Comfort Access

#1 ·
Hi all

My m135i is 'going into build' according to my salesman. Can't wait...

Grey
18" wheels
Adaptive suspension
Tints
Through loading
Lumbar support
HK audio
Tech pack
Comfort pack 2

BUT should I be worried about the comfort access security issues? Do I just buy an RFID pouch and sleep soundly?

Cheers...
 
#3 ·
I was told that the key turns itself off after a certain amount of time after last use. But I still have it in an RFID pouch for extra security.
 
#7 ·
OBD port blocking won't stop keyless relay attacks, which is how most high end thefts happen.

Neither will code randomisation - because this isn't a replay attack, it's a relay attack.

You defeat relay attacks by either using an accelerometer in your key design (key not moving in last 30 seconds, key not transmitting)... which only leaves the chance of your car being boosted with a relay attack while you are out (eg in a car park). Don't think BMW use this on the 1 series.

Signal blocking is a better way of dealing with it - but make sure you use it ALWAYS not just in your house. Leave the car in a car park, place the key in the pouch.

Stolen from your drive is the headline you see, but it's not the only way it can happen and if driveway thefts aren't possible, the crims will change MO.

Better still, don't order keyless or disable it on your car. Sure that is less convenient, but I can tell you there is nothing convenient about having your car stolen.

PS OBD abuse was an older way of stealing cars, no longer a threat I believe on new models.
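
An added illustration of the distinction drawn in the post above (not part of the original thread, and not BMW's actual protocol): a toy challenge-response model showing why a fresh code per unlock stops replay but not relay, and what the 30-second motion-sleep rule changes. The HMAC scheme, class names and timestamps are assumptions made for the example.

```python
import hashlib
import hmac
import os

SLEEP_AFTER_S = 30  # "key not moving in last 30 seconds, key not transmitting"


class Fob:
    """Toy key fob (assumed design): answers challenges with an HMAC."""

    def __init__(self, secret, motion_sleep):
        self.secret = secret
        self.motion_sleep = motion_sleep
        self.last_motion = 0.0  # timestamp of the last accelerometer event

    def respond(self, challenge, now):
        # A sleeping fob stays silent, so there is nothing to forward.
        if self.motion_sleep and now - self.last_motion > SLEEP_AFTER_S:
            return None
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()


class Car:
    """Toy car: issues a fresh random challenge for every unlock attempt."""

    def __init__(self, secret):
        self.secret = secret
        self.challenge = None

    def new_challenge(self):
        self.challenge = os.urandom(16)
        return self.challenge

    def unlock(self, response):
        if response is None or self.challenge is None:
            return False
        expected = hmac.new(self.secret, self.challenge, hashlib.sha256).digest()
        self.challenge = None  # each challenge is single use
        return hmac.compare_digest(expected, response)


def replay_attempt(car, fob, now):
    """A response recorded from one unlock is presented to a later challenge."""
    recorded = fob.respond(car.new_challenge(), now)
    car.unlock(recorded)   # the owner's genuine unlock
    car.new_challenge()    # later attempt: the car picks a new challenge
    return car.unlock(recorded)


def relay_attempt(car, fob, now):
    """The live challenge reaches the distant fob and its answer comes back unchanged."""
    challenge = car.new_challenge()
    return car.unlock(fob.respond(challenge, now))


def run_scenarios():
    secret = os.urandom(32)  # constructed sample key shared by car and fob
    car = Car(secret)
    plain = Fob(secret, motion_sleep=False)
    sleepy = Fob(secret, motion_sleep=True)
    sleepy.last_motion = 1000.0  # constructed timestamp: fob last moved at t=1000 s
    return {
        "replay_against_fresh_challenge": replay_attempt(car, plain, 1000.0),
        "relay_without_motion_sleep": relay_attempt(car, plain, 1000.0),
        "relay_fob_idle_for_an_hour": relay_attempt(car, sleepy, 1000.0 + 3600),
        "relay_fob_moved_5s_ago": relay_attempt(car, sleepy, 1000.0 + 5),
    }


if __name__ == "__main__":
    for name, unlocked in run_scenarios().items():
        print(f"{name}: {'unlocked' if unlocked else 'rejected'}")
```

The last scenario is the car park case from the post: the fob is in a pocket and awake, so motion sensing alone does not reject the relayed answer.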
 
#9 ·
Zapad said:
OBD port blocking won't stop keyless relay attacks, which is how most high end thefts happen.

Neither will code randomisation - because this isn't a replay attack, it's a relay attack.

You defeat relay attacks by either using an accelerometer in your key design (key not moving in last 30 seconds, key not transmitting)... which only leaves the chance of your car being boosted with a relay attack while you are out (eg in a car park). Don't think BMW use this on the 1 series.

Signal blocking is a better way of dealing with it - but make sure you use it ALWAYS not just in your house. Leave the car in a car park, place the key in the pouch.

Stolen from your drive is the headline you see, but it's not the only way it can happen and if driveway thefts aren't possible, the crims will change MO.

Better still, don't order keyless or disable it on your car. Sure that is less convenient, but I can tell you there is nothing convenient about having your car stolen.

PS OBD abuse was an older way of stealing cars, no longer a threat I believe on new models.
I think the 1 series does have movement detection in the key
 
#10 ·
Zapad said:
OBD port blocking won't stop keyless relay attacks, which is how most high end thefts happen.

Neither will code randomisation - because this isn't a replay attack, it's a relay attack.

You defeat relay attacks by either using an accelerometer in your key design (key not moving in last 30 seconds, key not transmitting)... which only leaves the chance of your car being boosted with a relay attack while you are out (eg in a car park). Don't think BMW use this on the 1 series.

Signal blocking is a better way of dealing with it - but make sure you use it ALWAYS not just in your house. Leave the car in a car park, place the key in the pouch.

Stolen from your drive is the headline you see, but it's not the only way it can happen and if driveway thefts aren't possible, the crims will change MO.

Better still, don't order keyless or disable it on your car. Sure that is less convenient, but I can tell you there is nothing convenient about having your car stolen.

PS OBD abuse was an older way of stealing cars, no longer a threat I believe on new models.
I read it was the other way around now, keyless relay due to key deactivation after x number of seconds (1 Series does have now) makes driveway drive-aways via that means pretty difficult if not impossible.

However smashing the window, plug into OBD, reprogram in seconds and drive away is still common and happening. I haven't seen or read anything to say that isn't a threat anymore, however I have read how they've stopped relay attacks.

Also, can you have Digital Key without CA? That for me makes it worthwhile...
 
#11 ·
a380df said:
Zapad said:
OBD port blocking won't stop keyless relay attacks, which is how most high end thefts happen.

Neither will code randomisation - because this isn't a replay attack, it's a relay attack.

You defeat relay attacks by either using an accelerometer in your key design (key not moving in last 30 seconds, key not transmitting)... which only leaves the chance of your car being boosted with a relay attack while you are out (eg in a car park). Don't think BMW use this on the 1 series.

Signal blocking is a better way of dealing with it - but make sure you use it ALWAYS not just in your house. Leave the car in a car park, place the key in the pouch.

Stolen from your drive is the headline you see, but it's not the only way it can happen and if driveway thefts aren't possible, the crims will change MO.

Better still, don't order keyless or disable it on your car. Sure that is less convenient, but I can tell you there is nothing convenient about having your car stolen.

PS OBD abuse was an older way of stealing cars, no longer a threat I believe on new models.
I think the 1 series does have movement detection in the key
Yes it does.
 
#12 ·
OK so if you've got motion sensing keys then only car park relay attacks are a problem.. And those are real.

The obd key attack, is that not defeated by the new digitally locked obd access? Don't know if bmw have introduced that yet, vag have. It should be stopped the same way as you not being able to use obd11 to mod your car any more...
 
#13 ·
The main reason I got comfort access and the wireless charging station was so I could make use of Apple CarKeys. Cool feature that I understand is not susceptible to relays - it uses a different code/signal each time or something. It can also be used with Apple Watch 5.

I understand that soon with new model BMWs, you won't even need to touch the door handles with your phone/watch. The car will simply unlock when your phone/watch is nearby, just like the comfort access keyfob.
 
#14 ·
Not actually true, you can relay attack those, there are poc's out there of that for these mobile keys for cars.

It uses nfc though, which means the "mole" device (the end of the relay that listens to the key) needs to be 4cm or closer to the target phone/key.

This clearly is a limitation of the attack vs the kessy type keys (which can be attacked at 100m or more)

The trick for nfc attacks is to convince someone to place their phone on the mole... By putting the mole into or close to a payment card reader. Eg in a petrol station.

Alternatively you could "bump" the victim (just brush them) and the mole is actually a small device - an android phone for example, not the briefcase that the kessy mole is.

The distance between the mole and the car can be actually global. Accessing your phone in Australia could unlock and start your car in the UK...
 
#15 ·
BTW if this all sounds too technical for a thick as mince car thief.... it would be if they had to figure out the technology, create an attack concept and build the hardware and software but that's not how it works.

The kessy relay kit or the obd plug in device is available off of the shelf, with a set of instructions that even my mother could use. You don't need to understand this to use it any more than you need to understand how this website works to read or post on this forum.

PS the interesting thing about the mobile key mechanism is that it depends on hardware in specific phone models. It's not just ANY iPhone that can work.

The hardware enables the phone to function as your car key even if the phone is flat, because that piece is NFC induction powered just like your credit card. It functions entirely autonomously from the phone function itself.
 
#16 ·
jonf84 said:
The main reason I got comfort access and the wireless charging station was so I could make use of Apple CarKeys. Cool feature that I understand is not susceptible to relays - it uses a different code/signal each time or something. It can also be used with Apple Watch 5.

I understand that soon with new model BMWs, you won't even need to touch the door handles with your phone/watch. The car will simply unlock when your phone/watch is nearby, just like the comfort access keyfob.
This was one of the reasons I got CA. It's actually quite useful, I've forgotten my keys a number of times because I keep it in a pouch. But I always have my iPhone with me. Also upgraded to an Apple Watch Series 5. Both work a treat unlocking and locking the doors.

I don't use the auto locking function because I think it's more of a security risk.

 
#17 ·
jonf84 said:
The main reason I got comfort access and the wireless charging station was so I could make use of Apple CarKeys. Cool feature that I understand is not susceptible to relays - it uses a different code/signal each time or something. It can also be used with Apple Watch 5.

I understand that soon with new model BMWs, you won't even need to touch the door handles with your phone/watch. The car will simply unlock when your phone/watch is nearby, just like the comfort access keyfob.
That's the exact reason I specced it on my F44. How you getting on with it? Is there any fear of it not working having left your key at home?

And yeah that's using the new UWB chips in the new iPhones (11 onwards). Interesting choice to bring it to the iX first and not other models currently in production. I suppose it's another feature it can boast.
 
#18 ·
Saladin12 said:
jonf84 said:
The main reason I got comfort access and the wireless charging station was so I could make use of Apple CarKeys. Cool feature that I understand is not susceptible to relays - it uses a different code/signal each time or something. It can also be used with Apple Watch 5.

I understand that soon with new model BMWs, you won't even need to touch the door handles with your phone/watch. The car will simply unlock when your phone/watch is nearby, just like the comfort access keyfob.
That's the exact reason I specced it on my F44. How you getting on with it? Is there any fear of it not working having left your key at home?

And yeah that's using the new UWB chips in the new iPhones (11 onwards). Interesting choice to bring it to the iX first and not other models currently in production. I suppose it's another feature it can boast.
I use it regularly and it has never not worked. On the very odd occasion it takes two or three taps on the door handle to lock/unlock the door. If I am going far from home I would still take my key, just to be on the safe side.

On iX - I think it is also coming to the new 7 series.
 
#20 ·
Zapad said:
It uses nfc though, which means the "mole" device (the end of the relay that listens to the key) needs to be 4cm or closer to the target phone/key.

This clearly is a limitation of the attack vs the kessy type keys (which can be attacked at 100m or more)

The trick for nfc attacks is to convince someone to place their phone on the mole... By putting the mole into or close to a payment card reader. Eg in a petrol station.

Alternatively you could "bump" the victim (just brush them) and the mole is actually a small device - an android phone for example, not the briefcase that the kessy mole is.

The distance between the mole and the car can be actually global. Accessing your phone in Australia could unlock and start your car in the UK...
Actually after a little research (which is always interesting because infosec is a fast moving subject) it seems NFC can be range extended significantly more than it was ever intended to (which is actually part of its security) and that a direct brush might not be needed.

I'm not going to actually spell out how you physically organise attacks using this technology, because that would be dangerous, but I can tell you that workable plans to use it are possible (my team here have come up with some this morning) and that you should not be complacent.

If there is any safety in the mobile key technology it's just that at the moment as an attacker you'd struggle to reliably locate a user of the technology on a regular enough basis to target your attack. If this becomes more common and you can easily go anywhere and spot a victim then it will almost certainly lead to people doing this as technically it's not difficult once someone has done the hard work figuring out the technical solution (and they have).

Security by obscurity is no security at all (common saying in the world of InfoSec)


One thing to make perfectly clear though - kessy IS dangerous, even with the motion sensing keyfobs.


And in case you wonder why anyone would steal your car and then not be able to restart the engine after they nick it using any of the things I have talked about here (and they can't) it's because cars stolen are not for sale as whole cars, they strip the parts and use them to repair insurance sell offs of "crashed and repairable". These are not viable as a business proposition to repair using new parts purchased (which is why the insurance company have written them off and sold the wreckage).... they are viable to sell if they can strip your car as a donor and those parts are free. The value of your car is effectively laundered, resulting in an untraceable resalable product. It's a huge problem that the police and the insurance industry can't seem to get a grip on.

Watch the video on this tweet:
 
#21 ·
Zapad said:
OK so if you've got motion sensing keys then only car park relay attacks are a problem.. And those are real.

The obd key attack, is that not defeated by the new digitally locked obd access? Don't know if bmw have introduced that yet, vag have. It should be stopped the same way as you not being able to use obd11 to mod your car any more...
You got any source for VAG using locked OBD? All the VAG forums seem to think theft by OBD is still an issue.
 
#22 ·
The problem with RFID pouches is they often become unreliable and you don't know unless you get into the habit of periodically testing it still blocks the signal. I had comfort entry on a Merc and the key transmission could be switched off with a double press of one of the buttons on the remote fob which I often forgot to do so I purchased an RFID pouch which became unreliable so I ended up making one from tin foil which worked fine. I decided unlocking my car using the remote is no big deal and offers better security because the fob only transmits a signal when the button is pressed hence none of my cars since the Merc have had comfort entry.

In my opinion signal relay theft is far more likely and easier than OBD port hacking because OBD ports are more secure these days after the spate of hacking that went on a few years ago. To hack an OBD port the thief normally breaks a window which sets off the alarm for a short period before they can plug in to the OBD port and disable it if the port permits them to do it. Only certain OBD ports in which the live rail remained live after the car was locked could be hacked as the hacking equipment relied on using that live for its power, no live no hack. Why go to all this hassle when relay theft is so easy without damaging the vehicle and most people store their key fob within signal range of the front door, perfect for signal relay theft?

I've read that on comfort entry cars BMW have introduced a timer into the fob which switches off the signal transmission after a set time, I'm not sure if this is fact, if it is I'm not sure if it applies across the range of BMWs. I guess the only way to know for sure is to test the fob.
 
#23 ·
MarketSqHero said:
Zapad said:
OK so if you've got motion sensing keys then only car park relay attacks are a problem.. And those are real.

The obd key attack, is that not defeated by the new digitally locked obd access? Don't know if bmw have introduced that yet, vag have. It should be stopped the same way as you not being able to use obd11 to mod your car any more...
You got any source for VAG using locked OBD? All the VAG forums seem to think theft by OBD is still an issue.
Possibly.... on MQB2020 cars (eg the Mk8 Golf) they use SFD protection (Schutz Fahrzeug Diagnose). It's not explicitly designed for key protection afaik, it's designed to prevent autonomous driving parameters being accessed.

It uses a security gateway to protect most of the configuration items, pretty much anything that can be written to, and is only accessible using a one time code generated by a VW system, tied to the VIN and valid for only 90 minutes. All access to the vehicle via this is tracked and logins are really tied down tight to VW dealers and qualified independents.

As an infosec professional, I rate that security as a tough target. Possible to win, but hard, I won't explain how.

It's why you can't modify the parameters like you used to be able to.

You can plug into the OBD port, you can talk to it, but I doubt if you can use anything useful like pairing a new key with it - not without a VW authorisation token.

The other countermeasure to OBD assault (even on not quite the newest cars) is that you cannot even read from OBD without the bonnet being open. That's really quite common these days, even without SFD. So smashing a window and plugging in doesn't work - you'd need to get the door open to access the bonnet catch (recessed in the door frame)
 
#24 ·
Zapad said:
MarketSqHero said:
Zapad said:
OK so if you've got motion sensing keys then only car park relay attacks are a problem.. And those are real.

The obd key attack, is that not defeated by the new digitally locked obd access? Don't know if bmw have introduced that yet, vag have. It should be stopped the same way as you not being able to use obd11 to mod your car any more...
You got any source for VAG using locked OBD? All the VAG forums seem to think theft by OBD is still an issue.
Possibly.... on MQB2020 cars (eg the Mk8 Golf) they use SFD protection (Schutz Fahrzeug Diagnose). It's not explicitly designed for key protection afaik, it's designed to prevent autonomous driving parameters being accessed.

It uses a security gateway to protect most of the configuration items, pretty much anything that can be written to, and is only accessible using a one time code generated by a VW system, tied to the VIN and valid for only 90 minutes. All access to the vehicle via this is tracked and logins are really tied down tight to VW dealers and qualified independents.

As an infosec professional, I rate that security as a tough target. Possible to win, but hard, I won't explain how.

It's why you can't modify the parameters like you used to be able to.

You can plug into the OBD port, you can talk to it, but I doubt if you can use anything useful like pairing a new key with it - not without a VW authorisation token.

The other countermeasure to OBD assault (even on not quite the newest cars) is that you cannot even read from OBD without the bonnet being open. That's really quite common these days, even without SFD. So smashing a window and plugging in doesn't work - you'd need to get the door open to access the bonnet catch (recessed in the door frame)
Interesting, I never considered about it having to be permanent live. On the 1er the OBD port is easily accessible, and works without the bonnet being open, but does require the ignition to be on to access anything (certainly the case to get Bimmercode to work)
 
#25 ·
I think protection against OBD attack by a variety of countermeasures has happened.

The biggest target group for OBD attacks seemed to be the previous generation of Fords. I guess their OBD port was permanently live and had no bonnet interlock and the system wasn't protected like SFD.

Doesn't surprise me, over the years Ford's security systems have had a track record of being readily compromisable, sometimes even using half a tennis ball...

However all security is a constant evolution of attack and defence, but remember the defences are always behind the new attack techniques.
 
#26 ·
Really interesting stuff Zapad - where do you get your expertise? What safeguards do you use yourself?

After learning about the comfort access security compromise, my wife thinks we should either deactivate comfort access and/or use a steering lock. I'm loath to do this after spending money on the feature.