Originally Posted by Mike Benvo
Navigation functionality is easy to get with a CIC as long as you have an emulator. Voice/speech recognition can also be loaded to a CIC that doesn't already have it, and if you have an emulator this is easy as pie. The FSC certificates are encrypted, but cracking the encryption for them is not necessary. Just having the car think that all the VIN's match does the trick.
VMax unlimiting is easy too. You just have to have the right tools. While I have a specialty tool for modifying anything I want in the DME/ECU, these guys have a 'specialty tool' for keys.
All you need is the right tools. There is nothing that is 100% secure. Now BMW did make it difficult for people to tune cars a few years ago. But in all honesty it's pretty easy to get around BMW's 'tunerlock' protection. It's a matter of changing a pointer and moving a header to another location, and then it's bypassed. Only a very small fraction of people know how to do this. Takes about 5 seconds
Where there is a will, there is a way. That's the name of the game.
This mantra of having the car stolen via OBD/Key reprogramming has been around for years and years. It's nothing new, and it will never be 100% circumvented, although measures can be taken to reduce the propensity of such a situation. I don't think less of BMW because of this.
Also, if you look at this site, it clearly indicates "The device works with the latest BMW software ISTA V45/46/47 for CAS 3". If they are correct that this works on cars with ISTA/P v47+, then all of the cars are still vulnerable anyway, including mine. At a price tag of 8,000 Euro, you'll be dealing with some serious car thieves to begin with, not some knuckle-headed punk kids.
I know all of that, however:
1. FSC circumvention by a CAN-Bus blocker for the CIC (speech recognition, navigation and to a certain extent, maps) has some problems of its own (e.g. the owner of the car has to order a map FSC with another VIN, so he first has to know which one this is - there is a case of a buyer of such a car in Germany right now, sometimes, not all functions work correctly).
2. Map FSCs and ECU protection are special cases. The first one is not a RSA function and thus could be hacked (in fact it was). As for the ECU: for the M3 it is much easier to hack than with cars that BMW really wanted
to protect, like the 335i. Tuning of the N54 was a real threat because it was cheaper but practically equally strong as it was developed as an alternative to the S65 that was ultimately used. So the protection was much stronger than simple checksumming because there was more at stake for BMW. In the beginning, only piggybacks could be used, then, when an early unprotected beta firmware was used as a tuning basis, BMW replaced the MSD80 by the MSD81, making firmware tuning impossible for nearly another year until an israeli company cracked the signature key for that, too.
What this proves, is that with all of my listed assets, BMW has at least tried
to prevent access - they did not protect access of the API function to pair a key, it was sitting there waiting to be exploited.
Audi has a similar function and protected it (the diagnostic station has to be online and request a code from the manufacturer).
I call that irresponsible on BMW's part, to say the least. BTW: The device is less than $1000 in China. And is there really a fix out? I have seen the announcement for the UK, nowhere else. You once said that 2.47.1 fixes it (and just told us that the device still works with 2.47), but you did not yet specify if there are additional settings (i.e. coding) is neccessary. I can understand that because you want to make money with the service you offer.
BMW did neither offer a fix outside of the UK nor informs their customers, probably fearing an uproar when they admit that it was their fault not to protect this function, especially in the U.S. I have requested info here in Germany, but did not yet receive an answer.
Of course it takes a "highly-sophisticated" approach - BMWs are expensive cars, savvy? It seems like there is a financial controller that makes sure that the effort employed to protect something is directly proprotional to the amount at stake - and the amount is negative for theft protection because a car stolen = a car sold, unless you get a C63 afterwars. So no dice!