BMW M3 Forum (E90 E92)

      12-30-2009, 12:31 PM   #1
smiwi

Anyone heard of a Universal Chip for Starting BMWs with Push-Start Buttons???

My daughter's boyfriend bought a 335 a little over a week ago and had it stolen on Monday. They caught the guy and supposedly he had a key fob with a chip that will allow you to start any BMW with a push-start button.

It seems incredible to me that this would be true. If so, this would be a significant security hole that is being exploited by chop shops.

Unfortunately, the car was immediately disassembled and sold to local part shops so there is no recovering the car.

This makes me very concerned that my M3 is at high risk of being stolen. I thought the security on these cars was really good...

Has anyone else heard of this?
__________________

2009 E93, Every option...
      12-30-2009, 12:44 PM   #2
JCtx

Read a long thread about that issue a while ago but didn't happen in the US... if memory serves me right. Remember it was inconclusive, since nobody saw the car being driven off.

This one is more disturbing for sure, as it happened here in the US, and comes from a member of this board. Are you sure car was driven off and not towed or something?

This is the perfect opportunity to say this one more time: Why in the world don't we get a freaking key like Porsches, and even Ferraris? It's cheaper and safer. Please keep us posted.
      12-30-2009, 12:57 PM   #3
808MGuy

Quote:
Originally Posted by elp_jc View Post
Read a long thread about that issue a while ago but didn't happen in the US... if memory serves me right. Remember it was inconclusive, since nobody saw the car being driven off.

This one is more disturbing for sure, as it happened here in the US, and comes from a member of this board. Are you sure car was driven off and not towed or something?

This is the perfect opportunity to say this one more time: Why in the world don't we get a freaking key like Porsches, and even Ferraris? It's cheaper and safer. Please keep us posted.
I wouldn't exactly say it's safer as a key is probably easier to bypass than an electronic security countermeasure.
__________________
2016 Porsche Cayman GTS - Sapphire Blue / Black Full Leather Interior / Carrera S Wheels
      12-30-2009, 01:26 PM   #4
Memphis1

http://news.cnet.com/Gone-in-60-seco...3-6069287.html
__________________
      12-30-2009, 01:32 PM   #5
smiwi

They caught the guy on video - he drove it away...
__________________

2009 E93, Every option...
      12-30-2009, 01:51 PM   #6
bills742

Very scary if this is possible
__________________
'08 M3 JB DCT Coupe /// DTEC Cree LED Angel Eyes / Mtech Super White Cornering Lights / Matte Black Kidneys & Gilles / 35-40% FormulaOne Pinnacle / VRS Boot / VRS II Diffuser / AA exhaust / Fabspeed HFC & X-pipe / Eibach Springs / RDSport Front Bumper / 19" Satin Charcoal HRE P40 / RPI Scoops / PSW (Non-electronic) / BMW Stainless Steel Pedals / LeatherZ Alcantara Boots
      12-30-2009, 02:13 PM   #7
novablackm3

40 bit security ain't shit!
__________________
Huracán Performante 18- Novitec Springs | RR SVR 19 | G05 X5 M50i | E70 11 X5M retired |
Jerez Black E92 10 m3 RE SSK | AFE Filter | Fabspeed XFC / Xpipe | AA ECU 1.5v | BMW PSW | Envy Charger | Megan Exhaust
      12-30-2009, 02:58 PM   #8
Finnegan

Quote:
Originally Posted by memphis2012 View Post
Like someone already said, 40 bit encryption is pretty much useless. I had no idea BMW and others were using this. 128 bit is probably minimal these days; 256 even better.

If I'm reading the article above and results from the Czech thief's methods correctly once a car-hacker has several working keys (scanned from fobs) breaking into cars becomes pretty easy. I'm guessing the actual keys aren't that much different car to car and probably have the same basic value (I'm no encryption expert but that stands to reason given this seems to be possible).

So the only "additional protection" offered is to wrap the keyfob in tin foil? "The authors also suggest that car owners wrap their keyless ignition fobs in tin foil when not in use to prevent active scanning attacks...." So I need to put a tinfoil hat on my keyfob--slick!

But if all it takes is just a laptop with a set of "good" keys then keyfob scans wouldn't be needed after reading several and successfully hacking several cars. If that's the case the tin foil isn't going to do a thing.

And the point about limiting the ignition's fob reading range isn't something that's as easy as tinfoil hat on the keyfob isn't going to do a thing.

I hope some of our tech-experts can weigh in on the actual threat level presented and some tips (if any are possible) for improving security. Based on the Hopkins study it looks like this is an issue and will just get worse with time.
      12-30-2009, 03:23 PM   #9
asheesh88

Hi all,

I wonder if the factory anti-theft option would serve as a second line of defense against this type of attack, or would it simply be disabled by the false signal sent from the clone.

Thanks,

Asheesh
      12-30-2009, 03:23 PM   #10
mkoesel

It sucks, and is basically a failure on the OEMs. However, until this becomes a rampant problem, I am not too concerned. Not to sound overly aloof but if this were really a huge issue, then the top stolen cars definitely would not be such common everyday cars. They'd be expensive cars that the thieves can break into with this magic key.
      12-30-2009, 03:56 PM   #11
JCtx

Quote:
Originally Posted by 808MGuy View Post
I wouldn't exactly say it's safer as a key is probably easier to bypass than an electronic security countermeasure.
I'm talking a modern key, with a chip inside, which doesn't transmit crap over the air, like a wireless 'key' like ours. And yes, nothing will stop a determined thief with time to spare, but stealing a car with a coded key is definitely harder than a keyless one.

Just to understand this issue, I have 2 questions: First, most modern garage door openers have 'rolling codes', where you can transmit the same frequency with the 2nd remote, but if not 'coded', it won't open the door, making them supposedly 100% safe. Is this what our M3s have? If so, what's the level of encryption on modern garage door openers? And is ours 64bits for sure? Just want to compare it to something we all are familiar with. Thx.
      12-30-2009, 03:59 PM   #12
jrlee53

I'm getting me one of these, fully armed

__________________


2003 Cobra -> 2010 BMW e90 M3 - Space Grey - Black on Carbon Leather Int. - BRILLIANT CAR!!
      12-31-2009, 03:55 AM   #13
mexicanmike

The article linked to is almost 3 years old, can BMW really still only be using 40 bit encryption? 40 bit is useless!!! But anyway, kinda scary... However, wouldn't a good experiment be to crack the code, then write an iPhone app to start your car? Hmm, found a new project.
      12-31-2009, 07:59 AM   #14
kmarei

doesn't this only apply to cars that have comfort access?
on my car (No CA) the key has to be inserted into the ignition slot for the start button to work
      12-31-2009, 08:47 AM   #15
Fanta

User key and on-board computer are paired. What will happen swapping both devices?
      12-31-2009, 08:56 AM   #16
ihyln

There was a video posted on the M forums of an E92 being stolen. They broke in, popped the hood, replaced the ECU, and drove off. I'd be better off putting a boot on my car instead of an alarm.
      12-31-2009, 12:36 PM   #17
Finnegan

Quote:
Originally Posted by kmarei View Post
doesn't this only apply to cars that have comfort access?
on my car (No CA) the key has to be inserted into the ignition slot for the start button to work
That would make it more difficult. But thieves could unlock the car and defeat the alarm. I don't see how they could drive it off however. So they'd probably move on to another target. Thieves want fast/easy access.

I've been thinking about this a bit. Aside from the crummy 40 bit encryption, the method of gaining access may provide an answer in beefing up security. Feel free to read on (or not) re: my musings on this topic. Feel free to shoot holes in it as well....I'm just thinking out loud.

The Czech thief as well as the guys in the US study (one of the links above) seemed to have procured access to several [encryption] keys, and since he had a basis to start with he'd just run through a brute force attack (rolling through code after code) until he hit the right one. The stolen "keys" didn't give instant access if I understand correctly; he still had to go through a lot of attempts (albeit quickly) to gain access.

It occurs to me that the system should have a lock-out feature. If you fail to enter the right key sequence several times the system should just shut down for a period, say an hour or so, or stay locked out until the owner calls BMW Assist. This is similar to what happens if you fail on login to most secure systems--they don't allow you to keep hacking away. This approach might defeat the brute force attacker who is just rolling through the codes trying to find one that works (it wouldn't work if your fob were "sniffed" though).

Since this doesn't require a change to hardware (fob, reader, etc.) it might be possible to add this feature via programming. Note I say "might" as I have no idea what can/can't be done with our ECU and/or the reader/encryption modules. If this were possible to "fix" with a programming change BMW or an enterprising vendor could come up with a marketable solution...

The "flaw" in this thinking is how to prevent the thing from shutting down inappropriately. The system must reject a fair number of codes given a number of BMW and other fobs on the market in a normal day as folks pass by the car, etc.--it wouldn't be a good idea to shut things down due to these "normal" failed attempts....I'm sure there's a pretty good way to set a threshold though between failed attempts per time period (10 seconds, 15 seconds, etc.) to discern "normal" vs. "attack" status. Another flaw may be that the 40 bit encryption is so weak that it doesn't take much "brute" or "force" to find the next key sequence if you've got a good database of stolen data on hand....

Fire away folks!
      12-31-2009, 01:02 PM   #18
808MGuy

Quote:
Originally Posted by Finnegan View Post
That would make it more difficult. But thieves could unlock the car and defeat the alarm. I don't see how they could drive it off however. So they'd probably move on to another target. Thieves want fast/easy access.

I've been thinking about this a bit. Aside from the crummy 40 bit encryption, the method of gaining access may provide an answer in beefing up security. Feel free to read on (or not) re: my musings on this topic. Feel free to shoot holes in it as well....I'm just thinking out loud.

The Czech thief as well as the guys in the US study (one of the links above) seemed to have procured access to several [encryption] keys, and since he had a basis to start with he'd just run through a brute force attack (rolling through code after code) until he hit the right one. The stolen "keys" didn't give instant access if I understand correctly; he still had to go through a lot of attempts (albeit quickly) to gain access.

It occurs to me that the system should have a lock-out feature. If you fail to enter the right key sequence several times the system should just shut down for a period, say an hour or so, or stay locked out until the owner calls BMW Assist. This is similar to what happens if you fail on login to most secure systems--they don't allow you to keep hacking away. This approach might defeat the brute force attacker who is just rolling through the codes trying to find one that works (it wouldn't work if your fob were "sniffed" though).

Since this doesn't require a change to hardware (fob, reader, etc.) it might be possible to add this feature via programming. Note I say "might" as I have no idea what can/can't be done with our ECU and/or the reader/encryption modules. If this were possible to "fix" with a programming change BMW or an enterprising vendor could come up with a marketable solution...

The "flaw" in this thinking is how to prevent the thing from shutting down inappropriately. The system must reject a fair number of codes given a number of BMW and other fobs on the market in a normal day as folks pass by the car, etc.--it wouldn't be a good idea to shut things down due to these "normal" failed attempts....I'm sure there's a pretty good way to set a threshold though between failed attempts per time period (10 seconds, 15 seconds, etc.) to discern "normal" vs. "attack" status. Another flaw may be that the 40 bit encryption is so weak that it doesn't take much "brute" or "force" to find the next key sequence if you've got a good database of stolen data on hand....

Fire away folks!
Modern aftermarket car alarms and garage door openers use the same type of rolling code technology but I'm not sure what they do to counter a mass of codes thrown at it as an attack. The issue with the rolling code technology is that it uses a pre-determined algorithm for the receiver to calculate what code to expect next and what code the transmitter will send next. If you press the transmitter while you're out of range from the receiver, the two will be out of sync. But the technology does have the ability to resync based on the code transmitted and the code expected. The algorithm can be confirmed and the transmitter and receiver will then resync to a common code. This is how it works for aftermarket car alarms and garage door openers. Now if the system is constantly transmitting like in the case of the OEM fob, I'm not sure how that works and when the code changes. But let's say somehow the code changes when the transmitter is out of range from the receiver, you will have to resync again. There will have to be a way for the receiver to know the difference between a random out of sync code and a full blown attack.

It seems that it's not so much the code that needs to be guarded but the method of changing and recognizing the code. Better encryption could help that but encryptions are relatively easy to break unless they are constantly updated. Maybe we should just go to biometrics at this point.
__________________
2016 Porsche Cayman GTS - Sapphire Blue / Black Full Leather Interior / Carrera S Wheels

Last edited by 808MGuy; 12-31-2009 at 02:07 PM..
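
The resync window and failed-attempt lockout discussed in posts #17 and #18, sketched as an added example that is not part of the thread and not BMW's or any vendor's actual scheme. The HMAC-based code generation, the 16-press window, the 5-failures-in-10-seconds threshold and the one-hour lockout are all assumptions chosen for illustration.

```python
import hashlib
import hmac

CODE_BYTES = 5  # 40-bit over-the-air code; size picked only to echo the thread


def rolling_code(key: bytes, counter: int) -> bytes:
    """Code for one button press: truncated HMAC-SHA256 (assumed construction)."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return mac[:CODE_BYTES]


class Receiver:
    def __init__(self, key, window=16, max_failures=5, period=10.0, lockout=3600.0):
        self.key = key
        self.counter = 0              # last counter value accepted
        self.window = window          # presses the fob may be ahead of the car
        self.max_failures = max_failures
        self.period = period          # seconds over which bad codes are counted
        self.lockout = lockout        # seconds to refuse everything after a burst
        self.failures = []            # timestamps of recent bad codes
        self.locked_until = 0.0

    def receive(self, code: bytes, now: float) -> str:
        if now < self.locked_until:
            return "locked"
        # Search forward only, so a code at or behind the counter (a replay) fails.
        for step in range(1, self.window + 1):
            expected = rolling_code(self.key, self.counter + step)
            if hmac.compare_digest(code, expected):
                self.counter += step  # resync to the fob
                self.failures.clear()
                return "accepted"
        self.failures = [t for t in self.failures if now - t < self.period]
        self.failures.append(now)
        if len(self.failures) >= self.max_failures:
            self.locked_until = now + self.lockout
            self.failures.clear()
            return "locked"
        return "rejected"


def demo() -> list:
    key = b"constructed-demo-key"     # constructed sample secret
    car = Receiver(key)
    sniffed = rolling_code(key, 1)    # fob's 1st press, also captured by a listener
    results = [
        car.receive(sniffed, now=0.0),               # normal unlock
        car.receive(sniffed, now=1.0),               # replay of the captured code
        car.receive(rolling_code(key, 6), now=2.0),  # presses 2-5 were out of range
        car.receive(b"\x00" * 5, now=100.0),         # stray code from another fob
        car.receive(b"\x01" * 5, now=5000.0),        # another stray, much later
    ]
    for i in range(5):                               # burst of guesses in 5 seconds
        burst = car.receive(bytes([i + 2]) * 5, now=6000.0 + i)
    results.append(burst)
    results.append(car.receive(rolling_code(key, 7), now=6010.0))  # real fob, locked out
    results.append(car.receive(rolling_code(key, 8), now=9604.0))  # lockout expired
    return results


if __name__ == "__main__":
    print(demo())
```

The second-to-last result is the trade-off raised in post #17: while the receiver is locked out, the owner's own fob is refused too. A lockout of this kind only slows guessing against the receiver and does nothing once the shared secret itself is known to someone else.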
      12-31-2009, 01:32 PM   #19
Finnegan

Interesting. So thumb print scanner or something along those lines?

Thanks for the details on how this/garage systems work. I learned something today. Cool!
      12-31-2009, 02:08 PM   #20
808MGuy

Quote:
Originally Posted by Finnegan View Post
Interesting. So thumb print scanner or something along those lines?
Yup. But if you watch Mythbusters, you know that can be broken too!
__________________
2016 Porsche Cayman GTS - Sapphire Blue / Black Full Leather Interior / Carrera S Wheels
      12-31-2009, 02:16 PM   #21
driverwannabe

I put a steering wheel lock on with the tires turned in to the curb - I did this on my Mustang vert for years and left the car open. Thieves just pick another car.
      12-31-2009, 02:33 PM   #22
MN M3

From what I have read and learned, there is a lot of misinformation going on here.

The keyless entry system used by BMW is not 40-bit encoded, as stated earlier. It is currently 256-bit, so I've read. And, it does use rolling code technology. You cannot simply sit somewhere with a "scanner," grab the code, program a replacement key, and drive off in the car. What IS happening, especially in Europe, is that someone will break into the car, pop the hood, and replace the ECU with one that is keyed to a set of replacement keys that they already have. This isn't a "Gone in 60 Seconds" kind of theft - it takes time, a lot of computer skill, and a crew to do it. The average thug isn't doing this kind of theft - it is being done by professional crews, mostly on cars left out in the open. I haven't heard of a case here in the US, but it is happening in Europe, probably because replacement parts (like the kind needed to pull this off) are more readily available on the market than they are here. Plus, the M3 is such a low volume car in the US that it isn't very likely to happen. You have a much larger chance of being carjacked than this happening.

Bottom line - if a pro REALLY wants your car, he'll get it. There is nothing that is 100% effective against a theft attempt except for an armed owner blowing the brains out of whomever is making the try.
__________________
2009 E92 M3 - Jerez Black/Black w/ black carbon leather interior, 6 spd., Cold, Premium, Technology, 19" OZ Racing wheels (black), iPod/USB. Mods: aPe air filter, Borla exhaust, H&R sport springs, UUC Evo3 SS w/ DSSR, Power Pulley Kit, carbon kidney grills, Vorsteiner front air dam, carbon side gills, smoked side markers