


High tech car theft: 3 minutes to steal keyless BMWs

Jul 08, 2012

If you owned a very expensive BMW, how upset would you be to learn that car could be stolen in less than three minutes? Car thieves are exploiting 'features,' then using a BMW on-board diagnostics (OBD) port to clone a key and steal a car.


BMW is just one example of cars that utilize a wireless key fob to unlock the doors and start the engine instead of using a physical key. BMWs are highly coveted vehicles, so if you desired you might be able to fool people into thinking you have one by carrying a USB that looks like a BMW key. While some BMW thefts are a direct result of targeted carjackings, if you owned a very expensive BMW for real, how upset would you be to learn your car could be stolen in less than three minutes?

Last year at Black Hat, security consultant Don Bailey presented War Texting: Identifying and Interacting with Devices on the Telephone Network. Bailey explained how it took him only two hours to hack into a car alarm system and then start the car remotely by sending it a text message. In a completely different high tech method, car thieves need only a few minutes to exploit features, turn them into security flaws, clone a BMW smart keyless remote via the on-board diagnostics (OBD) port, and then make off with a sweet ride.

A very unhappy BMW owner wrote on 1Addicts, “My BMW 1M stolen without keys in 3 minutes! This is a video of a GBP43,000 BMW 1M Stolen at 3am in 3 minutes. The thieves accomplished this by accessing the BMW OBD port in the footwell by breaking the glass, reaching in and using a device to reprogram a blank key fob. The car was simply then unlocked and pushed off the drive and driven away. BMW doesn’t seem to want to admit they have a problem, even though over 300 cars have been stolen in March 2012 in a single UK county.” There are also several videos of BMW key reprogramming, or cloning the key fob.

In the smash and grab BMW thefts, where the criminals bust out a window, “the thieves seem to be exploiting a gap in the car’s internal ultrasonic sensor system to avoid tripping the alarm.” Jalopnik reported the cars may also be entered “via nearby RF jammers that block the lock signal from the fob from reaching the car.” Pistonheads added that “as long as you can enter the car to access the OBD port you’re on your way.” Technolog noted, “All cars sold in Europe must permit open and unsecured access to OBD codes, so non-franchised mechanics and garages may read the codes.”

Neowin reported, “There appear to be many security flaws in the vehicle that all work in concert to allow the attack. First, the car’s ultrasonic sensor system has a “blind spot” down the column in front of the OBD port, which is why the thieves stay outside of the car until they finish cloning the fob. There is also no glass breakage sensor to lock the car down when someone breaks in. The OBD port is constantly powered, even when the ignition is not on, and there is no security (password, PIN, etc) on the port.” Recombu asked, “Should OBD-II ports be encrypted to discourage thieves gaining almost unrestricted access to our cars? A simpler solution might be to move the ports to a position in the car where access will definitely trigger the motion sensors, or to seclude the ports behind a flap that triggers the alarm.”

BMW told Jalopnik, “We are aware of recent claims that criminal gangs are targeting premium vehicles from a variety of manufacturers. This is an area under investigation.” The BMW Group and the police have a “constant dialogue” in order to “understand any patterns which may emerge.”

On another interesting note, last year researchers at BMW hoped to create the “key of the future” as in one key to rule them all. They added “features” like NFC to a wireless key prototype so it could download and store e-tickets, from train tickets to hotel rooms, for potentially every step of a journey. BMW said the key prototype was “more secure than many mobile devices such as laptops or cell phones because it’s both encrypted and a closed system.” The “electronic money function” in the BMW car key prototype also allowed the user to “settle the bill.” Researchers said it could replace other contactless devices such as office card keys and laptop dongles.


Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.