Comfort Access, the fob, Start/Stop button etc. convenient for us and those who steal cars too! :tsk:

http://www.apani.com/net-news/0506/73

Beware of perverts with a laptop near you when you get in/out of your car? :dunno:

Yikes...hopefully this doesn't turn into a big problem.

:yikes: :yikes:
Beware guys !! i got a key start-stop engine not a button :p

Lo-jack Early warning... won't prevent someone from taking the car but if they take it without my FOB I should get it back quickly. If not... insurance kicks in... but lets hope this doesn't become a problem...

Currently, the people who have been able to commit these crimes need time in order to "brute force" the key encoding. Laptops are powerful enough to churn a key out from a 40-bit encryption (which is what is used at the moment).

As someone who works with crypto, in retrospect I wonder why the auto companies have not gone to higher bit crypto to make it harder for someone to force. It's probably to do with cost/availability from the suppliers, who makes these for the car companies. AFAIK, TI uses a private, unpublished crypto algorithm, which is also usually a bad thing since there is no peer review. Phillips has a longer bit string algorithm (128 bit), but again, I don't think it is a published algorithm. The more bits, the more possible codes, the harder it is to brute force.

If I was an enterprising thief, I would look at the problem the other way, create a reader that captures your key data when you walk past. Since the key is passive, I could access the data via a reader when you walked out of the parking garage (for example). I then play the appropriate data back to your car, and bingo. The biggest issue with this is you would have to be pretty close to the person to read the key info.

Oh, this same technology (RFID) is used in things like the Mobil speedpass, which have had some papers written about the insecurity of the system in the same fashion as I mentioned above.

I wouldn't get too paranoid about your car yet, though having a second channel of security, such as the Lojack Early Warning box, is a good idea.

Currently, the people who have been able to commit these crimes need time in order to "brute force" the key encoding. Laptops are powerful enough to churn a key out from a 40-bit encryption (which is what is used at the moment).

As someone who works with crypto, in retrospect I wonder why the auto companies have not gone to higher bit crypto to make it harder for someone to force. It's probably to do with cost/availability from the suppliers, who makes these for the car companies. AFAIK, TI uses a private, unpublished crypto algorithm, which is also usually a bad thing since there is no peer review. Phillips has a longer bit string algorithm (128 bit), but again, I don't think it is a published algorithm. The more bits, the more possible codes, the harder it is to brute force.

If I was an enterprising thief, I would look at the problem the other way, create a reader that captures your key data when you walk past. Since the key is passive, I could access the data via a reader when you walked out of the parking garage (for example). I then play the appropriate data back to your car, and bingo. The biggest issue with this is you would have to be pretty close to the person to read the key info.

Oh, this same technology (RFID) is used in things like the Mobil speedpass, which have had some papers written about the insecurity of the system in the same fashion as I mentioned above.

I wouldn't get too paranoid about your car yet, though having a second channel of security, such as the Lojack Early Warning box, is a good idea.

Maybe you should send a resume to BMW :rofl:

Although this is a concern, would this hype be along the same lines when ther was that outcry when scanner were picking up garage door openers and remote codes from alarm key fobs? In my opinion, new technology with a couple of incidents, however unfortunate, should die down. I hope I'm right.

My question, for thoughs who may know, is if CA codes are rolling codes?

Maybe you should send a resume to BMW :rofl:
:rofl: I'm sure they know it is an issue. It is trading off how fast it becomes prevalent vs cost of higher security. Some of the newer, open algorithms could provide more security, but may cost too much to implement in a car at the moment. Actually, this can be true for crypto in all sorts of products, not just cars. You have to balance the right cost vs the right security.
In my opinion, new technology with a couple of incidents, however unfortunate, should die down. I hope I'm right. This will not be the preferable way for thievery any time soon; the "load onto a flatbed truck and run" model is more cost-effective. :)
My question, for thoughs who may know, is if CA codes are rolling codes?
From what I have read about the products, the codes do roll, however, they are from a relatively small pool of numbers. While 40 bits might seem to be large pool to work from, newer laptop computers have the power to force the codes by trial and error because they are fast enough now to make it a fairly small pool. If you can grab some "transactions" between the key fob and the car, you might be able to narrow that pool down further.

It's like anything else - if a thief wants it bad enough, they will get it anyway. The current security provides enough to keep most thieves moving on to easier targets.

Yeah I told folks about this months ago in another thread.

Working in the security field, I can assure you this will be a big issue.

A car broadcasting security code information is never a good idea.

Comfort Access? yeah it is comfy alright. For the thieves. :tsk:

It is not just BMW though, Lexus and others are using "hackable" wireless technology in their solutions.

I will stick with a chip in my key thank you.

Working in the security field, I can assure you this will be a big issue. My background is more pure crypto/pattern recognition, but security is implicit just the same.

It is not just BMW though, Lexus and others are using "hackable" wireless technology in their solutions.Certainly as cars get more digital interfaces, the opportunity to hack stuff will be greater. The technology is only coming from a few suppliers, so a hack in one car could possibly be a hack in another; it will depend how much customization is done from the base system.

My background is more pure crypto/pattern recognition, but security is implicit just the same.

Certainly as cars get more digital interfaces, the opportunity to hack stuff will be greater. The technology is only coming from a few suppliers, so a hack in one car could possibly be a hack in another; it will depend how much customization is done from the base system.

Plus the encryption keys are most likely short and will never change once the car is sold.

Plus the encryption keys are most likely short and will never change once the car is sold.Exactly. The cost to change out the system for one with greater security would be prohibitive. Again, it would not prevent me from enjoying my car, but it means that I would consider having some other overlapping security in place.

OK, bottom line it seems theives can do it but it would be a bit impractical carrying a computer around and waiting. So park in sensible spots, do a look out, and make sure the insurance cover has not lapsed!

As someone who works with crypto, in retrospect I wonder why the auto companies have not gone to higher bit crypto to make it harder for someone to force. It's probably to do with cost/availability from the suppliers, who makes these for the car companies. AFAIK, TI uses a private, unpublished crypto algorithm, which is also usually a bad thing since there is no peer review. Phillips has a longer bit string algorithm (128 bit), but again, I don't think it is a published algorithm. The more bits, the more possible codes, the harder it is to brute force.



Because some wanker in the supplying company thought the current level of bits (68 or whatever) is "sufficient" and that is cheaper to manufacture/develop/research/whatever. :tsk:

OK, bottom line it seems theives can do it but it would be a bit impractical carrying a computer around and waiting. So park in sensible spots, do a look out, and make sure the insurance cover has not lapsed!

This is where folks can be quite naive.

Today a laptop is required. In a few years when you 6 series is 5 years old, this technology will be on handheld devices.

The only reason why it is on laptops now is proof of concept. A simple antenna, RFID recording device, and few chips, and battery, etc. and you now have a handheld hacking device for car thieves

The real issue is a new 650's security with CA built today is the best it will ever be. As time goes by, it becomes more and more hackable.

Today a laptop is required. In a few years when you 6 series is 5 years old, this technology will be on handheld devices.


The real issue is a new 650's security with CA built today is the best it will ever be. As time goes by, it becomes more and more hackable.

Fair point chuck92103. In 5 years time, there will be a new security level involving a trillion bits or whatever. Then some crack will figure out how to hack into that and the whole damn "cycle" starts all over. :tsk:

Didn't you guys get the finger print option on your comfort access start/stop button? The only drawback is your wife (or girlfriend) can't borrow the car. Also, no more valet parking.

Lojack and/or a good old kill switch is the best advice I can give if you are concerned.

Personally, if my car is stolen, I really don't want it back. Pretty amazing what can happen to a car in 30 minutes. :confused:

Lojack and/or a good old kill switch is the best advice I can give if you are concerned.

Personally, if my car is stolen, I really don't want it back. Pretty amazing what can happen to a car in 30 minutes. :confused:
Try 30 seconds.

Didn't you guys get the finger print option on your comfort access start/stop button? The only drawback is your wife (or girlfriend) can't borrow the car. Also, no more valet parking.

drawbacks or benefits?

Didn't you guys get the finger print option on your comfort access start/stop button? The only drawback is your wife (or girlfriend) can't borrow the car. Also, no more valet parking.
In all seriousness, biometric fingerprint scanners are pretty easy to spoof. Google "jello fingerprint" for more info. :)

Fair point chuck92103. In 5 years time, there will be a new security level involving a trillion bits or whatever. Then some crack will figure out how to hack into that and the whole damn "cycle" starts all over. :tsk:

Thats what happend with those kryptonite bike locks, some crack head in Miami or somewhere figured out how to break into them with a BIC pen.:rofl: