M3 stolen with OBD key cloning :(

[White person]

Look like the same thing what happened with the 1M in china

[BPMSport]

Quote:

Originally Posted by Dackelone

Noop! The way I understand it... all BMW's can "learn" up to TEN key fobs from the factory. IF you loose a key fob... your dealer just add's another new key fob into the car's "directory".

What I was told is that the dealer or a knowledgeable "car coder" can "lock" the DME to just the current two key fobs. Then IF someone tries to clone a new key fob into the car's DME the car will not except the new fob - and the car can not be stolen that way.

As far as I know... BMW's SW update "patch" is ONLY for UK cars. I hope they roll it out to every bmw market though.

DME has nothing to do with the key's.

DME controls the motor only, and verifies a special code with CAS before fuel injection is activated. If key is wrong, CAS will not pass the correct code to the DME and therefore car will not start. If key is wrong, CAS will not authenticate and ignition will not turn on.

You can have a bunch of keys, and even when disabling keys 3-10, if the thief has a tool to sync another key they can steal the car. With the right tool it's not hard on a car with software before 47.1.

BMW's 47.1 update is for all cars, although this issue seems most prominent in the UK, and BMW haven't said anything here in the US probably to avoid panic. I have updated quite a few cars here with the security update.

[BPMSport]

Quote:

Originally Posted by kardboard

This is exactly what I was told when I bought my 2010 135i by my sales rep. He told me, if I remember correctly, that the two keys I received were the only two keys that would start the car. If I happened to lose both keys, they would have to replace the ECU (I assume) and would cost an arm and a leg.

Any truth to this? I bought my car new in January of 2010 from a BMW dealership.

100% wrong.

You can lose both keys and buy two new keys and have them synced to the car.

The CAS unit never has to be replaced unless there is a problem with it, which happens but is very rare (older versions of Program are known to cause module damage during update).

[conradb]

You lost faith in BMW now because some thieves exploited a security vulnerability in some software? You may as well just stop using computers all together if that if your stance.

I'm sorry your car got stolen, but just saying "I've lost faith in BMW" is pretty short-sighted and ignorant. Cars get stolen all the time. Do people blame the mfg that the locking mechanism wasn't thief-proof?

Hint: There's no such thing as fool-proof security. Everything is breakable/hackable. It's the central tenet of security.

Further, you're all pissy because a company doesn't want to refund 6-mo left on your lease? If you bought a nice diamond ring on a loan, and a thief stole it, are you honestly going to ask the jeweler/bank to refund your money because someone stole it? The logic here is astounding...

[StevenY.]

Wow, must have been hard for you to watch this. Sorry for your lost man..

[BPMSport]

One thing I wanted to add - the CAS module is one of the only ones that almost RELIGIOUSLY has an update every time BMW releases a new software "package".

It was changed in 45, 46.1, 46.3, and now 47+

[meyergru]

Quote:

Originally Posted by conradb

You lost faith in BMW now because some thieves exploited a security vulnerability in some software? You may as well just stop using computers all together if that if your stance.

I'm sorry your car got stolen, but just saying "I've lost faith in BMW" is pretty short-sighted and ignorant. Cars get stolen all the time. Do people blame the mfg that the locking mechanism wasn't thief-proof?

Hint: There's no such thing as fool-proof security. Everything is breakable/hackable. It's the central tenet of security.

Not so fast...

What becomes painfully obvious here, IMHO, is that this specific function (namely pairing a new key to the car) is protected worse than some other "software" functions, like:

- Navigation maps
- Modifying the ECU software
- Navigation functionality in the CIC
- Speech recognition
- VMax un-limiting (M Driver's Package)

All of those are protected using cryptographic functions and are very hard to break (as far as I know, only the first two have been done as of now).

That is how BMW protects things they are interested in, because these features generate revenue - unlike if they protect you car from being stolen, where the opposite is true.


Honi soit qui mal y pense.

[WingZeroX5]

a few of us should meet up and park our cars in various places under CCTV. then "steal" each others cars and rendezvous somewhere else and grab a beer. Submit the recording and get news coverage such as myfoxny's shame shame shame on BMW NA

[info@trinityautosport]

very sorry to hear about this. good luck with finding the replacement AMG.

[kardboard]

Quote:

Originally Posted by Mike Benvo

100% wrong.

You can lose both keys and buy two new keys and have them synced to the car.

The CAS unit never has to be replaced unless there is a problem with it, which happens but is very rare (older versions of Program are known to cause module damage during update).

Thank you for the answer. This is not the first time my dealership has lied to me.

[conradb]

Quote:

Originally Posted by meyergru

Not so fast...

What becomes painfully obvious here, IMHO, is that this specific function (namely pairing a new key to the car) is protected worse than some other "software" functions, like:

- Navigation maps
- Modifying the ECU software
- Navigation functionality in the CIC
- Speech recognition
- VMax un-limiting (M Driver's Package)

All of those are protected using cryptographic functions and are very hard to break (as far as I know, only the first two have been done as of now).

That is how BMW protects things they are interested in, because these features generate revenue - unlike if they protect you car from being stolen, where the opposite is true.


Honi soit qui mal y pense.

Oh please. You swear like this wasn't a highly sophisticated attack utilizing hacked key replacement equipment to begin with. Oh yes, this was a bunch of retarded 18 y/o gang bangers that just busted a window and took off in a car. No.

The car is plenty secure, and BMW has already offered a solution. Shit happens.

Furthermore, even HIGHLY cryptographically encoded data, like the HDMI key signing algorithm, are cracked just as well. I don't care what encryption you have, you won't be safe for too long.

[bmellion]

Quote:

Originally Posted by izzyM3

Quote:

waah? My 2012 sedan was creeking too. but not reason alone to trade. M3 was more than reason to trade! I waited 11 months and got my M3 after. . Sorry OP about your car. c63 is great but M3 is just better.

Oh! It was a reason to trade. The thing was annoying and not what u would expect in a $82k car. I went from an M3 to C63 to 550i in 8 months. The 550i is the best of all.

[AcidMal]

C63 coupe is just so much cooler than m3, which looks ancient in comparison.
This will be only until M4 is released.

[3M TAPE]

Quote:

Originally Posted by conradb

You lost faith in BMW now because some thieves exploited a security vulnerability in some software? You may as well just stop using computers all together if that if your stance.

I'm sorry your car got stolen, but just saying "I've lost faith in BMW" is pretty short-sighted and ignorant. Cars get stolen all the time. Do people blame the mfg that the locking mechanism wasn't thief-proof?

Hint: There's no such thing as fool-proof security. Everything is breakable/hackable. It's the central tenet of security.

Further, you're all pissy because a company doesn't want to refund 6-mo left on your lease? If you bought a nice diamond ring on a loan, and a thief stole it, are you honestly going to ask the jeweler/bank to refund your money because someone stole it? The logic here is astounding...

I know I hate to do this but +1
Lost faith in BMW? And going to the C63 is even worse..

[BPMSport]

Quote:

Originally Posted by meyergru

Not so fast...

What becomes painfully obvious here, IMHO, is that this specific function (namely pairing a new key to the car) is protected worse than some other "software" functions, like:

- Navigation maps
- Modifying the ECU software
- Navigation functionality in the CIC
- Speech recognition
- VMax un-limiting (M Driver's Package)

All of those are protected using cryptographic functions and are very hard to break (as far as I know, only the first two have been done as of now).

That is how BMW protects things they are interested in, because these features generate revenue - unlike if they protect you car from being stolen, where the opposite is true.


Honi soit qui mal y pense.

Navigation functionality is easy to get with a CIC as long as you have an emulator. Voice/speech recognition can also be loaded to a CIC that doesn't already have it, and if you have an emulator this is easy as pie. The FSC certificates are encrypted, but cracking the encryption for them is not necessary. Just having the car think that all the VIN's match does the trick.

VMax unlimiting is easy too. You just have to have the right tools. While I have a specialty tool for modifying anything I want in the DME/ECU, these guys have a 'specialty tool' for keys.

All you need is the right tools. There is nothing that is 100% secure. Now BMW did make it difficult for people to tune cars a few years ago. But in all honesty it's pretty easy to get around BMW's 'tunerlock' protection. It's a matter of changing a pointer and moving a header to another location, and then it's bypassed. Only a very small fraction of people know how to do this. Takes about 5 seconds

Where there is a will, there is a way. That's the name of the game.

This mantra of having the car stolen via OBD/Key reprogramming has been around for years and years. It's nothing new, and it will never be 100% circumvented, although measures can be taken to reduce the propensity of such a situation. I don't think less of BMW because of this.

http://vag-info.com/BMW%20Group%20products.htm Also, if you look at this site, it clearly indicates "The device works with the latest BMW software ISTA V45/46/47 for CAS 3". If they are correct that this works on cars with ISTA/P v47+, then all of the cars are still vulnerable anyway, including mine. At a price tag of 8,000 Euro, you'll be dealing with some serious car thieves to begin with, not some knuckle-headed punk kids.

[kmarei]

So a thief will clone you a new key for free
But BMW charges you $400 for a new key

[car_fan]

Quote:

Originally Posted by Dackelone

This stolen 1M thread(back in July) makes for an interesting read!

Video: My BMW 1M Coupe Stolen in 3 Min as Part of Recent UK BMW Theft Spree Using OBD
http://www.1addicts.com/forums/showthread.php?t=712717


And this is how key cloning is done. The thieves push the car down the road so the owner doesn't wake up and hear the car start up!

+1 on this. I remember checking out the stolen 1M thread a while back. It's all too similar to "OP's" video clip. One day their luck will run out..
Best of luck with whichever vehicle you choose.

[VCMpower]

Quote:

Originally Posted by y2_dyc

Unfortunately a few days ago, my M3 got stolen. Looks like the thieves have taken advantage of the security flaw on the OBD Port which allows key cloning on the spot. It's scary to see how quick it was for them to take my car.

I believe BMW has a firmware update [details here] to fix the OBD port when your car is locked. So would advise you to get that booked it asap. Have really lost faith in BMW now, which is such a shame because i loved the M3. To make matters worst, BMW warranty won't even give me a refund for the remainder of the 6 months I had left as I made a claim this year in May. Part of their policy apparently.

Now looking to get a C63 AMG.

Here's some footage from my CCTV.

Part 1 - Cloning my key!

Part 2 - Taking my car!

Dan

Enjoy your C63.

[P1]

Unbelievable. Glad to see more people have CCTV though. In my opinion, everyone should have this with a proper motor parked in their garage or drive.

[meyergru]

Quote:

Originally Posted by Mike Benvo

Navigation functionality is easy to get with a CIC as long as you have an emulator. Voice/speech recognition can also be loaded to a CIC that doesn't already have it, and if you have an emulator this is easy as pie. The FSC certificates are encrypted, but cracking the encryption for them is not necessary. Just having the car think that all the VIN's match does the trick.

VMax unlimiting is easy too. You just have to have the right tools. While I have a specialty tool for modifying anything I want in the DME/ECU, these guys have a 'specialty tool' for keys.

All you need is the right tools. There is nothing that is 100% secure. Now BMW did make it difficult for people to tune cars a few years ago. But in all honesty it's pretty easy to get around BMW's 'tunerlock' protection. It's a matter of changing a pointer and moving a header to another location, and then it's bypassed. Only a very small fraction of people know how to do this. Takes about 5 seconds

Where there is a will, there is a way. That's the name of the game.

This mantra of having the car stolen via OBD/Key reprogramming has been around for years and years. It's nothing new, and it will never be 100% circumvented, although measures can be taken to reduce the propensity of such a situation. I don't think less of BMW because of this.

http://vag-info.com/BMW%20Group%20products.htm Also, if you look at this site, it clearly indicates "The device works with the latest BMW software ISTA V45/46/47 for CAS 3". If they are correct that this works on cars with ISTA/P v47+, then all of the cars are still vulnerable anyway, including mine. At a price tag of 8,000 Euro, you'll be dealing with some serious car thieves to begin with, not some knuckle-headed punk kids.

I know all of that, however:

1. FSC circumvention by a CAN-Bus blocker for the CIC (speech recognition, navigation and to a certain extent, maps) has some problems of its own (e.g. the owner of the car has to order a map FSC with another VIN, so he first has to know which one this is - there is a case of a buyer of such a car in Germany right now, sometimes, not all functions work correctly).

2. Map FSCs and ECU protection are special cases. The first one is not a RSA function and thus could be hacked (in fact it was). As for the ECU: for the M3 it is much easier to hack than with cars that BMW really wanted to protect, like the 335i. Tuning of the N54 was a real threat because it was cheaper but practically equally strong as it was developed as an alternative to the S65 that was ultimately used. So the protection was much stronger than simple checksumming because there was more at stake for BMW. In the beginning, only piggybacks could be used, then, when an early unprotected beta firmware was used as a tuning basis, BMW replaced the MSD80 by the MSD81, making firmware tuning impossible for nearly another year until an israeli company cracked the signature key for that, too.

What this proves, is that with all of my listed assets, BMW has at least tried to prevent access - they did not protect access of the API function to pair a key, it was sitting there waiting to be exploited.
Audi has a similar function and protected it (the diagnostic station has to be online and request a code from the manufacturer).

I call that irresponsible on BMW's part, to say the least. BTW: The device is less than $1000 in China. And is there really a fix out? I have seen the announcement for the UK, nowhere else. You once said that 2.47.1 fixes it (and just told us that the device still works with 2.47), but you did not yet specify if there are additional settings (i.e. coding) is neccessary. I can understand that because you want to make money with the service you offer.

BMW did neither offer a fix outside of the UK nor informs their customers, probably fearing an uproar when they admit that it was their fault not to protect this function, especially in the U.S. I have requested info here in Germany, but did not yet receive an answer.

@conradb:

Of course it takes a "highly-sophisticated" approach - BMWs are expensive cars, savvy? It seems like there is a financial controller that makes sure that the effort employed to protect something is directly proprotional to the amount at stake - and the amount is negative for theft protection because a car stolen = a car sold, unless you get a C63 afterwars. So no dice!

[fusion01]

Quote:

Originally Posted by conradb

You lost faith in BMW now because some thieves exploited a security vulnerability in some software? You may as well just stop using computers all together if that if your stance.

I'm sorry your car got stolen, but just saying "I've lost faith in BMW" is pretty short-sighted and ignorant. Cars get stolen all the time. Do people blame the mfg that the locking mechanism wasn't thief-proof?

Hint: There's no such thing as fool-proof security. Everything is breakable/hackable. It's the central tenet of security.

Further, you're all pissy because a company doesn't want to refund 6-mo left on your lease? If you bought a nice diamond ring on a loan, and a thief stole it, are you honestly going to ask the jeweler/bank to refund your money because someone stole it? The logic here is astounding...

Hell man, BMW should be blamed for this for not coming out and getting in touch immediately with every owner on their records whom could / would be affected. Their failure in this regard is most likely down to the avoidance of bad press. I'd not be surprised if this is rolled out faster in the US as corporations there fear a far greater legal case - it's probably easier to sue than ye' ol' British system (although not too sure on this).

A lot of BMW fanboys providing sympathy to the bloke but little vented at the company responsible.

OP: don't feel too bad. Here in South Africa if they want your car they just put a gun to your head and relieve you of it. No jokes. This sort of key programming is way over the head of the common thief prowling our sunny shores.

[SenorFunkyPants]

AIUI this vulnerability was created by an EU law that was introduced to ensure that cars could be fully serviced outside a dealer network. Essentially the functions of the OBD port has to be made available to all third party dealers to conduct diagnostics etc.