Password Security: UK Spike In BMW Thefts Because Of Bad Security Implementation.

Ok, so this has absolutely nothing to do with BYOD or data encryption software but I thought it was interesting that BMWs can be stolen because they don’t have a password.  And when I write that “BMWs can be stolen because of passwords,” I’m not referring to some ultra-secret BMW project to sell laptop and smartphones (although I am aware that BMW sells non-automotive products, such as bicycles.  Note that I said “sells” and not “manufactures”).


I’m talking cars being stolen for the lack of a password.  (Heh heh…does this mean they need drive encryption software from AlertBoot?  My last pun for this blog post.  I promise.)


BMW Kinda Admits to Problem



According to an article at zdnet.com, the BMWs in question are keyless, and they’re being stolen without “activating car alarms or immobilizers because the thieves are hacking their way into the vehicles.”


Hacking?  That’s right.  The procedure for stealing the cars is not a straightforward one and does require technical sophistication; however, based on the description, there’s nothing to stop thieves if they know what they’re doing.  In fact, there’s a video of it.


The video is described by zdnet.com:



In this particular video, there are a few security flaws that the hackers are exploiting simultaneously: there is no sensor that is triggered when the thieves initially break the window, the internal ultrasonic sensor system has a “blind spot” just in front of the OBD port, the OBD port is constantly powered (even when the car is off), and last but not least, it does not require a password. All of this means the thieves can gain complete access to the car without even entering it.


The ODB refers to the On-Board Diagnostic program, and it’s believed that the thieves are using it to create a new key fob.


BMW for its part has partially admitted that there is a problem, per zdnet.com.  Personally, I’d say that BMW has admitted to there being no problem, but I guess it’s a matter of interpretation:



BMW has acknowledged that there is a problem, but is downplaying this particular issue by saying the whole industry struggles with thievery.


Isn’t that just admitting that thieves steal cars?  I don’t see how BMW is admitting a problem.


Jalopnik’s Report Better



The site jalopnik.com has a better description of what’s actually going on.  It includes this particular nugget (my emphasis):



All cars sold in Europe must permit open and unsecured access to OBD codes, so non-franchised mechanics and garages may read the codes. BMW is not the only car company to allow key code access through the OBD port, but the recent rash of BMW thefts, compared to other makes, suggests another factor may be at play, possibly a good supply of blank BMW key fobs.


Therein lies the explanation why passwords are not protecting the OBD port, and why BMWs are being stolen.  The site also notes that BMW “are apparently being stolen in the UK in far greater quantities than would normally occur, and there appears to be a security hole that is being exploited.”


This does not necessarily mean that there is a problem with BMWs.  For example, maybe stolen BMWs are in greater demand, so thieves are targeting BMWs over other luxury cars despite BMW doing a better job, security-wise (not that this is necessarily the case.  I’m just tossing it out there as an explanation).


Is there a solution for this problem?  The only realistic one so far: disabling the OBD port (or “providing extra physical security” although I can’t think of any.  Superglue, maybe?).


When I first heard of the password problem, I immediately thought that this was a case of the car’s designers not thinking about security.  After all, who’d have thought you could steal a car by accessing any kind of on-board diagnostic computer? (Obvious answer: car thieves.)


But, under the circumstances, it looks like it’s the law, attempting to impose laws targeting anti-competitive practices, that’s allowing this unforeseen consequence.



Related Articles and Sites:
http://news.slashdot.org/story/12/07/10/1657203/hackers-steal-keyless-bmw-in-under-3-minutes



Comments (0)


Let us know what you think