Keyless BMW cars prove to be very easy to steal

A lot of higher end cars are now coming out with RF fobs that unlock and start the car. There is no longer a physical key that is inserted in the ignition. It turns out that for BMW this means stealing the cars is extremely easy for a sophisticated criminal. We always liked the idea of metal keys that ALSO had a chip in them. The two-tiered security system makes sense to us, and would have prevent (or at least slowed down) the recent  rash of BMW thefts that are going on in the UK.

So here’s the deal. A device like the one seen above can be attached to the On-Board Diagnostic (ODB) port of the vehicle. It can then be used to program a new keyfob. This of course is a necessary feature to replace a lost or broken device, but it seems the criminals have figured out how to do it themselves. Now the only hard part is getting inside the car without setting off the alarm. According to this article there are ultrasonic sensors inside which are designed to detect intrusion and immobilize the vehicle. But that’s somehow being circumvented.

You can check out a keyfob programming demo, as well as actual theft footage, after the break.

Fob programming demo

Theft video

[Thanks Lee]

83 thoughts on “Keyless BMW cars prove to be very easy to steal

  1. Chrysler has a solution to this. When trying to reprogram new keys to their LX platform cars, you have to wait for 15 minutes once starting the no existing key procedure…

    You also need the (available for free from the dealership) 5 digit code.

    1. The code they require is generated by software, that can be relatively easy hacked. Mercedes have a similiar system on their cars but with an addition key that you require.

      For many other things the mercedes star system requires a passcode from head office in germany. Although recently one can buy a genreator to generate these codes, that even the dealers dont have!

    2. May be able to be overriden.

      In the case of the VW systems, the secret key code is stored in the instrument cluster EEPROM.

      Which can be dumped over OBD – I’ve done it to reprogram keys for people that don’t want to pay the dealer a ton of money to get a key programmed (and the dealers never see the code, they get it from an automated system, whereas I get the code in front of me).

      However, the VW system does have a time delay on programming – I think 1 minute for every attempt to start with a non-programmed key – on later versions.

      Wouldn’t be surprised if some device (I’m guessing the videoed device is one of them) could get past that restriction, but as I’m not stealing cars (actually, the cable I use for EEPROM dumping, I mainly got it for reflashing ROMs into different clusters so I could upgrade my cluster to one from a different model, with more features, but still maintain compatibility with my engine), I don’t need that ability.

      1. On the Mercedes system they are stored in the EIS Eeprom (electronic ignition ecu). It also has to match up with the cluster, and the engine ecu. Most likely a similar situation.

    3. That is a rather old system. And you are slightly wrong. If there is no existing key you have to repeat the procedure three times without stopping. It takes around 46-48 minutes. Plus you still need to have the biting decoded.

      But the sad part of it is, after you do this then all other keys will no longer work ever again.

      If you do have access to a correct key then you can just put it in and turn it, take it out, then do the same to a new key with the same biting. This will get you a duplicate.

  2. If I were designing these cars I would focus more on making the doors harder to bypass seeing as the most time consuming and risky part of the operation would seem to be getting into the car.

    From the carjackers POV I can’t see much difference between keyed cars and fob cars, its just trading one set of skills for another.

    1. … focus more on making the doors harder to bypass …
      Unless it has impact-resistant/bullet-proof glass, it’s not hard to get inside any vehicle.

      1. @+1 Bard:

        You are right. It isn’t.

        “Locks keep out only the honest.” It’s an idea centuries old.

  3. RF keys are cool and all, but i think i can just use my good old fashioned secure key-ed entry. Or maybe I could get a small arduino to power a fingerprint reader and a relay to start my car.

      1. Well thats why the relay would be inside the dash, inaccessible. And since it is a personal hack, i doubt the car thief will have that much electronic background and if he does i doubt that he will be able to figure out my circuit that fast.

      2. most cars disable the fuel injectors and ignition coils also. it’s one thing to get the fuel pump going and crank, it’s another to coordinate spark and injection.

      3. Im saying i would put a relay across the key ignition in a normal car. Which would in essence just bypass the key. So i dont have to worry about bypassing anything, the car would just think there is a key in the ignition. And the only thing you would need to do is scan your finger then press the start button or something.

      4. Sounds great, too bad you did not bridge the fuel pump relay that my car alarm takes out when it is armed. If you dont do a full real disarm, the fuel pump is disabled.

        any car alarm that is not a piece of crap does this.

      5. Why would a car thief even think to use a magnet on a random relay in a random circuit that he most likely knows nothing about? And like i said before, the relay would be hidden in the dash. Are people not reading the whole comment or is there some kind of spreading brain-tumor epidemic that makes you want to say stupid shit on the internet?

      6. @Tim: A decent car thief knows where the wires of the car he steals goes. That also means that the wires to and from your relay are “nonstandard”. Hiding the relay won’t help when the wires to/from it can be bridged under the steering column, exactly the same as one could do earlier.

    1. scotch tape to lift the print from the reader, place print on reader, start car. very few print readers are advanced enough to beat this teqnique.

      1. All finger print reader i used requires living tissues to work : usb fingerprint protected key; sagem entry door security, pc biometric.

        Those fingerprint reader that easy to full are almost “century” old…

        1. Can’t those generally be beaten with something like warm gelatine? I know the iPhone fingerprint reader can be beaten like that, and you’re the first person I’ve really heard say that without being immediately disputed.

      2. Except for a swipe fingerprint reader. I actually haven’t seen a hollywood style “press your thumb” finger print reader in quite a while.

    1. I believe they were primarily trying to cover up the light source for the camera – specifically to prevent the camera with the best angle from getting a clear picture of any of the people involved. I know I couldn’t see any faces.

    2. I’d guess someone showed them how to steal the car – but that someone is bright enough not to be out stealing them

  4. This is mostly FUD. Yes if you can get into the car and connect to add a new key, you can do it. BUT, the recent BMW’s that have keyless CALL HOME when this happens. It triggers the GPS locator.

    So unless they drive it into a metal van, they are not going to get away with the theft. Which it’s easier to just tow it into the van and take your time at a secure location.

    I suggest in the future getting your info on high tech car theft from a reputable site and not a “for entertainment only” site that is full of fiction.

    1. You know you can buy GPS jammers for under $20? Thieves using the kit in this article are smart enough to know they need one of these, too.

      1. @anon: last known position would be the owner’s residence, or wherever. how would that be useful to a LEA?

    2. Sorry to disappoint you, but these guys are way ahead of you.

      Look closely at the guy who comes up late and actually steers the car away. What’s that thing he is holding? Could it be a radio (GPS and GPRS) jammer?

      To think that a gang who steal hundreds of cars a month don’t know how to defeat a simple radio frequency beacon is insane – if they didn’t know, then they’d have already been caught!

  5. Sort of scary, but I seriously doubt that anyone would want my 328i. Now if I had a 335i coupe or an M3, than I’d be worried.

  6. If you have access to the car and the equipment to reprogram from the OBD/II port and you made your living stealing cars I’m sure you’d know A) that there’s a GPS locator B) How to disable it in a timely fashion.

  7. My BMW motorcycle key chip was supposed to be uncrackable. My locksmith had a RFID setup that duplicated it in a minute.

    1. Yep. Bikes are easier than cars in a number of ways. Security is great but it takes a keen mind and tons of knowledge to sort out the truth.

      Basically don’t trust salespeople.

      1. There has never been a lot of security put into motorcycles because at the end of the day four guys and some two by fours can throw almost any bike in the back of a truck and be gone in a few moments. Most stolen cars and bikes are parted out. You can’t really do that with bmw control units because they are all synced to each other and freak out if you drop them in another bike. Just remember you don’t have to out run the dragon, just the dwarf parked next to you.

  8. how expensive are *_ALL_* the electronics for a BMW car???

    i mean compared to the rest of the car as a whole????

    heheheheh, muhahahahah…: disconnect the battery and send 120vAC through it! :D XD hahaha no alarm or GPS then just lift (parkbrake-ed) wheels off the ground and ship!

    …if the alarm really DOES disconnect (BY MECH.RELAY) fuel pump then thats one less thing to replace after the 120vAC :)

    1. This is also fun to do over ethernet. Well lots of voltage, low amperage or the wires will short instead of frying all the NICs in the area.

      (might as well have sum fun with old equipment before going to the big steel storage locker outside)

  9. The FBGA with challenge/response algo is always in the bcm or ecm for all makes, most can be dumped, all can be bruted, all can be silicon reversed through fbga or passive transponder. There is cloning procedures too, usually 2 keys for one with some sequence.

    Expensive cars have GPS, medium cars have integrated alarm sensors, in addition.

    Oh you can also clone and have cut all, cutting can be done at and gas station in most cases that can do double sided wafer sidebar, which is most of them.

  10. Judging by the amount of time he was spending next to the wing mirror, I can’t help thinking BMW have done something stupid like route the CANbus out there.

    Direction indicators, power mirror adjustment – if it’s all operated by CAN, what’s the betting it’s on the same bus as the ECU / immobiliser / alarm etc…

    1. What for using the mirror … You have nowdays tire pressure meters whitch are integrated wireless into the CAN bus so I think your right about the CAN bus but its the Tire pressure

  11. I’m just speculating here, but the car may have a physical key unlock. Assuming it does, there’s a good chance the alarm could be disabled from there.

  12. Why does the alarm system not work.

    It’s clear, that it helps not much to prevent from stealing, when no one can hear the alarm.

  13. why is everyone trying to guess how they done this if you watch the clip you can see they access something within the car to reprogram a key you can even see one of the guys holding something that looks like an rfid reader. then if you follow the link to the forum in the description of the clip it even tells you how they pulled it off.

  14. alarms on bmw’s are a $600 option. They are not standard. The ultrasonic transducers are part of the alarm package and are not installed in a car without an alarm. This car doesn’t seem to have an alarm…

    1. When I bought my 08 335i i found out that all that IS already installed, just not enabled. They wanted to charge me $600 to add some chip to some socket.

      Never really looked into the details of this.

  15. Is everyone missing the obvious but me, in the video they break the window (why the alarm didn’t go off then I don’t know) then reach in under the dash, stick the reprogrammer in the jack and program the fob, seems BMW could have prevented this by (1) putting a plate over the jack or put the jack under the hood or in the trunk, the problem here is a bloody stupid design to begin with.

    1. The OBD-II port is required by law to be accessible and unobstructed. In the US, the placement is restricted to an area around the driver’s legs such that a diagnostic tool won’t obstruct operation of the vehicle. I don’t have the specifics in front of me. Some vehicles may offer a second OBD-II port with a slightly different connector in addition to the standard placement. Combine the above with the findings of insecurity in Bluetooth OBD-II adapters and things get scary.

    2. But hiding it would defeat the intent of the OBD-II standard, which was to make an OWNER-ACCESSIBLE diagnostic interface. That’s why there’s a standard connector, pinout, and interface protocol in the first place, as well as a requirement that said connector be accessible to an operator in the driver seat. Certainly this is considered a laudable goal for a hackaday reader.

      Besides, anywhere the manufacturer can hide it would STILL be accessible to thieves, who do not have the requirement of “while sitting in the driver seat” appended to their definition of accessible. Once you have access to the cabin, popping the hood is trivial. A remote trunk release is almost certainly standard on something as expensive as a BMW, making it every bit as trivial as the front hood. Hiding the connector is just implementing security through obscurity, and not a solution to what is a real problem.

  16. extra layer of protection from alarm systems would be to disconnect the whole fuse box and let it be disconnected until alarm is turned off with a remote. Of course one can add a couple of relay’s to render obd port useless. So let say when alarm is off fuse box is on and obd port is working and can be used. But if alarm is on then fuse box and obd port is cut off (useless) so only the alarm is on.
    P.s. only theory here, and my personal thoughts.

    1. Such modifications may be illegal in your area. IANAL. If you are in an area which requires regular emission testing, this could get you into trouble.

      1. Or there is another option as of every thing works no matter if alarm is armed or disarmed but if alarm triggers (activates) then fuse box is cut of with a real powerful relay ant in addition obd port is rendered useless with relays but when you disarm everything is working as should be.
        P.S. i don’t think this is forbidden by the law, well not in my country :)

  17. What I find dumb is that the BMW system allows keys to be added on the fly with no security/passcode checks, and will just allow the key to instantly work. Perhaps BMW needs to hire some ex car thieves to help test their systems before putting them into production.

  18. My 2007 BMW 328i SULEV US does not come with an alarm.

    There a few people who have done the 555 timer (or picaxe ;) circuit to make the clown nose red led blink when the car is off.

    I have insurance for auto theft.

  19. So, if you have access to the ODB interface you can disable the alarm and start the car. why would you need the fake key at that point?

    this is nonsense. oh yeah, on the 90′s models you could program a new key it by pressing some radio button and pointing the IR led to another one on the dashboard… i doubt it was used by ANY real thief. just like that.

    only thing is, the odb interface is usually under the driver panel or under the hood. and it exist on every car made after 1980 or so.

    1. its not the “fake” key, its a “blank”, through ODB and that nifty device, you tell the car that it is the new key, so car lets you use it as original…

  20. A few things I learned years back that most people probably wont care about:

    1. Rolling code systems on all systems use weak entropy and PM generation. ‘Code catchers’ are 300-400 mhz trunked(fixed table in flash) that keygen based on challenge which is usually only a shifted sequence.

    2.High-end makes you can disable integrated onstar and other tracking systems usually through the BCM or sometime even the lcd navigation

    3. transponder keys and fobs use weak challenge/response. It’s usually discreet algorithms that no talented people care to reverse though out of lack of resources or interest.

  21. every security system designed and made by man, can be bypassed by man. hence – no real secure solution, the only, important, factor to bypass security is time.

    1. this isn’t really true.. crypto and hardware isolation work because even the most efficient silicon reversing is tedious and doesn’t recover all components, and crypto is big number factoring and curve algorithms, that when paired with encoding and/or compression defeats any brute forcing.

      Memory corruption(buffer overflow variants) can be mitigated with cache hashing. This defeats ROP payloads that bypass current mitigation’s like ASLR and page table locking.

      I do agree that humans can’t write secure code though, this is why their has to be abstract meta controlled isolation, hardware assisted.

      Of course you’ll never see this, cause the designers and engineers fresh out of grad school that big companies hire have a ‘am I allowed to do that it’s not in any textbook?’ approach to everything, and expendable non-effective skills. Same for engineers at the BMW plants..

  22. Simple solution : If OBD port is accessed while car is locked, wait a few mins until any access allowed, sounding horn and flashing lights every 30 secs.

    If I had this car I’d put in a dummy OBD port with a few thousand volts on it…

    1. I like this idea!

      If the car is stopped, locked and with nobody inside, then:
      activate the OBD bus activity sensor (sniffer).

      If some activity appears, then:
      block the car for 15-45m, activate alarm 1m, and if possible, tell the owner.

      If the car is unlocked, deactivate the OBD sensor.

  23. It appears that perhaps the interior alarm sensors are disabled if the car is in motion.

    In the security video above you’ll notice three stages:
    1. Break into the car
    2. Key-guy hops in
    3. Cohorts immediately start pushing car

    They start pushing immediately, while the key-guy is still programming the key. As soon as he gets it authorized and starts the car any alarm concerns are done with.

  24. One more reason why I wouldn’t buy an expensive car.
    Get a cheap one that nobody will want to steal, spend about the same money on a medium motorcycle, enjoy life :D

  25. Security is nothing more than a wall people can get over, the idea is to make a wall so big its not worth the effort and yet where there is a will there is always a way

    Security fails like this happen all to often.. maybe i should change profession and learn to be one of the guys cracking this and selling on black box’s which let you steal a car as in most places that not illegal and still nets plenty of cash :D

  26. The best immobilisers are the ones you devise yourself. The non standard mod. Being a non smoker, on my first car, (78 passat) the coil would only be connected if the cigarette lighter was in. Another mod was a switch inside the ignition switch cover that shorted the supply line if the cover was removed. An inline fuse placed anywhere (hidden) along the harness would short. By the time you’ve taken the cover off, there would be no power to work with.

    The ultimate is the removal of a vital part. In older cars the rotor could be removed in under 30 seconds, and would fit in you pocket. Not for you every day trip but parking in a dodgy area one day, I took the rotor with me only to find the car unlocked the bonnet had been opened and a box of tools was left in the passenger foot well. Thanks for the hacksaw thief, I still use it today. :-).

  27. Don’t they push the car just to prevent the owner from hearing the engine noise?

    Seems as the footage does not show any steps before the window is smashed, we can only speculate on how the alarm is circumvented.

    Maybe they use a film over the glass to prevent it from falling inwards (you see them pull most of the glass out). They then access the ODB port without setting of the motion sensors because they are not positioned to cover the area right at the front by the dash.

  28. Wow, need a new spare key for my E70 – this may be a lot cheaper than from the dealer. Where do I get this reprogramming tool from?

  29. Who cares? Anyone who can afford a 50k BMW is going to have full coverage insurance. You don’t really lose (much), the insurance co does.

    Any car can be taken. I’ve known two people over the years that had immobilized cars (dead battery) taken with flatbed/repo trucks and those weren’t even new or expensive cars.

    I doubt new BMWs have a high theft rate. Criminals usually want easy cars to steal or older ones where the parts are hard to get and they can steal and part them out. Stop worrying about stuff like this that doesn’t happen that often and there’s not much you can do about it… Enjoy life.

  30. I see a lot of comments of making the vehicles harder to get into, and steal.

    Problem is, ALL vehicles need to jump the shark on this. At the same time.

    Some of the crooks in the US, have gotten damn smart, damn fast. They know they don’t have the skills to bypass the security on the new vehicles. So get this…. They steal a fucking tow truck! I’ve literally seen this happen twice. Not bad for the crook who is getting smarter day by day. But alas, not good for any vehicle owner.

    1. Not that smart though – every GPS tracker I know of reports (dials out) if the car starts moving with the engine off. If it is on the back of a truck, the cops will still find it.

  31. Brian says:

    I am old enough to remember when no one hacked into a typewriter. I have also worked in the chip design industry and know there is no such thing as a perfect safe, undoable chip, the same thing goes for computer programs .

    Try putting a big steel bar, with a coded lock, through the steering wheel. Ok, they can still steal the car but the effort of cutting the bar off,without damaging the car beyond ‘unsaleable’ would not be worth it to the lazy car thief.

    Yes I own a BMW.. Try insuring it against theft and the insurance broker will put the phone down on you..

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s