536 points by rapnie 9 days ago
I used to fix cars for a living. Sometimes it involved “cracking” alarm & immobiliser systems.
My clients all claimed they broke/lost their keys to their car - most of the time they were believable (car stuck in front of their driveway, etc). Sometimes less so, but I’d do it anyway because I needed the money and I had no proof to the contrary (innocent until proven guilty, right?), although given the sad condition of the cars I really doubt anyone would bother stealing them.
Car security is based on obscurity. There is very little cryptography involved (if any), and where there is, the car’s “computers” would happily install new, untrusted firmware through the diagnostics (OBD) port, which means you can do pretty much anything - program new keys, disable the immobiliser or alarm completely (by installing patched firmware) or even rewind the odometer.
I’m frankly surprised it took this long for “high tech” car theft to appear, unless it’s been going on for a while but executed perfectly so nobody would find a trace.
Happy to answer any questions if anyone’s curious.
In Russia and, I guess, similar countries, it's quite rare to encounter a car which isn't protected by an external protection system (not sure what it's called in English; in Russian it's usually called "Сигнализация"), which includes shock sensors, an alarm system, a remote control and a car block which protects some vital engine circuits. There are systems with a dialog protocol between the remote control and the car with actual encryption inside, so it might not be so trivial to break. In practice such cars are either stolen inside trucks or the entire system is bypassed by a separate automobile computer connected directly to the necessary engine sensors, ignition coils, etc. Quite a clever technique: you don't need to bypass protected electronics if you can bring and connect your own electronics.
In Russia and the ex-USSR in general, cars are very often stolen regardless of any car alarm installed and whatever GPS trackers are inside, even rental cars with multiple trackers and a live feed to someone monitoring them. The reason: they only need a few hours to get to their base of operations, where the car is dismantled into parts which are then sold separately, often under protection by local law enforcement. And people can't do much - yes, you can see the sudden appearance of your car's parts on the used parts market, same color, same tuning etc., but you can't prove anything, and all part numbers would have been destroyed during dismantling.
I used to work for an insurance company and I got an entertaining presentation from a 3rd party that showed how ingenious thieves got around car blocks, special keys, etc. by bringing in the entire front panel of the car (thieves had one for each common model they wanted to steal).
"Casual" thieves are finding it harder though; it's more organized mafia in concert with dismantlers (as mentioned in a sibling comment).
> not sure what it's called in English
"Immobiliser", usually. :)
"Сигнализация" would be more akin to alarm.
Even more modern cars with "protection" (usually against tuning, not theft) use obvious, simple-to-reverse algorithms. For example, the Simos18 ECUs used in modern VWs use flash files encrypted with AES128. Except, they share the same key and IV across all ECUs on the platform, and the key and IV are stored in plaintext in the "upgrade" routines in the flash ROM. So once you've dumped one ECU's flash memory, you own them all.
This wouldn't be that hard for car manufacturers to defeat if they really cared. It's the exact same trusted-boot problem as any mobile phone faces, except (so far) with much more limited attack resources. It's devilishly hard to get perfect (as every iPhone jailbreak proves) but it's easy to get started.
There is actually a big security push in automotive that's sort of been slowly coming to the fore over the last few years. It's not really the OEMs that are driving it either (they are to some degree), but the suppliers starting to make security hardware and system protection available, as it really hasn't been for very long. It's still not really entirely there. Basic things like the microcontrollers and CAN hardware / protocol never had security designed in. No one was willing to invest significant engineering time or do expensive security in software when hardware cost is king, or even invest in the engineering cost of bringing in security from suppliers (seriously, there are like 20+ independent computers in your car and it's going to be 50+ on average soon if it isn't already, and out of those you'd probably have to harden 10 or so, or introduce entirely new ECUs). There are a number of solutions but none of them are cheap. As hardware support becomes widely available, development time for higher tier suppliers drops and they can economically offer secure solutions, and with scares like the Jeep remote control hack in 2015 and with cars getting more connected, OEMs are starting to see the business case for security.
Seems like an easy problem to solve - every ECU generates its own encryption/signing key at first boot and dumps it over the serial port, which then gets recorded somewhere. This is eventually passed down to the car’s owner in the documentation, and the key needs to be presented before any firmware upgrade or configuration change.
This isn’t bulletproof either, but surely more than “hey I’m legit, here’s your new firmware, could you install and run it please?”.
Also I’m surprised they’d go after tuners, considering those are usually the most loyal customers you could dream of.
Yes, like I alluded to it's trivial drawing from any other trusted boot chain implementation.
The even better and less user-intensive way to do it would be with asymmetric encryption - the ECU only trusts flashes signed with the vendor public key and to make things even more secure, you could encrypt each flash file server side with a keypair derived each boot on the ECU and sent over the Internet (many manufacturers require online flashing anyway).
Manufacturers dislike tuners because they make warranty claims for tune damaged parts like blown turbos. VW especially are very, very aggressive about detection and enforcement around this. Long term I think giving a few dishonest tuned customers free turbos is probably fine but they seem to disagree and I assume they have access to the metrics driving this decision (which I don't).
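The trust model the two comments above describe (the vendor signs each image with its private key, the ECU carries only the vendor's public key and refuses anything that does not verify, plus an ECU-id and version check so an image for one controller or an older build cannot be pushed onto another), written out as an added example; this is not code from the thread or from any manufacturer. To stay dependency-free it uses textbook RSA over SHA-256 from Python's standard library with demo-sized keys generated at run time and no PSS/PKCS#1 padding, which a real signer would need; the `FW01` container layout, the `Ecu` class, the scenario names and the ECU ids are all constructed for the example.

```python
# Added example (not from the thread or any vendor): signed-firmware trust model for an ECU.
# The vendor signs with its PRIVATE key; the ECU stores only the vendor PUBLIC key.
# Textbook RSA over SHA-256 is used only to avoid dependencies; it is not production-grade
# (no PSS/PKCS#1 padding, demo key sizes, non-CSPRNG randomness).
import hashlib
import random
import struct

MAGIC = b"FW01"   # constructed container: magic(4) | ecu_id(16) | version(4) | len(4) | payload | sig
HEADER_LEN = 28
SIG_LEN = 128     # bytes, matching the 1024-bit modulus generated below


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin test; adequate for a demo, not for real key generation."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)
    if n < 2:
        return False
    if any(n % p == 0 for p in small):
        return n in small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=1024):
    """Return ((e, n), (d, n)). e is prime, so gcd(e, phi) == 1 iff e does not divide phi."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)   # modular inverse: Python 3.8+


def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, data):
    d, n = private_key
    return pow(_digest(data), d, n).to_bytes(SIG_LEN, "big")


def verify(public_key, data, signature):
    e, n = public_key
    s = int.from_bytes(signature, "big")
    return s < n and pow(s, e, n) == _digest(data)


def build_image(private_key, ecu_id, version, payload):
    """What the vendor's signing server emits: header + payload, then a signature over both."""
    body = MAGIC + ecu_id.ljust(16, b"\0")[:16] + struct.pack(">II", version, len(payload)) + payload
    return body + sign(private_key, body)


class Ecu:
    """Simulated controller: holds the vendor public key and never any private key."""

    def __init__(self, ecu_id, vendor_public_key, installed_version=0):
        self.ecu_id = ecu_id.ljust(16, b"\0")[:16]
        self.vendor_public_key = vendor_public_key
        self.version = installed_version
        self.firmware = None

    def flash(self, image):
        """Reject anything not vendor-signed, aimed at another ECU, or not newer; return the verdict."""
        if len(image) < HEADER_LEN + SIG_LEN or image[:4] != MAGIC:
            return "bad format"
        body, signature = image[:-SIG_LEN], image[-SIG_LEN:]
        if not verify(self.vendor_public_key, body, signature):
            return "bad signature"   # tampered bytes, or signed by a key the ECU does not trust
        ecu_id = body[4:20]
        version, length = struct.unpack(">II", body[20:28])
        if ecu_id != self.ecu_id:
            return "wrong ecu"
        if len(body) != HEADER_LEN + length:
            return "bad length"
        if version <= self.version:
            return "rollback"        # an older build (possibly with known bugs) must not come back
        self.firmware, self.version = body[HEADER_LEN:], version
        return "ok"


def demo():
    """Run the scenarios discussed in the thread against one ECU; return each verdict."""
    vendor_public, vendor_private = generate_keypair()
    _, attacker_private = generate_keypair()              # a key the ECU was never provisioned with
    ecu = Ecu(b"ENGINE-ECU-01", vendor_public, installed_version=1)
    good = build_image(vendor_private, b"ENGINE-ECU-01", 2, b"constructed engine map v2")
    tampered = bytearray(good)
    tampered[HEADER_LEN + 3] ^= 0x01                      # flip one payload bit, keep the signature
    return {
        "tampered": ecu.flash(bytes(tampered)),
        "attacker_signed": ecu.flash(build_image(attacker_private, b"ENGINE-ECU-01", 2, b"patch")),
        "other_ecu": ecu.flash(build_image(vendor_private, b"ABS-ECU-07", 2, b"abs map v2")),
        "genuine": ecu.flash(good),
        "replay_old": ecu.flash(good),                    # same version again is refused as rollback
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} -> {verdict}")
```

The point the thread is making sits in `Ecu.flash`: the controller never needs a secret to check an image, so dumping its flash yields only the public key, and an image that was modified or signed with any other key fails before the ECU even looks at what it contains. The version check is the part most often forgotten; without it a genuinely signed but older image can be reinstalled to bring back whatever that build allowed.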
They also don't like tuners because car engines are often made the same for multiple "trims", so the car with 110 and 160 hp has the same engine but a different "map" in the ECU, and only with an ECU reflash can you get more power that would otherwise cost you X amount of money.
Imagine a CPU where the 6 and 8 core variants are the same but the 6 core is locked in the BIOS and you can unlock it with some tuning software; it's like that.
And manufacturers don't like that.
Except that CPU manufacturers DO like that, and will give out special unlocked versions of their CPUs and even sponsor overclockers, to see what people can do with their hardware.
This also happens with car manufacturers, in racing and such. Tuners are more under the radar so they don't like that, as well as the warranty claims that were mentioned.
No, there is no software that I know of where you can, as a consumer, make your i3 an i5 with just a software unlock that you can get for like 10 EUR.
The difference on the base model Mercedes C-Class between getting the less powerful engine and the one that is one level up is like 3.5-4k EUR.
That is a lot of money. If I could unlock the bigger engine with just 400 EUR I would buy the base model.
Manufacturers don't want that, and that is one part of blocking the touching of the ECU. The other is also that the navigation and a lot of other things are just disabled in the ECU, and could be easily unlocked with software.
It’s not just more power though. My car has two versions, 130hp and 155. For the 2 grand I got 25 more horsepower and bigger brakes, bigger clutch, bigger wheels with wider tyres and an LSD.
The only time I can recall where the engine has been exactly the same inside was the Mini One and Mini Cooper, where the ECU only allowed for 86% throttle on the lower powered version. Every other engine has had a mechanical difference internally to support more power.
I'm looking into buying an Alfa Romeo Giulia, and engine-wise the difference between the 200bhp and 280bhp version is 100% software.
There are some other differences: the 280bhp is AWD vs RWD for the 200bhp version, and you can get the 200 with smaller wheels. However, when going for larger wheels on the 200bhp, you also get the exact same larger brakes...
It's a cool €6000 difference, for a similarly equipped car. I actually don't want AWD and the chassis can clearly handle this much power on the rear-wheels alone, the top-of-the-line 510bhp version is also RWD - so going for the 200bhp version and giving a reputable tuner €700 is a tempting proposition...
Mazda's 2.0 Gasoline Skyactiv is sold as both 120 and 165 HP. Same engine, same brakes, same clutch, different ecu mapping. The only mechanical difference is the gear box's final drive ratio (the 120's has longer gears for better fuel economy). Why would they do this? I assume economy of scale makes it cheaper.
F30 BMW 316d and 318d are exactly the same, 2011 325d and 330d also, 2013 114i and 118i from what I can remember right now; I don't keep the exact list.
And if I would guess you are talking about the MX-5 ND, those are naturally aspirated engines, where something like this is not really viable.
> Imagine a CPU where the 6 and 8 core variants are the same but the 6 core is locked in the BIOS and you can unlock it with some tuning software; it's like that.
But isn't this already the case (except locking might be in CPU firmware)? AFAIR this is the case with GPUs.
It's not quite analogous:
The line between product binning and market segmentation is sometimes blurry.
Can't think of an example with CPUs, but you could unlock an AMD 6950 to a 6970. Some brands would actually add features to help do this.
Actually, from my personal experience in the field, they only care for X years under warranty. Then they don't care. I actually don't think they have much legal ground of their own around modifications in the EU. At the end of the day you do own the car.
> signed with the vendor public key
That part doesn't sound very secure to me :-)
Why go after tuners? Well, if you are a giant automobile firm that has been lying about their mileage and emissions and covering it up with software that detunes the car just to pass testing- well, then you don't want people figuring out your algos for covering up lying.
So down the line, after a few years and changing owners, you're unable to install any firmware or to install used ECUs. Most of the manufacturers are now online-only for diagnostics and flashing, of course charging some premium, which destroys independent shops as you need to pay a subscription for every manufacturer. And cars and their parts still get stolen; "high tech thieves" belong in the movies, real ones load your car on a tow truck and it goes straight to another country.
I'm not so sure. The key has to be stored somewhere on the car. Why not desolder that and examine it?
(If we're going with "Theoretically possible," that is.)
The solution here is a combination of tamper-proof secure enclave and ephemeral keys, just like it is for trusted boot chains. Obviously it's not 100% secure and just like mobile phones (which, again, are the exact same problem space) it's eventually defeated, but the magnitude of difficulty can be multiplied without much effort.
My solution wasn't to protect against that - if you're up for desoldering stuff you may as well just replace the ECU with your own one which is happy to start the car.
This was just an idea to thwart installation of compromised firmware by thieves via the diagnostics port. It's just a little layer of security, not designed to be bulletproof, merely to slow down thieves by forcing them to actually swap the hardware.
if you're up for desoldering stuff you may as well just replace the ECU with your own one which is happy to start the car.
I demand a source that teaches me how to do this. :)
Orrr if you're in Chicago let's go figure it out ourselves!
CESVI in Argentina. Not very close to Chicago though :P , but I'm sure there's an US equivalent.
I remember reading about the people that dismantled cars to find where manufacturers source the parts:
Those guys can probably switch you the ECU :)
This is awesome. Thank you!
In Europe: https://ecu.de/
Witness Intel's unlocked CPUs: people who want access to the low-level stuff get charged a premium.
> program new keys
Yeah. We bought an old Elantra which only came with a single key and no FOB. I bought a cheap gizmo on Amazon that you plug to the OBD port and allows you to program other FOBs.
Modern-ish cars are computers. Once you have physical access, all bets are off.
On the other side, a MY2015 Audi A3 8V needs online access for remote re-sync (sometimes the RF part of the key loses sync with the car). So yes, generally older cars are easy to modify, newer ones not (at least yet).
Also the cheap gizmo was cheap because it was a clone; original tools are not that cheap.
You need to connect your car to the internet?
It's likely the car has its own always-on cellular connection.
Yeah, this is what I meant, but that sounds insane to me.
It is probably retrieving the "SKC" code which is necessary to program keys.
However, this is by no means secure, as the car's ECU will happily dump its entire storage (including the SKC code) over the diagnostics port if you ask nicely.
No, not programming keys per se. But re-syncing the RF part of the already coded key, so you can unlock it with a push of a button.
Also, I have quite a problem with dumping the entire storage (EEPROM parts for example, that contain SKC/PIN). Also, my experience is that getting that info from modern ECUs is not that straightforward; there aren't many (in some cases any) tools to get it.
Look up “VAG Tacho”: http://maltchev.com/kiti/
This tool successfully recovers SKC codes from pretty much any VAG Group’s (Volkswagen, Audi, Seat, Skoda) cars. It can also do other things like edit the odometer and probably more. It’s simply using “undocumented” (although is anything there documented?) commands of the diagnostics protocol to get raw access to the persistent storage.
All bets are off because that's how they were designed. Just look at a modern iPhone, which is designed with security in mind. It's far harder to get the same kind of access.
> unless it’s been going on for a while but executed perfectly so nobody would find a trace
My boss's car was stolen in broad daylight in front of a client's warehouse. This isn't a busy area, but it isn't extremely quiet either. The car had GPS tracking, but it disappeared without a trace.
The police guessed that it was driven into the back of a closed truck and straight away transported to Eastern Europe.
Heard a similar story except the owner chased the truck while calling police. When they stopped the truck after two hours (not so easy getting police to actually stop a truck on a highway), they found only car parts inside, with destroyed part numbers.
Incredible, was there CCTV footage?
Reading things like this makes me realise how easy it is to steal things still. Much like the old days when people could exchange fake cheques at banks for cash... Most of the world is still built on trust.
I asked about it at a later time, but after a certain time, the car ownership officially gets transferred to the insurance company, so any updates from the police would go to them unfortunately. From what I heard, however, police wasn't planning on spending too much time on this, because these types of cases never really result in much. Unless this becomes part of a major investigation into similar cases, it'll be dead in the water.
> makes me realise how easy it is to steal things still
So yeah, you're right about this. Statistics actually seem to show that low impact, organized crime pays in the Netherlands, since police are too busy with high impact cases. High impact often being defined as burglaries, robberies, rape, etc. that have a long-term impact on the victim's well-being.
I just found this through Reddit and had to think of your comment:
Years ago, I had a car with a sophisticated ignition lock system (not my choice, but not relevant to the story). It was somewhat finicky, and creating a new key was not easy. And of course no chance of starting it without proper key!
That car ended up stolen right from under my nose (I was within 100 feet of it, indoors but would hear if the alarm turned on) and the only thing I found in there when I came back for it was the sophisticated security system. The thieves just ripped it out in no time and with no sound, and drove away.
Since then I'm somewhat skeptical about how much protection such systems really provide.
Have you taken a look at a Tesla car yet? From PR materials I'm led to believe that they treat their car software seriously. I doubt one can install untrusted firmware on a Tesla car; is that so?
I’ve never worked on a Tesla. I’ve left the trade long ago finding my way in software engineering instead.
Tesla is probably the only one I’d trust though. While I don’t expect them to be bulletproof either (at least not at first), I expect them to quickly catch on should this kind of theft appear, and make the necessary fixes. In any case I doubt they’d be stupid enough to accept arbitrary code over a diagnostics port (if they have one even). I mean, even if we forget security, why would they? Teslas update remotely via the Internet.
Teslas have been stolen in Europe, their high value for parts makes them well worth stealing. This is primarily Tesla's fault, as they refuse to sell parts to cars that have been in accidents.
Your Tesla is essentially scrap after a non-minor accident, which is why most US insurers refuse to cover vehicles made by Tesla. It's as bad as rolling coal IMO; Tesla has created a massive eWaste problem. Meanwhile, rebuilding any other manufacturer's car is doable, even other EVs.
Relay attacks like those mentioned, which Teslas are vulnerable to, can also affect most other keyless entry cars. On new Mercedes one can turn off the keyless entry system by double clicking the lock button on the key when locking the car. The car key will then have to have its unlock button physically pushed to unlock the car, and in that state relay attacks won’t work.
One can turn it off on a Tesla Model S/X the same way. On the Model 3 it is a different system so not sure how that works.
I believe Teslas have a minimal OBD-II port (where mandated by law) but mostly use an Ethernet port for debugging/service.
Stripping or modding a Tesla would be the only way I'd get one...and I'd really like to. Very interested in what happens in this thread.
A Motherboard article appeared on HN about a rogue Tesla mechanic. Here is his channel to help you get started: https://m.youtube.com/channel/UCfV0_wbjG8KJADuZT2ct4SA#
That Tesla powered Audi RS5 is an amazing hack! https://www.youtube.com/watch?v=IOYY_AlRWQA
Thanks very much!
Search IAAI and Copart auctions
I just unclip my steering wheel, and pull out my main relay (dash mounted, race car spec). I don't think the car is going very far without those.
It'll go damn far - on a flatbed.
How do they move it onto the flatbed if the hand brake is on?
Who needs a flat bed? Every tow truck has dollies that they can put braked/geared wheels on.
How else would a tow truck tow away a vehicle in gear or with the parking brake on?
Though there are stories of tow trucks towing away vehicles in 1st gear, things seem fine, and then the transmission causes a fire from overheating...
How do they load wrecked cars, small shipping containers, machinery on skids, etc?
The 8-18k winch on a rollback will have no problem dragging your car.
It can be done, you just skull-drag it onto the back of the truck. Not great for the car, of course.
Plastic skates. 14 seconds added to the job.
haha! Yeah, but by the time you're involving a flatbed in your thieving, I don't know if any car security is going to be much good :P
I like to think high tech cars can detect when they're being towed and will activate their tracking system and ping the emergency call center.
Of course, all bets are off when it's loaded into an RF shielded truck. It could have an onboard camera to record the number plate of the truck, but that could be shielded.
Long story short, you're probably better off parking it in a firmly locked / secured garage, and have a wheel clamp or chain attached to something solid.
> I like to think high tech cars can detect when they're being towed and will activate their tracking system and ping the emergency call center.
My GPS tracker does do this in my daily car, but it only sets it off if the rest of the alarm is triggered (i.e. if the door sensor registers it opening while the alarm is set).
With the race car, it generally gets locked up. Although if I'm out in the town or something with it someone could possibly take off with it if they short-circuit the relay, and use something to clamp on the steering column (when the wheel is detached). But honestly, if someone stole the car like that they'd probably be found a few hundred yards up the road wrapped around a tree and on fire, after hitting boost with no steering wheel.
> There is very little cryptography involved
Wha? That may have been true about twenty years ago, but not now. BMW was using 256-bit RSA keys to validate ECU firmware and authenticate privileged access in the early 2000s (they're up to 1024-bit keys now) and write-once memory in their instrument clusters for about as long. Other (Euro) car makers using the same vendors offer similar features.
Once you have physical access all bets are off though. That's why the thieves cut the alarm sensors.
Why the hell does RSA ever get used anymore, esp. in smartcards etc? It's been obsolete for like 10 years thanks to ECC, and ECC is way easier to implement (esp. 127-bit and 521-bit).
RSA has value in encryption which ECC can't do.
Beyond that, RSA is so much easier to understand and implement. Because computing powers of numbers is easier than computing multiples of points on a curve.
Seems like that's all you can ask for if the attacker has physical access to the machine. Would be happy to be corrected though.
Not sure I agree.
It’s one thing if you get physical access, replace the engine control module by a crooked one that will send the proper signals to the ignition and all the other actuators and start the car.
It’s another thing if you talk to the real engine control module (which should already be on alert because the car was broken into) and tell it “trust me, I’m legit, here’s your new firmware” and the computer just runs your code no questions asked.
But on the other hand, on modern cars that is not nearly enough to get the car started. As OP pointed out, Simos18 was quite conveniently hacked, but that's far from the only ECU family. And usually they aren't hacked as easily/quickly.
For example, all that Simos18 "easy" hacking can be done once you have IGN ON, if you have IGN ON it's probably easier to just code a new set of keys, than it is to flash new FW on all related and needed computers.
> I’m frankly surprised it took this long for “high tech” car theft to appear, unless it’s been going on for a while
New, expensive cars are stolen or broken into quite often. When broken into, they'll often rip out the infotainment, with high end cars this can be a five-figure repair.
"Sometimes less so, but I’d do it anyway because I needed the money and I had no proof to the contrary (innocent until proven guilty, right?)."
Huh, is it legal to "crack" alarms/immobilizers without proof of ownership, especially if you suspect it might be stolen?
Anyone can call a mobile locksmith and ask them to help them get into their locked car stuck in the KFC parking lot with their keys inside. It’s usually up to the locksmith to obtain proof of ownership; otherwise they’re running the risk of committing a break-in. They usually have you sign something beforehand that tries to mitigate their liability. However, I’ve used some shady locksmiths who just pulled up in the passenger seat of their friend’s ride and did it without a contract and took cash. At least they didn’t scratch my car.
In my case they always had the keys, it was purely the electronics side that was failing. In fact I explicitly remember one idiot who manually broke the transponder chip inside the key in half (no idea what they were attempting to do - replace the battery?). I can’t tell for sure that all the clients were legit, but those ones were so stupid they had to be legit!
I took cash as well, because I was under 18 and couldn’t legally run a business at that time (but still needed to eat and buy drinks every weekend, and family couldn’t afford it).
Not sure, but given the shitty cars I’ve worked on, I wouldn’t care even if they were stolen - nobody would call the police for such things - if anything they’d be glad someone took them away for free!
I would probably feel differently if I got called to work on a supercar but that didn’t happen.
Reading this article is honestly a bit of a domestic culture shock for me, where does this guy live in The Netherlands?
Here in downtown Amsterdam we called the police because the rear window of someone's car had just been smashed outside our office, and the police's response was "Has anyone been hurt? Nope? Then we're not coming".
Meanwhile, wherever this guy lives they're sending officers because some BMW call center calls the police in the middle of the night telling them that some car reported unspecified distress within some radius, and they sent officers to search the whole neighborhood for the car and locate the owner.
I guess the next time I need police help I'll use a burner phone and tell them a BMW is in distress.
> Here in downtown Amsterdam we called the police because the rear window of someone's car had just been smashed outside our office, and the police's response was "Has anyone been hurt? Nope? Then we're not coming".
Amsterdam currently has a big police shortage, that's why. It's not normal, it's just a problem in Amsterdam.
What? I thought they were bored stiff. Every time anything happens - even the most insignificant accident - you’ll see a flock of police officers taping out the scene, parading numerous vehicles and generally making much ado about nothing :)
Well, if you're bored, one of the ways to have fun is to gather up with some friends (other officers) or stay home because you're lazy :P
> It's not normal, it's just a problem in Amsterdam.
Right, the two times we needed police in Limburg (Echt and Maastricht, a few years apart) it didn't happen either. It had to be life-threatening, and the people didn't literally shout "we'll kill you", so the police weren't gonna bother.
Meanwhile on TV they're cycling through parks to fine people some 99 euros for not having a well-behaved dog on a leash (could have used discretion there), or fining some poor dude 370 euros for standing literally 2 minutes on a disabled spot to pick someone up.
Poor dude? You don't park in a disabled spot unless you have a right to be there. That should be common sense.
It was wrong and s/he was caught, but that fine is just ridiculous. Sure, someone who stood there for 2 hours in a busy spot where disabled people were indeed turned away, then they definitely chose to risk that fine. But when someone was standing with the car (not even parked) for 2 minutes, I might (as police(wo)man) decide to give a warning instead. That fine is disproportionate. Most people on HN probably earn enough to sustain it easily, but for many people, that's an entire month's worth of food that just went down the drain. Sure, it's a good deterrent, but is it fair and just? Should we just give exorbitant fines on every petty crime just as a deterrent? That's not the kind of country I want to live in.
The police do not make up the height of the fines. It’s a common annoyance that assholes park in places they shouldn’t. This is a way they won’t do it again.
Standing is not parking.
I think his point is that there are much bigger problems that they should be tackling especially since a disabled person can easily give a good old honk to tell the person to move if they came around and actually needed the spot.
The problem with discretion is how do you recognize or punish repeat offenders? How do you know the dog is well behaved? How should they know?
And standing still for two minutes is parking. And someone who is actually disabled cannot park there, and cannot see (and request) for the person to leave.
Not just Amsterdam. I had a car accident on Route 128 in Massachusetts during rush hour. I called the state police - they asked if anyone was hurt and when I told them no they said 'just exchange information with the other driver'. The opportunity here is for fraud prevention. Maybe that's what will eventually drive our desire for ubiquitous surveillance.
Why would you need police for an accident? Your insurance companies negotiate liability based on your statements. It's a civil matter, unless you want to request criminal charges for reckless driving?
In Germany, a police report is generally recommended in case somebody decides to change their statement. I don't know why you wouldn't call the police. They're also there to settle disputes, or at least establish a protocol for a potential court process.
And if you drive for a company, protocol dictates that you call the police even in the most minor accidents for insurance reasons.
Most rental companies in Europe require a police report for any kind of accident, their insurance won't pay without one.
Depends if there's damage to the road and/or disruption of traffic I would imagine.
> Amsterdam currently has a big police shortage, that's why. It's not normal, it's just a problem in Amsterdam.
Or maybe Amsterdam has an excess of crime.
You would be surprised how much effort businesses put into building a relationship with local police, that is a big part of a security director's job. The more people they have on site, or the higher their inventory value, the more they are willing to spend on the local PD. I've seen areas built on company property that are effectively police sub-stations, giving cops a place to do paperwork and take a break, in order to cheaply keep them nearby. I've seen off duty cops hired for show up jobs, just to guarantee timely incident response. I've seen local PDs negotiate a fee schedule... it ain't a bribe if there is a "fee schedule". No, companies aren't doing this in order to break strikes or otherwise oppress employees - there is just a ton of risk when you concentrate hundreds of people in a small place that you're legally responsible for. I have seen some interesting results come out of it though: one holiday night a copper thief got onto the facility roof to plunder the AC units, one call from the off duty officer resulted in the immediate dispatch of a police helicopter and nearly a dozen cruisers. This is from an American perspective, but I'd be surprised if it was different anywhere else in the world.
It is different.
Where, in the Netherlands? I can't think of a way to say this that doesn't sound rude, so I'll just say it: how informed is your opinion? Roughly how big a company are we talking? Have you managed security, or managed security managers?
I ask because a long time ago I worked at a multinational that had facilities all over Europe. I'd have remembered if we got pushback from local management on this matter, but then I suppose they always could have been lying about their security programs... there isn't really a good way to audit law enforcement outreach - until something goes wrong.
In Sweden. I have worked at two of the largest companies, never seen anything like that.
The message received from the police was:
> The message they passed on was that there was either a burglary attempt or that my car was involved in an accident. They gave the police the exact coordinates of my car...
So I would hope that when presented with an automated report that the car was involved in an accident along with the exact coordinates, that they would come investigate to see if the driver was injured in the accident and unable to call for help.
I can believe that if someone witnessed a car break-in, that they'd give that a lower priority and if the thief is no longer there, that they wouldn't come out at all since there's not much they can do about it other than agree "Yup, someone smashed your window, now go clean your glass off the sidewalk".
> So I would hope that when presented with an automated report that the car was involved in an accident along with the exact coordinates, that they would come investigate to see if the driver was injured in the accident and unable to call for help.
Exactly this. Also, I have some family members working for the police in Dutch rural areas; at 3 am they'd be happy to head out, because they're usually just waiting for something to happen.
Several years ago someone tried to climb into our apartment window in Amsterdam (with another guy waiting with a motorbike as getaway vehicle on the street). He was standing on the windowsill and tried to break open the window (it was open but we had one of those locks that limits how far the window opens, so he didn't fit through the gap). They fled once we noticed them.
When we tried to report that incident to the police their first question was: Did they manage to get into the apartment? When we said no they told us there's nothing that they can do as the people who tried to break into our apartment weren't doing anything illegal.
Standing on someone's windowsill isn't illegal?
Probably trespassing but that's no reason to send officers after the event has occurred.
He was just doing isometric exercise. Nothing illegal about exercise.
You sound frustrated, like you think it’s a bad thing that the police have time to respond to these types of incidents. When you’re not in one of the big cities, it is in fact common that the police have time for this type of stuff (I live in Zeist myself and could see this type of thing happening here).
I think this is rather a signal that the police in Amsterdam are underfunded, and/or the types of crimes they deal with are much more severe.
Also keep in mind that it’s not a “search a whole neighborhood” situation, they got the exact GPS coordinates.
I think it's great that they have time to do that. I'm happy that somebody in this country has working public services.
I'm just honestly surprised. I've only lived in Amsterdam inside The Netherlands and wouldn't expect the police to respond to something like that.
> it’s not a “search a whole neighborhood” situation
> They gave the police the exact coordinates of my car and it only took the surveilling car 5 minutes to get to the car
In any case, it doesn't make much difference. I think if someone called the police here in Amsterdam with the exact location of a broken-in car they'd say tough titty and have the owner show up at the closest station and file a police report.
Well the call center said it was a break-in or an accident. I'm sure the Amsterdam police would come if it was an accident and someone could have been injured.
So all I need to do to get Amsterdam police to care about bicycle theft is to install some sort of ribbon that'll get torn off if the lock gets broken, which'll be indistinguishable from the frame getting broken in half ("an accident"). Hook that all up to a GSM modem and a call center and suddenly my local cops will care about crime.
Also known as crying wolf.
Don't you have insurance for theft? Kind of mandatory in Amsterdam.
Pushing the problem to insurers is blaming the victims, making them pay for crime.
Given that there's hundreds of thousands of bikes stolen a year and the chance of the theft being solved is very, very low, it's very much a "prepare for the worst and hope for the best" thing.
Also, in Amsterdam, don't get a fancy bike.
> When you’re not in one of the big cities, it is in fact common that police has time for this type of stuff
I didn't do a nationwide survey, but you can add two places in Limburg (Maastricht and a small town near Echt) to the list of understaffed places since they also wouldn't respond to anything that was not life-threatening (literally asked whether we were threatened with our life).
For added fun, you should try calling the local police on a public holiday. Better have a good reason for bothering these busy bees when they're all out on parking meter patrol!
You sound frustrated, but you clearly don’t know anything about how the police work. Parking fines are not issued by the police, that’s a job for the municipality.
> the types of crimes they deal with are much more severe.
Not just that, because of tourists misbehaving everywhere, there are also just way more crimes/disturbances than in a normal city/town.
Plus the fact that the number of policemen available is set according to the number of inhabitants, not the number of actual people (e.g. tourists).
As an American, I'm glad I'm not the only one :)
That said, I thought that car theft was all but gone in the US, at least for modern cars, whereas in Europe it still seems common. (Eg, if you follow international forums for newer car models, nobody in the US talks about theft anymore, but our European counterparts talk about these highly complex theft schemes). But then someone was posting about theft in Sacramento, so, I don't know.
There's a huge difference between the US and EU in this regard. If I steal a car in California and try to sell it in Nevada, I can expect to be arrested.
If I have a car stolen in The Netherlands and it's being sold in Romania, and I find out who's selling it and where, I'll be told that I have to travel to Romania and file a report with the local police there before they'll do anything.
The only inter-state enforcement we have in the EU is Interpol, which doesn't care about anything like that, they only handle the likes of violent crime.
So it's kind of like expecting to recover your stolen car from Mexico or Belize, except crossing the border is a lot easier.
Actually you would just have to file a theft report with the local police and the car would not even enter Romania without the driver likely arrested and the car confiscated, as there is a real time db of cars reported stolen that is shared among the EU members and more. I imagine it could take a bit more effort to actually get the car back. You would probably have to worry much more about the car being torn apart and sold for pieces or leaving Europe through Rotterdam.
Romania is not in the Schengen area so they shouldn't get there; the farthest they would get in that direction is Hungary, at least in theory.
Anyway, a few years ago my car was stolen in Slovakia (the insurance paid out so my loss was minimal) and was found after a year in Hungary. The thieves were trying to sell it but it was found out they had tried to change the VIN, because apparently you can't register a car with a stolen VIN in the EU. And that has nothing to do with Interpol as far as I know.
> Romania is not in the Schengen area so they shouldn't get there
Why is that? Plenty of stolen European cars roaming in Algeria and Tunisia. And with the help of corrupt officers they are registered here.
As I said, in theory, it should be very hard to get out of Schengen with a stolen car. But of course corrupt officials can help.
Registering a car with a stolen VIN should not be possible within the EU. Of course "should not".
Interesting because stolen cars are sometimes broken for parts, but perhaps there's no profit in that in US? There was an 'OEM+' car modding craze here a few years back where certain top-end Audis were being targeted solely for their front seats, which would then be fitted to older VWs.
And back when the S2000 was new, people were stealing them for the seats, and so on. But overall it seems like auto thefts have dropped precipitously since the 90s. Likely a combination of coordinated efforts and computerized DBs across states, cars getting harder to steal, etc, making it less worthwhile. Whereas, if parent is correct and it's easier to "get away with" in Europe, the remaining hurdle is technical, and quite an interesting problem to work around, even to this non-thief :)
Parts-related theft is here, but it targets a fairly different set of cars - generally somewhat older (so needing replacement parts) highly common cars. See: https://www.statista.com/chart/6551/the-10-most-stolen-cars-...
I suppose these make for less interesting news stories since they aren't nearly as tricky to steal.
If the old "Top Gear" shows are to be believed, eastern European countries are full of cars stolen from western European countries. Then there's this: (http://articles.chicagotribune.com/1999-12-27/news/991227006...).
Just got outta jail (again) couple days ago, Vista Detention Facility. Plenty of people were in for GTA (g-ride) or joyriding. My roommate is being bailed out of Banning tonight for joyriding.
I think it is easier to sell vehicles stolen in Europe. All a thief needs to do is drive the vehicle to Eastern Europe and there will be a buyer. Selling a stolen vehicle in the US is a lot more difficult.
Or getting it to Mexico, I suppose.
The key point isn't the BMW, it's the unspecified distress. Lives could literally be on the line, and a fast response might make a difference.
Intelligent design by BMW. Keep it vague, even though it should totally be able to differentiate between a sudden G-force, a button press, or an electrical issue (wire cut), but the car/call centre doesn’t specify the exact causative issue.
A simpler explanation is that BMW doesn't want to be legally liable if a car crashes but the special sensor algorithm reports it as a break-in, or vice versa.
After all, they're just sensors, and they're still just guessing. Far better for them to report "something is wrong" than to file a false report.
> because some BMW call center calls the police in the middle of the night telling them that some car reported unspecified distress within some radius
Isn't that much more severe than "window smashed"?
It's "Burglary in process, or someone might be dying, and you haven't received a 112 so no ambulance is on the way."
The BMW just reported some ambiguous state of distress, whereas a person calling the police and telling them that some car has had its windows smashed in in downtown is by all reasonable criteria equivalent to a burglary in process. If someone's not stealing from that car now, they will be in 5 minutes.
> The BMW just reported some ambiguous state of distress
It reported damage to the car severe enough to sever the door frame!!
Exactly this, not sure what sort of speed of impact you'd have to be in with an F30 3 Series to bend the window frame significantly enough to break that wire, but you'd have to imagine very high.
Don't you read the news? There have recently been articles in the international press that Amsterdam is a jungle right now:
> Official ombudsman, Arre Zuurmond told Dutch paper Trouw that "the city centre becomes an urban jungle at night".
He added: "Criminal money flourishes, there is no authority and the police can no longer handle the situation."
This article and the other one quoted from the Guardian are cherrypicking quotes to make it sound far more dramatic than it really is.
Total crime numbers in Amsterdam are down substantially on prior years (https://www.ois.amsterdam.nl/popup/1663). The number of Dutch prisoners have halved over the last 10 years. Dutch prisons are now so empty the space is being rented out to other countries (https://www.bbc.co.uk/news/magazine-37904263).
At the same time, the number of tourists to Amsterdam has increased 60% over the last 10 years. It is not surprising the numbers are sometimes difficult to manage.
But, speaking as someone who since 2000 has lived in Amsterdam or visited at least monthly, I have never felt safer in the city.
That is a British tabloid.
Here, have a Guardian:
A most damning indictment indeed.
No it is not.
I was in Amsterdam last weekend, at the party mentioned at the very end of the article. Thousands of people packed into the square on a Friday evening having fun. Minimal police and security guards present.
On the Saturday, hundreds of thousands of people visited Amsterdam to watch the Canal Pride on the Prinsengracht. The police reported minimal disturbances, and arrested a grand total of 25 people, 17 of which were for pickpocketing. That is a substantial reduction on prior years.
You miss the implication of the comment I was replying to.
The comment I was replying to was able to dismiss the legitimacy of the offending 'news' article with a simple observation.
I was commenting on the efficacy of such petty denigration, not the quality of Amsterdam's nightlife.
That’s how you sell newspapers and clicks.
I'm in Amsterdam quite often, it's just a short drive from where I live in Germany, and it’s a safe and fun place to be, if you take into account that it’s very touristy.
I’ve been watching the canal pride from a park this year and was amazed that people even actually cleaned up their mess. Very unlike at home, unfortunately.
The quote is specifically about a few areas like the red light district that see so many drunk and/or high tourists that the situation gets too unwieldy. Quite a specific situation that's not saying too much about the general crime level.
It's rich that a British paper publishes an alarming story on this since British tourists are a huge part of these crowds.
They didn't search the whole neighborhood. They got a call about a potential accident and ofc checked it out.
> The officer I spoke to was unable to tell me which phone number or external call center it was, but that it was, in fact, a call center. The message they passed on was that there was either a burglary attempt or that my car was involved in an accident.
That last bit is key: "or that my car was involved in an accident." An accident means people could be hurt which is something the police have to respond to.
> "Has anyone been hurt? Nope? Then we're not coming".
Sounds like San Francisco as well. Petty crime and theft go uninvestigated and run rampant.
The BMW customer engineers are smart: perhaps by design, their system doesn’t know if someone is having a heart attack, or a broken window, so they can push the emergency services to respond quickly and find out.
I had a camper stolen from in front of my house in about 30 minutes. The police never even bothered to show up and only put an alert out a good 5 hours after the theft, by which time I suspect it was either out of the country or parts in some chop shop's bins. Highly annoying. For all the cameras and tracking going on it is surprisingly ineffective to actually do something about a crime.
Why should the police be sent to a smashed window? Not much they can do at that point unless you caught somebody red-handed. "Yup, that window is totally smashed. OK, just file a claim with your insurance company."
Maybe I read too much about fooling fingerprint readers and think this is easier than it really is, but isn't it easy to check for prints in the car? In the general case, a shattered window means someone stole something and must have touched something in the car.
Of course not everyone is in the database, but if they are ever caught with anything they will be.
I suppose that cross-checking hundreds of possible prints against those of the owner and legitimate passengers would be quite a lot of effort for the slim chance of the burglar not having used gloves...
I know the guy, he lives in Utrecht, west of the A2.
This definitely isn't the first time this technique has been used. I'm sure I've heard many similar stories before and the internet backs me up.
Hi guys, very cool to see how this is being picked up over here. Shame on me, but I actually forgot to submit it to Hacker News.
The key fob method is out of the question for my car. I've known about it for a while and store my keys in special bags.
I see quite a few people asking why a sting wasn't organised. I of course shared the M.O. with the police and we actually had a few phone calls from them over the past few days. They are sharing the information with their colleagues but to be frank, they are not going to spend an entire night waiting around for a potential car theft.
We live in IJsselstein, a city just south west of Utrecht, and car burglary and theft is quite a big issue in our area. My previous car, a BMW F20, actually got broken into twice in 2 weeks. Both times they stole the entire nav system. I've become quite adept at filing reports, but besides filing a report the police can't do anything for you.
The first time it happened they asked me whether or not I saw visible blood stains. Only then would they send a patrol car to do sample research. In any other case, they just ask you to file a report and be done with it.
Let me know if there are any questions you'd like me to answer while I'm at it.
I'm also interested in writing some follow-up articles about car security/theft prevention. If there's anyone willing to contribute, let me know!
You may want to look into rewiring your OBD port so that it doesn’t work without you flipping a switch somewhere, or building a “key” with a male and female port + some wires, then storing the “key” in some hidden location (spare tire?).
Or just expose two data lines from the OBD wiring harness and jump them together. Remove the jumper to operationalize the OBD port.
FYI: cutting off VCC may not always work since some devices may derive enough power through other lines that have pull-up resistors to function. I’ve seen it happen in other industries.
Not sure if such products exist commercially, but it would have some value for someone to build them.
A few days ago, I read on the most reliable source in the world, the internet, that if you have a class 3 alarm system from BMW, the OBD port is blocked as soon as the alarm goes off. I do want to verify this with the dealer once my holiday is over.
I also read about the OBD key cloning, but I'm not sure whether or not that was an issue with the first F30s. I'm unsure whether or not it still works with the F30 LCI from 2017 that I have.
Oh, and get a dashcam with parking mode!
Front and rear. Maybe the sides too?
They’re increasingly inexpensive, and you can move them car to car as you buy/sell.
I originally bought a forward facing one, and as I’ve upgraded, my old forward facing one is now my rear facing one.
I've been thinking about that. A good one with parking mode and cloud support sets you back about 800 euro including installation. It could be worth it but the chances of the cops actually catching someone based on the footage is quite slim.
For hit and run accidents in which you can record a license plate it might be worth it.
Cut the cloud storage, install yourself, and buy direct from Asia. Except the flash card, buy that from Amazon. Then it should cost less than US$100 per side.
Oh dear. So we figured out that SD cards "directly from Asia" are either counterfeit, fake or low quality. But apparently cameras are fine? Well, good luck then.
I've anecdotally heard a lot of stories about the relay/replay attacks on keyless ignition systems used in many BMW models and other cars as well. No need to smash the window at all in some cases. Remarkably simple attack in principle, and probably a nightmare to explain to your insurer given there will be no evidence of a break in.
Makes you wonder if you should start storing the key in a metal/RF shielded box at home...
This has happened so many times (I've heard of at least 5) in the UK to Tesla cars that Tesla themselves sent out a warning with instructions on how to turn off the passive entry feature that allows this attack.
Here's a video of a relay theft (of a Merc) from West Midlands police in the UK...
Photo from a camera of attempted theft, from a UK Tesla owner...
Maybe you could stop this attack by having an IMU in the key so it only broadcasts the unlock signal while it's being held/moved.
Many suggestions for foiling this (including some interesting Tesla specific ones, like having the screen ask for a PIN), but the simplest is to just have the key not unlock the car unless a button is pressed.
Not a massive inconvenience.
If you had a receiver with nanosecond precision you could measure the distance to the key with enough accuracy that the relay attack doesn't work anymore. I don't know why manufacturers don't do that yet - I guess the parts necessary are still not available at scale yet?
I personally just keep the keys in a metallic bag at night, blocks all signals perfectly.
I have built an access control system that does a similar thing. Long story short: Time Of Flight is patented and no one can use it. Our system used a nice workaround... We tried to convince car manufacturers to use or license our tech and they seemed happy with their current stuff.
How can one patent something so obvious as measuring how far away something is based on how long the signal takes to bounce back? That principle underlies...so many things.
Edit: I looked up the patent. Here it is: https://patents.google.com/patent/US8930045. I understand that patents protect novel inventions and that under some standard this may be considered "novel". On the other hand, I myself have frequently used the technique of sending a signal, awaiting a response, and then using timing to derive the distance. It seems such an obvious application to this use case that there is nothing novel here.
Hmmm. 2013? I beat them by a year.
A few years before 2002:
You just have to convince the patent examiner that it's not obvious. There's bound to be prior art (radar), so it could probably be invalidated if you want to spend the money on it, and you don't have some alternative ready to hand.
It's coming in the next generation of keyless systems: https://www.3db-access.com/
I’m curious, why not just proper cryptographic challenge-response?
Key sends a “wake up” signal, car hears it and sends a random challenge, key receives it, signs it with its private key and sends it back. If the response is correct the car unlocks, otherwise not and the user can try again.
Seems like a solved problem really.
The entire point, rightly or wrongly, of keyless entry is that you never have to touch the key, simply have it somewhere in the vicinity of the car, such as in your pocket. No button pressing or user input. You approach the car and it is already magically unlocked and ready to be started, usually via a starter button on the dash.
Therefore the same concerns regarding relaying still apply, unless I’ve misunderstood your reply, but your later post suggests pressing a button on a key. If buttons on the key are pressed, this ceases to be “keyless” as the car industry understands it - this is back to conventional remote locking.
This is precisely how it works already, exactly as you described. The issue is that the relay just boosts the signal, so the car thinks your key is nearby, while in reality it's in your bedside drawer.
Why not relay that, too?
Relaying would still require the owner to push a button on the keyfob, right?
No. The point of this whole thread is there is no button so that when you approach the car it unlocks automatically. That's why this attack is possible by extending the range with repeaters. The key likely already has something similar to what you suggested but that can't prevent this attack.
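As an added example (not code from this thread or from any manufacturer), here is a small Python simulation of the challenge-response scheme proposed above, combined with the round-trip-time check suggested earlier in the thread: the relay forwards a correctly signed reply, so the MAC alone passes on both paths, while the time-of-flight estimate exposes the extra path length. All hop delays, the key processing time and the 2 m unlock policy are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed simulation parameters (assumptions, not any manufacturer's values).
C_M_PER_NS = 0.3          # radio propagation: about 0.3 m per nanosecond
KEY_PROCESSING_NS = 200   # time the key takes to compute its reply (assumed, known to the car)
MAX_DISTANCE_M = 2.0      # unlock policy: key must be estimated within 2 m (assumed)


class KeyFob:
    """Key side of the challenge-response: MACs whatever challenge it receives."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Channel:
    """Radio path between car and key, modelled as a list of one-way hop delays in ns.

    A direct path is a single hop. A relay inserts extra hops (repeater electronics
    and the link between the two repeaters) but forwards the bytes unchanged.
    """

    def __init__(self, key: KeyFob, hop_delays_ns):
        self.key = key
        self.hop_delays_ns = list(hop_delays_ns)

    def exchange(self, challenge: bytes):
        """Deliver the challenge; return (reply, measured round-trip time in ns)."""
        one_way_ns = sum(self.hop_delays_ns)
        reply = self.key.respond(challenge)          # a relay cannot forge this
        return reply, 2 * one_way_ns + KEY_PROCESSING_NS


class Car:
    """Car side: fresh nonce per attempt, MAC check, optional distance bound."""

    def __init__(self, secret: bytes, distance_bounding: bool):
        self._secret = secret
        self.distance_bounding = distance_bounding

    def try_unlock(self, channel: Channel):
        """Return (unlocked, reason, estimated key distance in metres)."""
        challenge = os.urandom(16)                   # random nonce: a recorded reply is useless
        reply, rtt_ns = channel.exchange(challenge)
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(reply, expected):
            return False, "bad response", None
        # Time of flight: strip the key's known processing time, halve, convert to metres.
        distance_m = max(0.0, (rtt_ns - KEY_PROCESSING_NS) / 2) * C_M_PER_NS
        if self.distance_bounding and distance_m > MAX_DISTANCE_M:
            return False, "key too far away, relay suspected", distance_m
        return True, "ok", distance_m


def demo():
    """Run the four combinations and return {(car_mode, path): unlocked}."""
    secret = os.urandom(32)
    key = KeyFob(secret)
    # Owner about 1 m from the car: roughly 3 ns each way.
    direct = Channel(key, [3])
    # Relay: car<->repeater A (3 ns), repeater link plus electronics (assumed 2000 ns),
    # repeater B<->key lying in the hallway (3 ns).
    relayed = Channel(key, [3, 2000, 3])
    results = {}
    for mode, car in (("crypto only", Car(secret, False)),
                      ("crypto + distance bound", Car(secret, True))):
        for path, channel in (("direct", direct), ("relayed", relayed)):
            unlocked, reason, dist = car.try_unlock(channel)
            results[(mode, path)] = unlocked
            print(f"{mode:24s} {path:8s} -> {unlocked} ({reason}, est. {dist:.1f} m)")
    return results


if __name__ == "__main__":
    demo()
```

As the thread notes, the hard part in practice is measuring these round trips with nanosecond precision and with a margin tight enough to cover the key's processing-time jitter.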
Is that how contactless payment cards are protected?
No, contactless cards could be hacked in the exact same way cars are, but it's not worth the trouble since you would need an authorized terminal and the most you could steal is £30 - it's just not worth the trouble.
Steal £30 off enough people, though - RFID/NFC has been demonstrated to have a range of several meters under some conditions, so just stick your equipment in a bag and wander through a shopping centre. Probably pickup a dozen or so. I understand those who buy RF-shielded wallets all too well.
But like I said, only an authorized terminal will process transactions, so you need to figure out how to get one. And then, visa and MasterCard take at least a week to pay out any money from card transactions - so your terminal and likely the entire account will get banned before you get a penny out of that money.
It's not that £30 is little money - it's that it's nearly impossible to secure a working terminal and then once you have that actually get any money out of it.
Like the parent comment said, you need an authorized terminal, which is linked to a merchant account, which is linked to your bank account (and thus your identity). What do you think visa/mastercard is going to do when the fraud reports start flooding in? Chances are, you're going to be caught before your first payment arrives in your bank account.
If you get a PIN number then it’s different. AFAIK there are contactless ATMs.
Contactless ATMs still require a pin - one of the defining features of contactless is that you can't get cash with it. If you ask for cashback at the till and use contactless then you also need to enter the pin.
Sure. Was just trying to solve the problem while keeping the same experience, which some automotive manufacturers must think is worth providing to customers.
Well, for some people, pulling the parking brake is a "massive inconvenience" which ends up having serious consequences.
Technology can't solve everything.
The entire idea of passive keyless entry is that you just have the keyfob in your pocket, and can enter the car as you approach it without touching your keyfob.
That also means that relay attack is always going to work. So either accept the risk or disable the feature.
The attacker could just wait outside your house for you to hold or move it as you head off to work in the morning, then come back at night to pick the car up.
It doesn't work like that. This can't be recorded and replayed later. This attack works by extending the range of the exchange between car and key in real time using handheld repeaters.
That's actually not hard to explain to your insurance or the police at all. This happened to me 5 weeks ago. The car was parked directly in front of my entrance door and the key was basically on the other side of that door.
The scene of my car not being where it was supposed to be was so surreal that I did not even realize it was missing the first time when I walked out with the trash. I basically walked around an invisible car.
Only when I wanted to leave the house and thought, well, isn't my car supposed to be there, did it dawn on me that something was amiss.
When I went to the police, the first thing they asked me was how far my keys were away from the car. My insurance was asking the exact same thing.
Remarkably the car was found when the police in our neighboring country stopped a driver under the influence of drugs.
Getting the car back (still ongoing) was so much hassle that I almost would be happier if it would not have been found.
It goes without question that all my keys are now stored inside a metal box when not in use.
I was a bit worried that the box does not shield the signal enough. The best way I could think of to test it was to put the key inside the box and hold the box to the steering column and try to start the car. It's probably not foolproof but I hope it is enough.
Well, now when that technique is well known it's another story.
It's like the case where PIN numbers on credit cards were cracked, but because no one knew it could be done people were assumed to have been negligent if the thief knew the code and were automatically denied any compensation.
... until they caught the guys.
> Getting the car back (still ongoing) was so much hassle
I'm very curious to know why it was such a hassle. Unless the police were keeping the car as evidence in a truly major crime, why wouldn't they immediately give back your property?
Ok, I'll try to post a quick summary.
As background info: the car was stolen in Austria and 5 hours later stopped in the Czech Republic close to the border with Poland. It is a leased car, so there is also the leasing company involved in all decisions.
Since it seems to have been part of a bigger operation (several cars stolen over the weeks prior) a special unit working on this case got involved (from the Austrian police).
When I contacted the insurance they had me sign a waiver that I would also take back the car if it took longer than a month to return it. This should have rung some alarm bells but I was still optimistic; after all I could have basically taken a train to the Czech Republic and driven back on my own.
Then it was week after week of people shoving the responsibility back and forth.
The Austrian police wanted to get the car to do a forensic analysis, and wanted it to be hauled back on a truck instead of driven. The insurance company flat out told them no, because it is too expensive.
Then I had to send my key to Poland (kind of ironic since this was the intended destination of the car all along) because the employee of the company that would collect and return it was located there.
After 3 weeks the officer in the Czech police was on vacation (pro tip: don't let your car get stolen during the summer vacation period :) ). The following week the insurance company wanted to know if they can finally collect the car. The Czech police told them basically yes, but the Austrian police had not given their OK, and now the Austrian officer on the case was on vacation.
After the 4th week, when everyone finally thought that it could be returned, the Czech DA said they needed to wait a bit longer because they still needed it for the case against the thief.
Now it's week 7 and I have at least seen my car after it was hauled back to the car dealer, where the insurance company has sent an adjuster to check what needs to be repaired (they have cut the connection to the car telemetry unit and caused a few scratches on the front fender).
I am not yet allowed to drive it home since those things need to be repaired first.
So my expectation is that I will get it sometime later next week, which would then be 8-9 weeks in total.
> The scene of my car not being where it was supposed to be was so surreal that I did not even realize it was missing the first time when I walked out with the trash. I basically walked around an invisible car.
This reminds me of the street cleaning hazing ritual most newcomers to Cambridge, MA go through. I was about to call the police and report a stolen car when I saw the street cleaning sign and realized the day it specifies was the present. Either way not a happy feeling.
> I was a bit worried that the box does not shield the signal enough.
They make "Faraday Bags" exactly for this purpose.
>They make "Faraday Bags" exactly for this purpose.
Only "they" do not certify them in any way (for several reasons, including the fact that there is not - yet - an accepted standard for measurement), and in any case a Faraday bag (in the sense of a mesh) may be very effective at a given frequency and almost transparent to another one.
A tin box should always outperform a Faraday bag in shielding RF.
I needed a quick fix that everyone in our house would be adopting quite quickly, and it should also fit into the style my wife used to decorate the entrance area. So the bowl where our keys were usually collected was replaced by a metal box with a lid.
However, in the long run I won't bet on workarounds to prevent the signal from being repeated; I will rather use one of those steering wheel locks that's brightly visible from the outside. That does not prevent someone from breaking into the car, but it will prevent them from easily driving away with it.
A security camera has also been placed there, so I hope overall it is enough of a deterrent.
I think you can also disable the keyless entry (that is, entry without hitting a button on the fob) in most cars. Said cars should also just stop if it doesn't detect the key while driving, so starting keylessly should still work.
> "probably a nightmare to explain to your insurer given there will be no evidence of a break in."
Is that really an issue? This isn't the first type of theft that doesn't require a break-in. Tow the car and there's no evidence either.
If you say it's been stolen then it's been stolen. File the police report and that's the end of that, no? Unless they have specific reason not to believe you personally (history of fraud), it'd be a crappy insurance company that would question it.
True, it's probably not _that_ hard, but I doubt it's all that great an experience either. At least with towing there is arguably a significantly higher chance of witnesses or CCTV footage of a number plate, and on most modern luxury vehicles it will trigger the alarm. With this attack it looks like the driver simply opened the door and drove off as if they were the owner, which is far less likely to arouse suspicion in most neighborhoods I would imagine.
A personal anecdote from this side of the table.
Back in early 201x I was asked to take a look at a certain car manufacturer's project proposal. They wanted to introduce keyless unlock and ignition to their line.
I got the spec and the proposal. There was no security - the number of possible signalling combinations was in low thousands and the system was completely open to trivial replay attacks. So I got back and laid out my concerns and requirements: unique keys per car, strong nonce and proper cryptographic setup to make replay attacks impossible. The manufacturer balked, claimed it was too expensive and we lost the project.
Less than a year later a certain Mr. Miller demonstrated the very same type of key-fob replay attack against a different manufacturer.
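The two designs contrasted in this comment, as an added example (not the manufacturer's or the commenter's code): a static unlock code that any eavesdropper can resend, versus a per-car key answering a fresh random challenge. HMAC-SHA256, the 16-byte nonce and the sample code value are assumptions made for the illustration.

```python
"""Toy model of a fixed-code fob versus a challenge-response fob.
Added example; protocol details (HMAC-SHA256, 16-byte nonce) are
assumptions, not any manufacturer's actual design."""
import hmac
import secrets


class FixedCodeCar:
    """The proposed design: the fob sends one static code, nothing else."""

    def __init__(self, code: bytes):
        self.code = code

    def unlock(self, message: bytes) -> bool:
        # Anyone who has overheard the message once can send it again.
        return hmac.compare_digest(message, self.code)


class ChallengeResponseCar:
    """The recommended design: per-car secret, fresh nonce per attempt."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = None  # nonce the car is currently waiting on

    def challenge(self) -> bytes:
        # 128-bit random nonce: a recorded answer never matches a new one.
        self.pending = secrets.token_bytes(16)
        return self.pending

    def unlock(self, nonce: bytes, tag: bytes) -> bool:
        if self.pending is None or nonce != self.pending:
            return False  # stale or forged challenge
        self.pending = None  # each nonce is accepted at most once
        expected = hmac.new(self.key, nonce, "sha256").digest()
        return hmac.compare_digest(tag, expected)


class Fob:
    """Fob holding the car's secret; it only ever answers a challenge."""

    def __init__(self, key: bytes):
        self.key = key

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self.key, nonce, "sha256").digest()


def replay_against_fixed_code() -> bool:
    """Eavesdropper records the owner's unlock message and resends it."""
    code = (1234).to_bytes(2, "big")  # constructed: one of a few thousand codes
    car = FixedCodeCar(code)
    recorded = code  # what the owner's fob transmitted while overheard
    return car.unlock(recorded)  # True: the static code still opens the car


def replay_against_challenge_response() -> tuple:
    """Returns (owner_unlock_ok, replayed_unlock_ok)."""
    key = secrets.token_bytes(32)
    car, fob = ChallengeResponseCar(key), Fob(key)
    nonce = car.challenge()
    tag = fob.respond(nonce)
    owner_ok = car.unlock(nonce, tag)  # legitimate session succeeds
    car.challenge()                    # next attempt gets a fresh nonce
    replay_ok = car.unlock(nonce, tag)  # recorded pair no longer matches
    return owner_ok, replay_ok


def fob_opens_other_car(unique_keys: bool) -> bool:
    """Why each car needs its own key: with one fleet-wide key, the fob
    for car A answers car B's challenge correctly."""
    key_a = secrets.token_bytes(32)
    key_b = secrets.token_bytes(32) if unique_keys else key_a
    car_b = ChallengeResponseCar(key_b)
    fob_a = Fob(key_a)
    nonce = car_b.challenge()
    return car_b.unlock(nonce, fob_a.respond(nonce))


if __name__ == "__main__":
    print("fixed code, replay works:", replay_against_fixed_code())
    print("challenge-response (owner, replay):", replay_against_challenge_response())
    print("shared key, foreign fob works:", fob_opens_other_car(unique_keys=False))
    print("unique keys, foreign fob works:", fob_opens_other_car(unique_keys=True))
```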
I keep my keys inside of these: https://www.amazon.com/Faraday-Wisdompro-Blocking-Shielding-...
I already do. I keep the keys to my Mercedes in an RFID-blocking bag next to my bed at night, because unfortunately it's vulnerable to that exact type of attack.
The thieves would have been wiser to take something, anything to make the narrative of the original break in more believable. They didn't sell the narrative well enough, which left people curious.
Maybe there was nothing in the car, but you are correct, should have taken something or at least opened the glovebox to make it seem like they were searching for valuables and found nothing.
Given that they knew exactly which system to disable, they probably also knew that the call center will be contacted the second they broke the window, and the police could be there within minutes. I don't know how well secured anything stealable is nowadays, but I can imagine it'd take a few minutes to remove e.g. the navigation system.
I wonder why they bothered with the smash - broken glass would make people take their car to a dealer. Just the "failed jimmying" might have gone if not unnoticed as a police issue procrastinated in fixing. Maybe they were just frustrated auto thieves.
How would they have disabled the alarm without breaking into the car?
> The other one was an air pressure sensor, used for detecting sudden changes in air pressure. This is the sensor that will, among other things, detect a broken window.
There's an old saying about not committing more than one crime at a time.
The cops probably scared them away while they were in the act.
Why did they not park the car back and wait with the police on call in order to catch the thieves that would have come back the next night?
I had a phone stolen recently at knifepoint (attempting to sell it on a classifieds site). When I told the police I could make them come back next day (posting another ad, etc) they wouldn’t give a shit.
I suspect this is the same reason.
You'd have to get the Japanese police involved.
With the alarm disabled, they could wait a month.
I'd argue they would have to act quickly though - there was an alarm going on the dashboard when the car was started.
I would assume because of the short timeline, the novelty of the technique, a lot of paperwork being involved, and possibly a whole different police department that would have to do it.
I was sure he would wake up next morning and find the car missing. I think he was really lucky that this wasn’t the case and the thieves waited(?) for the next night.
Yeah, I don't understand this. After you went through all the work of disabling the SOS, you can just take the car then, unless breaking the window was the way they initially got inside, and maybe they were thinking that the person would blindly repair the broken window to increase the value of the car on the black market? I don't know.
When they broke the window SOS was triggered. They knew this and that Police were en route.
When they cut the wire in the pillar, they didn't disable SOS, they disabled the triggering mechanism. The idea being that they would return and break the window again only SOS wouldn't be triggered because that wire was cut.
Because the police arrived 5 minutes after they disabled the SOS button.
The next night, there would be no SOS notification when they broke the window again. Or maybe they'd only have to tear away a plastic bag, if the owner hadn't gotten the window replaced.
Or maybe they were hoping to find a valet key in the car, making their job even easier, either that night, or the next night.
I don't know why he didn't talk to the police and tell them what he suspects and see if they would set up an ambush for the car thieves that night. Put the car back in place and wait for them to show up
The thieves didn’t have to come back the first night. Could have done it weeks later.
Yeah but would you drive around in your brand new car for weeks with a big SOS error light in the dashboard? Knowing it's covered by insurance and/or warranty, too.
The theft relies on the few people who would actually ignore the error light, I mean theft shouldn't be so easy...
Wouldn't a jammer do the thing?
After the first paragraph(s) I was expecting the security center to be fake, the actual thieves, and have them send out a 'customary repair service' that would have to take the car back to the dealer or something.
The smart thing to do would have been to leave your car outside again, and have the police hidden down the street, so when they returned they could catch the crooks!
I think the proper course of action in that case was to return the car and do an old fashioned stake out with lots of beer.. I mean Red Bull and catch the burglars red-handed.
yes. I honestly don't know why this was not done. It sounds like the most obvious thing to do if you know that the burglars are going to come back anyways the next day.
Way to catch some sophisticated thieves, and if they don't show up anyway, then stop going to that dealership.
It's clear what has happened here...
Cutting that wire loom disables the car's 'call home' functionality (probably by cutting its antenna), as well as conveniently disabling the alarm.
The thieves who cut it this time were too slow though. Presumably, the 3G connection takes ~30 secs to boot up, find a cell tower, and connect to BMW servers. The thieves hoped to break the window and cut the loom immediately, before the connection to the server was made.
Aren't they just always on? Also the modem would have to be on the other end of that cable loom for that to work when it's much more likely to be down in the glove box with the rest of the control modules and you don't need an antenna that long for a WAN modem.
You probably want the antenna away from all the metal body panels of the car. Hence normally running a cable up the A pillar.
The modem itself probably isn't booted up to reduce vampire power drain. If it was always on, it would drain the battery after a few weeks. More likely, when the alarm goes off it starts booting up.
My cell phone still gets decent signal sitting down in the center console in the cubby below the entertainment system, enough to stream music at least which is more than it'd need for an SOS function. If your phone can send a text it's got more than enough signal to do the SOS functions.
I’m surprised they wouldn’t just arrive with a GSM/3G/LTE jammer to begin with.
Assuming it's not always-on.
More surprising that the car has some call home feature that the owner doesn't seem to know about.
Having recently gotten a new BMW (in USA), they give you a huge packet of about 30 pages explaining the BMW TeleService and the "SOS" button. They also make you sign a power of attorney-style doc giving them rights to notify police in case they believe your vehicle is in trouble and provide police/EMS with its exact location.
Mercedes and Audi have similar systems, as do others via OnStar. This is one of few cases where i believe having an "oh shit" button/system that automatically activates in case of serious accident or another event is valuable.
EDIT: oh, and this is entirely opt-in, at least on BMW.
BMW offers a car-sharing service in some cities in Europe through a joint venture with Sixt, called DriveNow. Some assholes like to take these cars and go for joyrides/street races. One of these idiots ran over a bicyclist and killed them. The court/prosecution asked DriveNow to give them the "black box" data of GPS location/heading/speed, but the company doesn't monitor GPS during trips. The court asked BMW, and BMW could comply. A bit freaky...
(After reading more about it, the black box is only for cars used in this service, and apparently BMW and DriveNow have a "data protection firewall": BMW only tells DriveNow where the trip started and ended, and doesn't know who rented the car, and DriveNow knows who the renter is but doesn't know more other than the start/end of their trip)
It's in some cities in the US too. It's not freaky at all for a company to want to protect their assets (the DriveNow cars). Mercedes Benz does this with their Car2Go cars as well, and I'm sure ZipCar also does this too. They have custom software running to enable all the DriveNow/Car2Go functionality.
No, not entirely. Please give me the instructions on how to opt out. Whenever someone asks (which is rare), the forums are filled with replies like "why would you not want BMW to monitor you? are you a fraudster?" IOW the forums do not know how to opt out either.
Every time I take my 2016 in to service, I ask both sales and service to disable teleservices. They say they cannot. I then call BMW teleservices (every time), and they tell me that the dealer has to do it.
There are explicit instructions from BMW online that in Germany you can take it to the dealer to have it disabled. No mention of any other country.
Yes, the emergency aspect of it is valuable. It's not worth the compromise in privacy, at the complete discretion and ineptitude of a corporation that has a profit motive.
In 2016, I certainly did not sign (and was not asked) any kind of doc authorizing location disclosure. My car definitely does have teleservices activated. (don't know if they will report my location)
There are three components to my knowledge. Below is my anecdotal knowledge, so please verify if needed :)
- remote car monitoring/BMW Connected app. This can be tweaked (it's off by default) via iDrive. I believe there is also some anonymized sharing with "ParkNow" and real time traffic apps.
- maintenance notifications. This is on by default and can be disabled in BMW's new "my car" website. They also send you a postcard letting you know it's on periodically.
- "SOS" services - I would call BMW and ask to have it turned off (it's on by default). The signing of the doc might depend on the state you're in. Mine's NJ reg, but NY dealer.
If BMW ever shares the location data with third parties other than police, I would have major issues with all of this.
To answer the sibling post, SIM cards are located inside the Navi computer, which is a big gray/black metal box behind one of the side access panels within the trunk (or under the trunk for most sedans). BMWs can also be coded (google that; the dealer won't do it) to not use SIM data completely. If you truly want teleservices disabled, find a friendly BMW modder shop adept at coding and they'll help you void your car's warranty :)
> If BMW ever shares the location data with third parties other than police, I would have major issues with all of this.
By that time it would be too late. And the problem with privacy-related info (like location history) is that once revealed, it can’t be re-secured. So the only proper fix is to not collect it in the first place.
Also BMW is a car company. Consumer data protection is not their core competency. The info may not be intentionally revealed. A rogue employee may decide to listen in (as in the OnStar case). We can’t know what controls they have in place to mitigate risk. Since I obtain almost no value I want to be able to opt out. That they make this difficult is so aggravating. But I love their cars. I wish I could quit you BMW.
I wonder if GDPR is a factor for new car sales. In fact maybe that’s why you got a big packet and had to opt in, and back in 2016 it was instead quite impossible to opt out.
GDPR is quite hard on the fact that you must opt in. It can be argued that using the services they provide is enough of an opt in, but the GDPR states that they must explain in detail what they collect and what they'll do with the data.
Under the GDPR you could force BMW to hand over what data they have on your car. That way you would at least have some idea of what gets stored and for how long.
As a US citizen residing in the US, no I couldn't. (They might voluntarily disclose, applying GDPR globally, but they aren't required to do so.)
Additionally, my interaction is with BMW USA, not BMW AG. If teleservices is instantiated locally in the US for US customers, then it's doubly the case that BMW need not respond to any such inquiry.
> I wonder if GDPR is a factor for new car sales.
You brought the GDPR into it.
Can you pull the SIM card?
Cards can be pulled physically but not replaced without changing out hardware associated with telenav units.
No, because this is an embedded system and fiddling around with that is maybe going to void your warranty?
Not in the US. So long as your changes don't cause damage your warranty can't be voided.
I've known about the SOS button since I've been driving BMW for over 6 years. Luckily, I've never been in a situation where I needed to use it.
What I didn't know is that it would dial home if the connection was lost. Even the person I spoke to at the dealer wasn't aware of this.
Almost every major luxury car has a feature that reports on the operation of its self-driving(-like) features, data which is used to refine the next generation.
Many products have features the owners don't know about. Intel ME was a hidden feature of Intel processors for a while before anyone figured out it existed.
No it wasn't, it was well documented in marketing, sales and technical literature/documentation.
It seems overly complicated when just relaying your key fob is a known attack that's working. The scenario of them just failing to steal the car seems more plausible.
Would it be possible that the order of actions was actually different? The thief first pushed thin tools through the door gasketing and actually cut the wires from the outside. Not sure how well and how successfully, but I actually presume that this wasn't as good a cut as they tried to achieve. Then, they tried to break the window and continue with the theft, but the system reported them too fast anyways...?
I doubt that this is what happened. I'd like to see someone remove the jamb cover from the outside and also cut the loom from the outside. Not sure what kind of tool would be able to fit through the door and do these things. You can clearly see on the third image that they forcefully removed the cover with a screwdriver or something else since it's completely bent.
The author also mentions that these cars have radar and air pressure sensors - I don't know how accurate these are, but forcing something through the gasketing could cause a change in air pressure enough for it to trigger.
If you have a car that has keyless entry, store your keys in a metal box and confirm it won't unlock the vehicle even if you take the box and put it next to your door. Also if you drive a modern Ford do everything you can to block access to the OBD-II port as they can clone a key in seconds using special tools.
Funny reading this. I had the same experience with a rental BMW 530 in Italy.
Nothing stolen, only the window shattered and SOS going blind.
I left for Germany that day though, so I must have been lucky.
Thanks for posting
BMW burglars appear to be very skilled. The entire board computer was taken from a friend’s car and the screws and cables etc. were all tidily set aside as if it was a professional replacement. And this within an hour, on the front porch.
Well, I assume that the burglar was paid, de facto making it a professional replacement.
> The entire board computer was taken from a friend’s car and the screws and cables etc. were all tidily set aside as if it was a professional replacement.
Probably the thief didn't want to risk any kind of damage on the board caused e.g. by shorting two wires during cutting the cabling and thus shorting a capacitor on the board.
Makes me wonder how many of the thieves of modern cars are professionally trained service people from the respective car companies who are paid off to get the vehicle into a state where it can be cleanly taken away.
You are basically just paid to bypass security.
The difference is that in IT, whether you are a professional or not, the systems you’re working on will still ask you for authentication.
In cars, it’s security by obscurity. If you know the protocol to talk to the car’s computers via the OBD port, you are pretty much root without even providing any credentials.
Since all protection in cars (no matter how complex it is) is mass produced, it is very easy for thieves to purchase the same/similar car and study it. However, I'm wondering what will happen if an ordinary Hacker Joe (a guy who knows a little bit of electronics and software) installs custom protection, no matter how simple it is?
Knowing that for thieves the most precious resource is time, if you force them to work more than expected, they might give up...
Thieving isn't a good life -- for one thing, thieves lie awake at night worrying that someone's going to steal their stuff.
I wonder if they were in fact intending to steal the airbag, but were disturbed in the process. Airbag theft is fairly common and lucrative. You can extract the A-Pillar bag through the window without opening the door. In cars without the radar/pressure sensors you have some chance of doing that without setting off the alarm.
Immediately, I'd be wondering what very powerful spy agency or organisation felt the need to break into my car, and why.
I'm not sure I'd be so paranoid. We've read of people managing to hack the key openers, etc. They're an attractive target.
I mean, if you were going to leave a box containing $30,000 on your doorstep, a box not only containing 30k, but a box that was labelled as containing 30k, how would you protect it? Put a serial number on it so you can prove it's yours? A bike lock? A motion sensor? Cement it into the ground?
What lengths would you expect someone to go to, to try to walk away with this box? Just give it a little kick to see if it moves? A screwdriver or a pry bar? Angle grinder?
Once you divorce yourself from the commonality of a car, it's quite bizarre to think that not only do most people leave their second most valuable possession (or most valuable, if you rent your home) on their doorstep, but that they just assume it won't happen to them. It doesn't take a targeted attack for someone to realise that that exposed, valuable, mobile asset is... well, exposed, valuable and mobile.
$30k in cash is not the same as a $30k car. A $30k car that's been stolen is not worth $30k, then there's liquidity, risk and a bunch of other things. Having your car parked outside is not at all like having a box containing $30k outside your house.
I have to worry about a $1,000 bicycle. For some reason it's just socially accepted that this will happen to a $1,000 bicycle. But park a car worth an order of magnitude more, and the level of worry actually goes down. That's the bit that throws me for a loop.
I'm not trying to argue that anyone should live in fear. Just that assumptions of state-sponsored action severely overestimate which ballpark this lives in. This is more complex than an opportunistic thief, but well within career criminal - and probably well below "steal to order".
That's because most of us recognize that 20 seconds with an angle grinder will make that $1,000 bicycle disappear. 20 minutes at a stolen bike dealer - which are everywhere - will turn it into $50.
20 seconds with an angle grinder will not make a $30,000 car disappear. Selling it on the black market is also a much bigger pain in the ass than selling a stolen bicycle.
People leave $300,000 homes unattended all the time - protected by nothing more than a flimsy lock and a few panes of glass. Yet, most of the time, people don't worry about someone stealing their house.
A bicycle is also often more than an order of magnitude easier to steal; you can't just pick up a car, and a bolt cutter won't cut it even for a car worth $5,000.
well then is it closer to having a box with $15k? $10k? $5k? In all these situations, the incentive is still there.
Probably $3-6k but with the associated risks and punishments of a $30k crime, and much more if you happen to have a firearm on you while committing it.
This is Europe, nobody stealing a car is carrying a gun.
Presumably it takes a business and facilities to realize its value, so the barrier to entry is high. Like the thief needs access to a shady used car dealer or shady used parts business, unless it's a low volume rural thing where they can strip cars in the backyard and sell parts on eBay.
Assuming the $30,000 car is one ton, that's only $15 per pound of car... Not too valuable.
Amsterdam to the Polish border is 8 hours. Do you think it'd be worth $1000/hour?
(Yes, this is perpetuating a horrible stereotype. Nothing personal, Poles, you just happen to be the closest border for this particular stereotype.)
Nah, BMW thieves are incredibly resourceful. They managed to steal parts of the dashboard and airbag from my neighbour's car, without further damage, while in the driveway with the alarms not triggered on a modern 3-series. All the neighbour noticed was the dog barking a few times at night. We all sleep within 30 ft of that car. Practice makes perfect. Those parts are sourced to eastern Europe and are stolen on demand.
It's a widespread problem right now. It happens in waves, and if you go to BMW dealers in larger cities it's not uncommon to see 4-5 5 series missing the dashboard and airbags.
What I don't understand is what are they using it for? Can they upgrade older models with it?
Sorry for the late reply. The story (I'm in insurance, but have no means to check for validity) is that in Europe total losses are sold for their chassis numbers and then pretty much built up from stolen parts in Eastern Europe. I had a bad run-in with a similar situation when someone crashed into my rear and the offer for the wreck was way high. That meant I had to go get a new one, since via technical total loss I could not get my own car repaired without financial risk.
Crashed vehicles will need replacement dashboards and airbags, probably stealing them to do dodgy repairs on cars that have been in big accidents.
Hardly, this was a very unsophisticated attack, they cut through the entire loom as opposed to through individual wires so it was quickly noticeable what had occurred.
Did you even read the article? They knew enough to disable SOS and interior car alarm sensors in a seemingly subtle way most people would dismiss. Maybe they should’ve taken their time and waited around for police?
What’s unsophisticated is stealing a radio or nav by slashing the back of the wiring loom, and then the owner having to replace the entire loom at the cost of many thousands of dollars. It sucks but that’s life. Car thieves aren’t your friends, DGAF about damage, and those that don’t operate on a “speed is life” principle get caught. Maybe you should show a little respect to the knowledge and tactics demonstrated?
Why should they show respect to these car thieves? They made a valid point; it's easy to imagine an attack like this being done better.
That agency would have jammed communications in the area so no alarm would have been raised, unless raising an alarm was their actual purpose.
Signal jamming will trigger high-end car alarms as well.
Also, if the alarm is connected to a security provider, a disruption in communication with the car will also cause them to follow up on it.
What is this magical land you live in where signal jamming triggers a CAR alarm?
PDF alert: https://automotive.vodafone.co.uk/media/239296/stolen%20vehi...
I wouldn’t trust a mobile carrier with anything - they can’t even protect their mobile customers from basic stuff such as SMS spam or eavesdropping via SS7.
Not to mention, I technically can’t see how this thing will be able to phone home if the mobile phone frequencies are being jammed.
That would make me crazy. Before an important meeting that would seriously throw me off. It's a good play
They were in possession of a 0-day for this car
Probably not necessary to flatter oneself in such a fashion.
In Sacramento car theft is a big problem. The scheme there is to steal a nice car, purchase a wrecked one at a lot (salvaged) for pennies, then swap the VINs and serial numbers with the salvaged car, then sell it. It works really well. So if you buy a used car in Sacramento there is a 90% chance it has a salvaged title.
However large an issue it is, I'm pretty confident a majority of used cars sold in Sacramento are not stolen, let alone 90%. (Maybe you were just exaggerating.)
The author should feel lucky that he encountered "fancy" thieves.
Modern cars are so hard to steal that most thieves resort to violence to get your car.
Contrary to insurance companies, I'd rather have my car stolen than be knifed.
It would seem the person took the time to review a wiring diagram or had some previous experience.
Hope he still went on vacation as planned, I kind of miss that information
We are actually. Not with the BMW as intended but with my girlfriends car. Currently driving from the south of France to Bretagne for our last week. The car has been fixed by now and will be picked up the 18th. I'll update the article later today too!
The current modus operandi is to find your BMW/Land Rover/Mercedes. Wait for it to come to your hand carwash, tyre company etc and get uninterrupted access to the OBD port along with the key. Program new key, find the address of the vehicle, walk up a few days later and drive it off at 3am in seconds.
If that's too much like shooting fish in a barrel, then the 'keyless relay theft' is probably more your bag. Using a relay transceiver, if the key is in the house within range, then you can trick the motor into thinking the key is present. Many cars will allow you to continue to drive them even if the key is out of range. Provided you don't turn the engine off, this gives you plenty of scope to get away and clone a new key in the meantime.
TL;DR, OBD and keyless technology are basically flawed. The best countermeasure is a good old fashioned crook lock.
Sounds like a perfect opportunity to do a sting.
Just use a steering wheel lock.
Thieves are usually lazy and they don't make more effort than required.
My friend has holes in the front of the car to make it easier for thieves to attach a hook and then tow the car into a truck.
But if you put pressure above a threshold on any of the holes, car keeps sending one SMS to his number every 5 minutes.
This is in Romania.
How is cutting the line to a car's panic button unlike cutting a car's brake line? (that is, attempted murder)
Even cutting brake lines wouldn't automatically be attempted murder; it would depend on circumstances. Equating that to cutting off the panic button is quite a stretch though. I've never owned a car with a panic button, nor known anyone whose life one has saved (unlike brakes).
I imagine they hoped to steal it before anything were to happen to the owner.