.

        I was in a motorway traffic jam recently, the sort where the delay is so long that people get out and start chatting. I was struck by the lack of correlation between the type person they seemed to be and the the type of car they were driving. FWIW I could go straight out and buy the top-of-the-range BMW, but I drive a car that is 20 years old. Call me tight if you like.

        1. hapticz

          Re: @John Tserkezis - My name

          depends on whos calling whom who. 'prudent' is a far more charitable description for yourself, as long as it's a 20 year old Bentley? ;-))

      3. Irongut

        Re: it takes brains to make that class of money that buys this class of vehicle.

        "it takes stupidity to make that class of gullible fool that buys this class of vehicle."

        Fixed that for you. The number of big BMWs I see in less affluent areas proves that earning big money is not required for BMW ownership. (or any other brand of overly expensive car)

        1. Don Jefe

          Re: it takes brains to make that class of money that buys this class of vehicle.

          Big money has never been a requirement for owning any production line automobile. Gone are the days of (many) ethnically targeted colloquialisms but 'trailer park Cadillac', 'car poor' and 'all hat, no cattle' work just as well. All that's required is that a person prioritize their car over all else. Some people are perfectly happy to live in a house with wheels on it as long as they can make the payments on a car that let's them feel important.

          They completely miss the point in having those sorts of vehicles, but what can you do: It's their choice. The reverse is true as well. Plenty of people here in Northern Virginia buy homes far outside the realm of reason and eat Ramen noodles for dinner everyday because the electric bill is 25% of their monthly income. They too miss the point.

          Fancy cars in their 'proper' environment don't impress anyone because everybody has a fancy car too. Same with houses. Everybody's got a fancy one and no matter how great you think it is, somebody there is always going to have one that's bigger, better, faster and more expensive. Competing with others and attempting to impress with things that come off a production line is just as stupid for poor people as it is for extremely wealthy people.

        2. John Tserkezis

          Re: it takes brains to make that class of money that buys this class of vehicle.

          "The number of big BMWs I see in less affluent areas proves that earning big money is not required for BMW ownership."

          I've seen this in some (primarily European) countries, but it doesn't apply here in Australia. You either need a bucketload of money to buy one, or, if it's a shitbox, you're paying a bucketload of money to keep it on the road. Either way, you're not getting away with it on the cheap. I'm thinking it's the import fees that try to encourage the purchase of Australian-Built cars (even though that industry is nearly dead now anyway), plus the local perception that a beemer = money.

        3. Anonymous Coward
          Anonymous Coward

          Re: it takes brains to make that class of money that buys this class of vehicle.

          The number of big BMWs I see in less affluent areas proves that earning big money is not required for BMW ownership. (or any other brand of overly expensive car)

          In London, BMW stands for "Black Man's Wagon"

    2. Pascal Monett Silver badge

      Re: I use my name all the time so why shouldn't I be able to use it for online services

      Maybe because when you give your name to someone in Real Life (TM), you don't expect them to be going through the roof of your house in the next ten minutes to check out all your stuff, mosey in the cellar and leave a turd in the fish bowl.

      Because on the Internet, they can do that and more, if they are determined.

    3. hapticz

      Re: My name

      as long as your name isn't one of those long used generic standards like smith, brown, chin, wu or other, you're fine. like people having the same birthday week in the same room, as production numbers increase the opportunity for 'identity intercept' also increases.

  6. Anonymous Coward
    Anonymous Coward

    Only needs to be as secure as your keys

    There's not really much point in making an uber-secure unlocking app when alternative methods of gaining entry (and driving off the car) are so much simpler. Once it's at least as hard to crack as breaking into the owner's house and stealing the keys, or even threatening the owner to make them hand over the keys, then it's really good enough.

  7. Anonymous Coward
    Anonymous Coward

    Ahem!

    > If you allow users to choose their own username that weakens security,

    The username is supposed to be publicly disclosable, after all that's how you identify a user (cf. email). Good security should not rely on attempting to hide usernames (which users will end up writing down anyway). What Professor Whathisface is advocating is security through obscurity.

    > which is why banks don't allow it.

    The hell they don't.

    1. Steve Knox
      Boffin

      Re: Ahem!

      Actually, what he's advocating is security bolstered by obscurity. Security through obscurity relies on obscurity as the primary defense (e.g, a proprietary encryption algorithm, or even a hidden private key).

      He's not saying that they should use obscure usernames and that's all, he's saying if they can use obscure usernames on top of a good password/encryption scheme, that adds an increased level of security. He's not saying rely on obscure usernames, but take advantage of the opportunity.

      Furthermore, one's e-mail address need not have anything to do with one's login name, even within the e-mail system itself, beyond an association in some database.

  8. A Non e-mouse Silver badge

    Security Vs Usability

    The trade-off between security and usability is never easy. From what the article says, it seems BMW have made a fair attempt at trying to make the system secure, but easy to use by non-nerds.

    Is it perfect? No. (But is any security system perfect?)

    Is it hideously broken? No.

    1. Don Jefe

      Re: Security Vs Usability

      The appropriateness of that trade off is a reflection of how well a company understands its customers. At least 2/3 of the people I know who own BMW autos (not motorcycles :) are the same sort of people who return a box of screws because it contained 199 instead of 200. The same sort who write Amazon reviews blasting a $75 waterproof phone case and its manufacturer because they took it scuba diving in 60' of water. The same sort who sue because they stabbed themselves in the dick with a knife and blame it on the lack of a 'do not stab self in dick' illustration and warning callout on the package.

      Based on the comments, I feel safe assuming a fair portion of BMW owners in Europe and the UK are the same as we've got here. That being the case, I think BMW has a pretty good handle on the security/usability tradeoffs :) It's not designed to be secure, it's deigned so Twonk1 can show off the app to Twonk2 without it hindering his presentation with boring passwords and stuff.

  9. Wilseus

    Beamer?

    It's "bimmer" for a BMW car. A beamer or beemer is a BMW motorcycle.

    Just saying ;)

    1. Gerhard den Hollander

      Re: Beamer?

      And it's a bummer when it gets stolen

    2. Anonymous Coward
      Anonymous Coward

      Re: Beamer?

      It's "bimmer" for a BMW car. A beamer or beemer is a BMW motorcycle.

      Never, ever heard of bimmer. Most be a local thing for local people.

      1. Don Jefe

        Re: Beamer?

        In the US the 'Binner/Beemer' was traditionally directed at the 3-Series vehicles popular with some of of our least desirable citizenry. It's exceedingly rare to see anything less than a 3-Series here, I've never seen a new one on a lot. It used to be fairly rare to see the 5 and 7-Series cars as well, but they seem to become more popular in direct proportion to the growth in the organized displacement of labor.

        Ha! Holy Shit! That needs to become a standardized measure in economics; the BMW factor. The correlation between the level of finished goods produced in a country compared to the number of 5 and 7-Series BMW's in that country. I would like to propose that measurement be formally developed and added to the El Reg system of weights and measures!

        1. Anonymous Coward
          Anonymous Coward

          Re: Beamer?

          > It's exceedingly rare to see anything less than a 3-Series here

          Not in the US itself, but the 1-series seems to be fairly popular amongst Merkins stationed in Germany, I'm led to believe.

          I agree about the 3-series being essentially a chavmobile.

          Same goes for the 5-series really. While I like the smoothness of the eight-gear automatic transmission, thanks to rear wheel drive they're fucking annoying to drive, especially in the winter if you live in a cold, icy place. It's also telling of what their intended audience is if you read on the manual (3- and 5-series) the bit explaining the presence of a "traditional" handbrake (which is unusual in higher-range cars: it's electric and mostly automatic on Audis, and pedal-based on Mercedes): the more or less explicit rationale is so that you can do handbrake turns. :-/

          With that said, one should not generalise too much: the 3-series is a relatively good car for a relatively affordable price and station wagons make for decent middle-class family vehicles. Especially if they like handbrake turns.

  10. theOtherJT Silver badge

    This is why I like my old BMW.

    It comes with this thing called a "Key" which I keep on my person at all times. The car is remarkably hard to open or start without it.

    1. Anonymous Coward
      Unhappy

      Re: This is why I like my old BMW.

      Yup, that's why YOU are the easiest way of gaining access. Lot harder to disable an immobiliser than the owner.

    2. John Tserkezis

      Re: This is why I like my old BMW.

      "It comes with this thing called a "Key" which I keep on my person at all times. The car is remarkably hard to open or start without it."

      Not really. If you're willing to limit the type of vehicle you wish to aquire, a half brick and a screwdriver will do nicely.

      1. Anonymous Coward
        Anonymous Coward

        Re: This is why I like my old BMW.

        Actually, either of them applied correctly to the keyholder will get you access to AND full control privileges over more or less any car :)

    3. Anonymous Coward
      Anonymous Coward

      Re: This is why I like my old BMW.

      > The car is remarkably hard to open

      Have you heard of clay-based Improvised Entry Devices, otherwise known as bricks?.

  11. Anonymous Coward
    Anonymous Coward

    Selling the Car

    What happens when the original owner sells the car? How can the new owner be sure the seller has deleted all installed apps on all his phones, thus has no more access to the car? Can you disable individual phones from the dashboard/display?

    Does the new owner need to phone the call centre to create an account and register the car? What's to stop anyone doing that - current means for stealing some up-market cars is go to a delaer in a foreign country and request a new key. Sounds like something similar mayb be possible here. Mind you, why a new key works without being programmed into the car is something of a security oversight.

    1. John Tserkezis

      Re: Selling the Car

      "What happens when the original owner sells the car?"

      The previous owner would need to reliquish the old password, then it would be smart if the new owner changed it.

      However, if past experience is anything to go by, that's not going to happen. (as per the anti-theft four digit car radio code that disables the radio when removing the battery).

      The new owner will have to go to a dealer, who then takes a form with suitable identification and VIN number, which then gets passed on to the factory who uses a lookup table for that radio's code, then passes that back to the dealer who gets in touch with the owner. Six years later, the ower has sold it to someone else and doesn't care anymore because he pulled out the factory radio and replaced it since then anyway.

      This is the same, except the remote functionality is never used, and the car operates much in the same way as any other car. And this bit I learned the hard way: If you're sold a car, that is claimed it drives like any other car, the manufacturer is under no obligation to fix any other special features - because they don't stop it from being a "car".

    2. DaLo

      Re: Selling the Car

      "Can you disable individual phones from the dashboard/display?"

      That would make this system a lot more secure, if an individual mobile had to be verified and activate from the car with the ignition turned on. You wouldn't be able to load the app onto any other phone then and use it as the mobile would not be verified.

    3. Irongut

      Re: Selling the Car

      You're not supposed to sell the car. You're supposed to scrap it and buy a new one.

      BMW don't make any money from second hand sales so why should they make it secure for a new owner? (their probable opinion, not mine)

      1. Don Jefe

        Re: Selling the Car

        BMW, like all other production car manufacturers generate an enormous portion of their operating revenue and have their highest margin products targeted directly at the used car market.

        Ideally you trade your BMW back in at the dealership where you bought it and BMW will be more than happy to merge your existing negative equity with your new negative equity. But if you're going to be difficult they'll just get you on the genuine BMW parts and fluids most BMW owners demand. There's fuck all money in new car sales. In 2002 BMW surpassed the $2k per car holy grail in new auto manufacturing. Most production manufacturers tend to hover around the $6-700 per car range. Trade ins, financing, service and parts is where the money is. New cars and game consoles have the same business models with the difference being margins on the post sale products.

  12. Jim 59

    Using smart phones to control cars

    No.

    1. Don Jefe

      Re: Using smart phones to control cars

      Is it any different than an RF radio on your keychain? I can actuate the door locks, open or close the windows and sunroof, move the seats to preassigned configurations, start and turn off the engine and mute the radio if I left the volume to high the night before, so as not to disturb the neighbors with my music while the car is warming up. It's nice because it wasn't so long ago that the key fob was just a transmitter and you had to look out the window to verify the car received your commands. Now the fob is a two way radio and provides command verification without anyone having to look out the window.

      Furthermore, the person with the key fob has control of the vehicle. Full stop. No passwords, biometrics, test questions or social engineering required. You are logged in simply by possessing the fob. With the exception of command verification, none of that is new technology. I'm not sure how using that technology via a smartphone instead of 30 year old key fob tech is any different.

  13. Inachu

    A video out already shows 2 young men using brute force wireless hacking to unlock cars.

    I wonder if they have been caught yet.

    Security will get worse before it gets better.

  14. Daniel B.
    Devil

    PINs and Smartphones

    If a user is mad enough not to have a [screen unlock] PIN on their device

    Ah, haven't met many smartphone owners? A lot of them don't have any kind of password/PIN protection, and those who do still use the old 4-digit PIN standard. 10k attempts should be feasible!

This topic is closed for new posts.

Other stories you might like