New BMW's getting stolen using blank BMW keys

AW10

4,412 posts

248 months

Thursday 22nd May 2014
Just had a thought - as they share a lot of the same electronics are BMW-built Rolls Royce cars susceptible?!

Bungleaio

6,323 posts

201 months

Thursday 22nd May 2014
I should think that any vehicle that doesn't need a physical key putting in a lock and turning is vulnerable to being stolen in this way.

Timbuk2

1,953 posts

154 months

Friday 23rd May 2014
Why don't people who are worried disconnect the OBD port or wire it up to a hidden switch so it can be enabled for servicing? Would that work?

MaxPayne

19 posts

139 months

Saturday 24th May 2014
Timbuk2 said:
Why don't people who are worried disconnect the OBD port or wire it up to a hidden switch so it can be enabled for servicing? Would that work?
My guess is that a lot of people like myself don't want to start pulling apart the interior of their cars for risk of voiding their warranty. Also, most people would not be accomplished enough to start adding switches into the wiring of the car.

There is surely a simple way to resolve this...BMW need to change the software so that unless an existing key is present, the OBD port is completely dead and can't be communicated with.

This would mean that independent dealers would still be able to service BMWs (because the owner would obviously leave the key with them) and undesirable scrotes would at least need a key to access the OBD port.

AW10

4,412 posts

248 months

Saturday 24th May 2014
MaxPayne said:
There is surely a simple way to resolve this...BMW need to change the software so that unless an existing key is present, the OBD port is completely dead and can't be communicated with.
The flip side of this would be that if you lost both of your keys the dealer would need to replace one or more electronics modules before he could provide new keys. But perhaps this is a price worth paying?

MaxPayne

19 posts

139 months

Saturday 24th May 2014
AW10 said:
The flip side of this would be that if you lost both of your keys the dealer would need to replace one or more electronics modules before he could provide new keys. But perhaps this is a price worth paying?
I guess that's true but how many people lose both keys? One key maybe, but I would think very, very rarely would anyone lose both keys.

My spare key never leaves the house and so there's almost 0% chance of it getting lost.

RichardM5

1,732 posts

135 months

Saturday 24th May 2014
AW10 said:
MaxPayne said:
There is surely a simple way to resolve this...BMW need to change the software so that unless an existing key is present, the OBD port is completely dead and can't be communicated with.
The flip side of this would be that if you lost both of your keys the dealer would need to replace one or more electronics modules before he could provide new keys. But perhaps this is a price worth paying?
I might be wrong, but I believe this is the issue due to some piece of EU legislation that requires an independent to be able to replace lost keys.

MaxPayne

19 posts

139 months

Saturday 24th May 2014
RichardM5 said:
I might be wrong, but I believe this is the issue due to some piece of EU legislation that requires an independent to be able to replace lost keys.
I don't know if that is true or not, but it seems to leave a pretty big "black hole" in the security system of a car just for the benefit of independent dealers.

If you own a BMW and lose both keys, then you should have to go back to BMW to have whatever modules replaced so that you can purchase 2 new keys.

Timbuk2

1,953 posts

154 months

Saturday 24th May 2014
MaxPayne said:
Timbuk2 said:
Why don't people who are worried disconnect the OBD port or wire it up to a hidden switch so it can be enabled for servicing? Would that work?
My guess is that a lot of people like myself don't want to start pulling apart the interior of their cars for risk of voiding their warranty. Also, most people would not be accomplished enough to start adding switches into the wiring of the car.

There is surely a simple way to resolve this...BMW need to change the software so that unless an existing key is present, the OBD port is completely dead and can't be communicated with.

This would mean that independent dealers would still be able to service BMWs (because the owner would obviously leave the key with them) and undesirable scrotes would at least need a key to access the OBD port.
Well if I thought my car was in danger of being stolen I would definitely have an auto electrics firm disconnect or put a hidden switch to the OBD port so this couldn't happen! Thankfully mine is old enough to have a proper key

MaxPayne

19 posts

139 months

Saturday 24th May 2014
Timbuk2 said:
Well if I thought my car was in danger of being stolen I would definitely have an auto electrics firm disconnect or put a hidden switch to the OBD port so this couldn't happen! Thankfully mine is old enough to have a proper key
...and if my car was out of warranty, it's something I'd possibly consider, but not something I'm willing to do at the moment.

I don't think car owners should be forced to take such action because of a major flaw in the electronics of the car.

I still think car manufacturers should be able to completely disable the OBD port unless a key is present. Once again, it's barmy ruling from the EU that's caused this situation (in my opinion).


Steffan

10,362 posts

227 months

Saturday 24th May 2014
MaxPayne said:
Timbuk2 said:
Well if I thought my car was in danger of being stolen I would definitely have an auto electrics firm disconnect or put a hidden switch to the OBD port so this couldn't happen! Thankfully mine is old enough to have a proper key
...and if my car was out of warranty, it's something I'd possibly consider, but not something I'm willing to do at the moment.

I don't think car owners should be forced to take such action because of a major flaw in the electronics of the car.

I still think car manufacturers should be able to completely disable the OBD port unless a key is present. Once again, it's barmy ruling from the EU that's caused this situation (in my opinion).
I agree with your sentiments.

The 180 odd pages of this thread suggest to me it would appear that manufacturer, BMW, does not. Therefore there will be no change. Which IMO is a great pity but as the cars are still selling change seems unlikely.

Billyray911

1,072 posts

203 months

Saturday 24th May 2014
You are right. Euro 5 legislation allows third party access to the OBD. Unfortunately, no car is safe that uses this technology and that includes new BMWs including F series models.
There are currently on sale, devices for reprogramming keys for this model, new Range Rovers, Audis, Jaguars etc etc - the list is vast.
These are expensive to buy - thousands of pounds, but are available to hire from criminals, to criminals.
If people are worried about moving their OBD due to warranty issues - don't. I had mine moved and the void filled with a dummy, a couple of years ago. There are no issues with this affecting your warranty. I have an extended OEM warranty and this has caused no issues at all while having warranty work completed. This includes where the OBD was in need to be accessed by the dealership.
My advice is to go back to basics and use a combination of new technology - ie Clifford Blackjax, high end alarm (Viper gets good reviews). I would mix this with old tech such as a full disc lock and other methods.
Another good bit of kit that I've seen recently is an OBD lock. The OBD is removed from its housing and encased in a steel case that is repositioned and secured elsewhere. This is accessible via a key.
OBD theft is here to stay and at the moment, no car is safe. The tech is moving quicker than efforts to thwart it.
The argument of "why should we - I expect my car to be secure from the factory!" is now a redundant one. We all have to be proactive and take steps ourselves.

Timbuk2

1,953 posts

154 months

Saturday 24th May 2014
MaxPayne said:
...and if my car was out of warranty, it's something I'd possibly consider, but not something I'm willing to do at the moment.

I don't think car owners should be forced to take such action because of a major flaw in the electronics of the car.

I still think car manufacturers should be able to completely disable the OBD port unless a key is present. Once again, it's barmy ruling from the EU that's caused this situation (in my opinion).
If it was done well, just one important wire with a well hidden 1/0 switch for example, would BMW be able to tell unless they found the switch?


JimmyTheHand

1,001 posts

141 months

Tuesday 27th May 2014
looks like some security researchers think there are security issues in the new i3 Link

Steffan

10,362 posts

227 months

Tuesday 27th May 2014
JimmyTheHand said:
looks like some security researchers think there are security issues in the new i3 Link
Regrettably I find myself asking why does that not surprise me. Probably because I have read all the pages in this thread as they have been posted and learnt from this that the BMW security is weak. Apparently getting weaker. I hope at some point BMW will wake up to how disastrous this could be. Not as yet it would seem.

JimmyTheHand

1,001 posts

141 months

Tuesday 27th May 2014
Steffan said:
Regrettably I find myself asking why does that not surprise me. Probably because I have read all the pages in this thread as they have been posted and learnt from this that the BMW security is weak. Apparently getting weaker. I hope at some point BMW will wake up to how disastrous this could be. Not as yet it would seem.
It isn't just BMW, it seems pretty much every company seems to put security as a low priority and vast majority of coders seem blind to how people can break into their application. I think it will take a major company going bankrupt because of poor security to change this attitude

Steffan

10,362 posts

227 months

Tuesday 27th May 2014
JimmyTheHand said:
Steffan said:
Regrettably I find myself asking why does that not surprise me. Probably because I have read all the pages in this thread as they have been posted and learnt from this that the BMW security is weak. Apparently getting weaker. I hope at some point BMW will wake up to how disastrous this could be. Not as yet it would seem.
It isn't just BMW, it seems pretty much every company seems to put security as a low priority and vast majority of coders seem blind to how people can break into their application. I think it will take a major company going bankrupt because of poor security to change this attitude
Could take a while yet then? BMW will never go bust. But their sales targets may begin to see the consequences. That is the most probable source of change IMO.

SlowDriver

4 posts

138 months

Tuesday 27th May 2014
More security problems for BMW - this time flaws with the i8.
http://www.theregister.co.uk/2014/05/27/bmw_passwo...

When will BMW take their car security seriously? I can see BBC Watchdog getting all over this one.

pingu393

7,645 posts

204 months

Tuesday 27th May 2014
What's the incentive for them to improve security? If a car gets stolen, another new one gets sold. It may not be the same brand, but as all cars are affected, it doesn't matter. Disaffected BMW owner defects to Audi. Disaffected Audi owner defects to Mercedes. Disaffected Mercedes owner defects to BMW.


The car companies only care about the first purchaser. Who are they? They are mostly businesses, hire companies and leasing companies. It's only when the 2nd-hand value of the cars are affected will the car companies react.


Hypothetical Example: A new BMW costs Joe Public £25k, but can be bought for £17k if bought in bulk. Six months and 5k miles later and it will sell at auction for £15k. If the auction sell price fell to £10k, the bottom would fall out of the lease car business model. Lease companies could no longer afford to pay BMW £17k in the first place. BMW would need to react.


As long as people pay what they do, there is no reason for BMW to change its ways, unless there is a public outcry, and that's not very likely.

TheEnd

15,370 posts

187 months

Tuesday 27th May 2014
Has anyone actually managed to read and understand el reg's article?