Potatoes
2,285 posts
40 months
aeropilot said: Potatoes said: aeropilot said: None of these responses from BMW seem keen on addressing what I consider to be the prime flaw in BMW's security.
Good, I don't want my insurance company finding out about it.
Too late for that, as Thatcham have already been contacted from a post here, so whether they downgrade the OEM security rating or not, it will automatically be passed into the insurance system ratings.
Bugger.
jonjay
59 posts
87 months
I have emailed BMW responding to the email they sent me earlier.
Dear Customer Services Manager,
First and foremost thank you very much for your reply.
Although I appreciate that BMW products comply with all global safety and security requirements and that BMW are not responsible for the criminals of this world, it does not excuse the fact that there is a serious security flaw in the car's design. For this I do hold BMW accountable, as it is your responsibility to the customer that your security does its best "to ensure our products remain in the hands of the right owners." I do not categorise creating cloned keys with 3rd-party devices, and the alarm not sounding, as a reasonable level of security.
I still have the following questions and I have CC’ed Thatcham into this email as they certified your alarms so may have answers to one of the questions.
1) Why did my car alarm not go off? One assumes that with the car being Thatcham approved, any forced entry into my vehicle should have caused the alarm to sound.
2) The OBD port should not allow access to cut new keys without some form of two-factor authentication and a strong encryption requirement taking place. As with any legislation, interpretation through to its implementation and appropriate implications should be considered to protect the vehicle and its owner. I fail to see the need for any key to be cut outside of a BMW garage; please can you point me in the right direction on what part of EU legislation states this?
3) What is the Block Exemption Regulation?
4) What are BMW doing to investigate this flaw? I am concerned you have not requested any further information from me as to my specific case.
As a first-time buyer of BMW I am extremely disappointed that the car was stolen without at the very least the alarm being sounded. I am also extremely worried, not only for my own sake but for other BMW owners' cars, that keys can be copied with such ease.
Not only am I now deprived of a car that I invested a large amount of money into, my insurance premiums will increase dramatically. What can BMW do to restore my faith in your brand? By your response below, you have stated you are aware of these problem(s), so are you suggesting I do not buy another BMW?
I look forward to your response.
Yours sincerely, JonJay
LooneyTunes
2,507 posts
28 months
jonjay said: The On-Board Diagnostics port is a method our engineers use to access the car's data bank and carry out routine servicing. It has to be in a location that allows for the day to day servicing of a vehicle. The alarm systems of a car are designed to protect the vehicle and alert the owner should there be an intrusion. It is also an EU legislative requirement to have the OBD port accessible in the passenger compartment.
Surely not? What possible reason is there for legislation on the location of a diagnostic port??? Oh, hang on, Europe...
One does wonder what they're actually going to be able to do about all this any time soon.
Still, if the car's going to go, I suppose I'd prefer it to vanish quietly than have folk "requesting" the keys as seemed to be happening with Audi RSx's not too long ago.
D_G
1,423 posts
79 months
LooneyTunes said: Surely not? What possible reason is there for legislation on the location of a diagnostic port??? Oh, hang on, Europe...
One does wonder what they're actually going to be able to do about all this any time soon.
Still, if the car's going to go, I suppose I'd prefer it to vanish quietly than have folk "requesting" the keys as seemed to be happening with Audi RSx's not too long ago.
TBH the location of the OBD socket is irrelevant; the separation between the hardware connected to it and the security system software is the key factor.
Deva Link
26,934 posts
115 months
Slippydiff said: The issue IS affecting Mercedes, Audi, VW AND BMW. It would appear it is a production line function that has been unlocked by some very sophisticated thieves.
I currently have a Merc and haven't seen this issue cropping up on Merc forums. What does frequently crop up is people asking if there's any way to get keys other than from MB, but apparently they can only be factory programmed.
LooneyTunes said: Still, if the car's going to go, I suppose I'd prefer it to vanish quietly than have folk "requesting" the keys as seemed to be happening with Audi RSx's not too long ago.
Yep - a mate of mine got rid of his after being mugged a second time for the keys.
ITP
450 posts
67 months
Why can't the OBD just be set as 'dead' unless the real key is in the ignition? A bit like not being able to turn your radio on without the key, for example!
When your car is in for service they have your real key anyway, so all this tosh about dealers needing to access the port for servicing is no excuse; they would just have the massively time-consuming problem of putting the key in first...
c3m
102 posts
21 months
ITP said: Why can't the OBD just be set as 'dead' unless the real key is in the ignition? Bit like not being able to turn your radio on without the key for example!
I thought of that when reading the thread, basically - why should the OBD port even work if a key is not in the ignition? Problem with that is imagine the scenario where you've lost all of your keys (for whatever reason) - then there would be no way to program new keys via the OBD.
But then I have to question the need to be able to program keys via the OBD port at all; this either seems a serious oversight (if it's a feature) or a security flaw. Keys should not be programmable via the OBD port, period. I don't know the security details of how the actual keys work in terms of authentication, but public-key cryptography solved this problem of authenticity verification 34 years ago (well, assuming the crooks don't have access to quantum computers). All BMW needs to make sure is that they generate a key pair for each car and securely store the private key (which will be used to generate new physical keys) and store the public key in the car for verification purposes. It seems that this is how the system works from previous replies, so the real flaw seems to be - why and how are new keys programmable via the OBD port?
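To make the scheme c3m sketches concrete (a key pair per car, the private half held by the manufacturer, the public half in the car, new keys only valid if issued against it), here is an added example; it is not BMW's system and not code from c3m's post. It goes one step beyond the post, as an assumption: each physical key also carries its own key pair, the manufacturer's signature binds that key's public half to the chassis number, and the car challenges the key on every start, so public data copied off the OBD bus is not enough to drive away. The VIN is constructed, and the signature scheme is a toy textbook RSA on small Mersenne primes standing in for a real scheme such as Ed25519; only the enrolment and authentication logic is the point.

```python
import hashlib
import secrets

# Toy textbook RSA on small Mersenne primes, no padding: INSECURE, a stand-in
# for a real signature scheme such as Ed25519. Only the protocol logic matters.
MERSENNE = {k: 2**k - 1 for k in (31, 61, 89, 107, 127)}   # all prime
E = 65537


def toy_keypair(p, q):
    """Return (public, private) = ((n, e), (n, d)) for distinct primes p, q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


def _digest(n, *parts):
    msg = "|".join(str(x) for x in parts).encode()   # labelled message parts
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def toy_sign(priv, *parts):
    n, d = priv
    return pow(_digest(n, *parts), d, n)


def toy_verify(pub, sig, *parts):
    n, e = pub
    return pow(sig, e, n) == _digest(n, *parts)


class ManufacturerVault:
    """Per-car signing keys held by the manufacturer (in practice in an HSM)."""
    def __init__(self):
        self._priv = {}

    def register_car(self, vin, p, q):
        pub, priv = toy_keypair(p, q)
        self._priv[vin] = priv
        return pub                      # burned into the immobiliser at build

    def issue_credential(self, vin, key_pub):
        # 'Cutting' a key: sign (VIN, key's public key) with this car's key.
        return toy_sign(self._priv[vin], "enrol", vin, *key_pub)


class PhysicalKey:
    """A transponder holding its own key pair plus the manufacturer's credential."""
    def __init__(self, p, q, credential=None):
        self.pub, self._priv = toy_keypair(p, q)
        self.credential = credential

    def answer(self, challenge):
        return toy_sign(self._priv, "auth", challenge)


class Immobiliser:
    """Car side: knows its VIN and the manufacturer's public key, nothing secret."""
    def __init__(self, vin, maker_pub):
        self.vin, self.maker_pub = vin, maker_pub
        self.enrolled = set()

    def program_key_via_obd(self, key_pub, credential):
        """An OBD 'add key' request is honoured only with a valid credential."""
        if credential is None or not toy_verify(
                self.maker_pub, credential, "enrol", self.vin, *key_pub):
            return False
        self.enrolled.add(key_pub)
        return True

    def start(self, key):
        """Challenge-response: the key must prove it holds the private half."""
        if key.pub not in self.enrolled:
            return False
        challenge = secrets.token_hex(16)
        return toy_verify(key.pub, key.answer(challenge), "auth", challenge)


def scenario():
    """Enrol a genuine key, then try a thief's OBD tool and a cloned key."""
    vault, vin = ManufacturerVault(), "WBAEXAMPLE000001"      # constructed VIN
    car = Immobiliser(vin, vault.register_car(vin, MERSENNE[61], MERSENNE[89]))
    owner = PhysicalKey(MERSENNE[107], MERSENNE[127])
    owner.credential = vault.issue_credential(vin, owner.pub)
    r = {"owner_enrol": car.program_key_via_obd(owner.pub, owner.credential)}
    r["owner_start"] = car.start(owner)
    # Thief's OBD programmer: a blank key with no credential, then one signed
    # with a key pair the thief controls rather than the manufacturer's.
    thief = PhysicalKey(MERSENNE[31], MERSENNE[127])
    _, forged_priv = toy_keypair(MERSENNE[31], MERSENNE[61])
    r["thief_unsigned"] = car.program_key_via_obd(thief.pub, None)
    r["thief_forged"] = car.program_key_via_obd(
        thief.pub, toy_sign(forged_priv, "enrol", vin, *thief.pub))
    # Clone: owner's public key and credential copied off the bus, but not the
    # private half, so enrolment succeeds yet the car will not start.
    clone = PhysicalKey(MERSENNE[31], MERSENNE[89], owner.credential)
    clone.pub = owner.pub
    r["clone_enrol"] = car.program_key_via_obd(clone.pub, clone.credential)
    r["clone_start"] = car.start(clone)
    return r
```

Calling scenario() shows the owner's key enrolling and starting the car, a blank or self-signed key offered over OBD being refused, and a clone built from the owner's public data enrolling (harmlessly) but never starting the car. The lost-all-keys case c3m raises is covered as well: the manufacturer can still issue a fresh credential for that VIN and the OBD port can remain the delivery route, but the port itself cannot mint anything the car accepts.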
jonjay
59 posts
87 months
c3m said: I thought of that when reading the thread, basically - why should the OBD port even work if a key is not in the ignition? Problem with that is imagine the scenario where you've lost all of your keys (for whatever reason) - then there would be no way to program new keys via the OBD.
But then I have to question the need to be able to program keys via the OBD port at all, this either seems a serious oversight (if it's a feature) or a security flaw. Keys should not be programmable via the OBD port, period. I don't know the security details of how the actual keys work in terms of authentication but public-key cryptography solved this problem of authenticity verification 34 years ago (well, assuming the crooks don't have access to quantum computers). All BMW needs to make sure is that they generate a key pair for each car and securely store the private key (which will be used to generate new physical keys) and store the public key in the car for verification purposes. It seems that this is how the system works from previous replies, so the real flaw seems to be - why and how are new keys programmable via the OBD port?
Couldn't agree more with you. You should not be able to program any key via an OBD port. In the event someone loses their keys then the car has to go back to BMW and they will order them for you at a cost. As for encryption, I stated this in my email to them (see above). I cannot believe that EU legislation makes this mandatory? I believe BMW are trying to use it as an excuse for the interim period until they find a fix and/or someone catches them out in the media. I am very surprised Watchdog have not picked up on this.
NelsonR32
656 posts
41 months
Slippydiff said: The issue IS affecting Mercedes, Audi, VW AND BMW. Absolute rubbish. There have been no reported Audi cases. You must work for BMW or something.
Cheib
6,503 posts
45 months
Deva Link said: Slippydiff said: The issue IS affecting Mercedes, Audi, VW AND BMW. It would appear it is a production line function that has been unlocked by some very sophisticated thieves. I currently have a Merc and haven't seen this issue cropping up on Merc forums. What does frequently crop up is people asking if there's any way to get keys other than from MB but apparently they can only be factory programmed. LooneyTunes said:
I think that's a problem for new physical keys, i.e. ones that also have an actual metal key, rather than just programming them.
If you want a new BMW key, they are apparently cut at Thorne (i.e. where all the new BMWs in the country are distributed from) and then sent to the dealer, where the key is electronically paired with the car. At least that's what I was told when we needed a new key after my two-year-old dropped ours into the "water feature" in the garden........
LooneyTunes
2,507 posts
28 months
What's with that quote ^^^ Cheib?
I've never mentioned anything about Thorne (whatever/wherever that is???) and don't have a water feature....!
billybob69
672 posts
15 months
LooneyTunes said: Surely not? What possible reason is there for legislation on the location of a diagnostic port??? Oh, hang on, Europe...
It is wrong; it is not a correct fact, and it has been bandied about on other threads on the net. The requirement is that the OBD connector be within 2 feet (0.61 m) of the steering wheel. Some of the stuff said on this thread is tripe. One of the YouTube videos is from 2009, on how to program a car key with the OBD port in the driver's footwell, as it was LHD. It has taken the crooks 3 years to start to steal cars...?
swamp
546 posts
59 months
Sunwest3d
10 posts
14 months
swamp said: That was in 2011, my car was built in 2007? The criteria (Selection Criteria) explain how it works, I guess; where is the 3 Series...
Marshy
2,690 posts
154 months
c3m said: All BMW needs to make sure is that they generate a key pair for each car and securely store the private key (which will be used to generate new physical keys) and store the public key in the car for verification purposes. It seems that this is how the system works from previous replies, so the real flaw seems to be - why and how are new keys programmable via the OBD port?
Just as long as they really do store the private key securely... Can you imagine the scale of cockup resulting from the sort of mistakes the security community suspects a certain three-letter security vendor made a while back? (Sorry for the torturous sentence...)
That would - allegedly - be like a hacker getting hold of a database of all the cars' private keys stored against their chassis number...
InternetStalker
2 posts
21 months
aeropilot said: Too late for that, as Thatcham have already been contacted from a post here, so whether they downgrade the OEM security rating or not means it will automatically be passed into the insurance system ratings. I can confirm that insurers are aware of the problem.
johnwlondon
3 posts
14 months
Just to add to this sorry thread, I had my 2007 BMW 3 series coupe pinched last night (26th April) from the street outside our flat in Hounslow in West London. They got in without taking the keys and no broken glass was found.
c3m
102 posts
21 months
Marshy said: Just as long as they really do store the private key securely... Can you imagine the scale of cockup resulting from the sort of mistakes the security community suspects a certain three-letter security vendor made a while back? (Sorry for the torturous sentence...)
That would - allegedly - be like a hacker getting hold of a database of all the cars' private keys stored against their chassis number...
There's no such thing as perfect security, I agree. If someone has access to them, private keys can leak. But it's the same with your bank's SSL certificates, root CA certificates etc. If VeriSign's or Thawte's root CA private keys leaked, anyone could masquerade as your bank and you wouldn't be able to tell (your browser will still display the Extended Validation security badge). By using your bank's online services, you're implicitly trusting VeriSign / Thawte / whatever. In the same way, you're implicitly trusting BMW to securely hold the private keys of your car. Is it possible that they will be compromised? Absolutely. But the probability is (or should be) absurdly low if properly secured. But then again thousands of large corporations' security systems are appalling - you hear about large breaches at least a couple of times every year.
Sunwest3d
10 posts
14 months
johnwlondon said: Just to add to this sorry thread, I had my 2007 BMW 3 series coupe pinched last night (26th April) from the street outside our flat in Hounslow in West London. They got in without taking the keys and no broken glass was found.
Sorry to hear that John, same model as mine, same situation... this is getting out of control... the way they can steal the vehicle is unreal. They might have known how to copy the key for a couple of years, but they have perfected the way to get entry to the vehicle without sounding the alarm. They probably have people going round London, checking the models they can target, watching you for a few days to know your pattern, and then they strike. A bit like going car shopping... but without having to sort the finance at the end.
Insurance is really getting out of control; they quoted me £1,700 for another 330d 57 plate... and if I want to remap it... £5,500! I hate those thieves with a passion, they have it so easy now after all, and BMW is just staying out of it, claiming the car passed EU safety regulations. If I had a BMW 2-6 years old in the drive or parked in the street I would be very, very worried; it does not happen only to other people, and when it strikes you can say goodbye to your dream BMW and be 3-5K out of pocket!
We need to create a thread to put model, date and location of cars stolen in those circumstances... that might help find a pattern as well as make a case for Watchdog!
B.
Marshy
2,690 posts
154 months
c3m said: There's no such thing as perfect security, I agree. If someone has access to them, private keys can leak. But it's the same with your bank's SSL certificates, root CA certificates etc.
Oh, I very much understand that. Public key crypto *is* the way to do car security IMHO, but only if it's handled right. The compromise of the three letter security firm that should have known better just proves that it's in no way a given that this will be the case.