I have heard that in cars without real ignition keys (in other words, those with RFID fobs and no mechanical ignition lock), it could be possible to authorize a new key by communicating on the OBD2 connector. You do not need access to a working key if this is true, but my impression, based on some things I have heard, is that the private part of some asymmetric cryptographic material must be known. Whether it varies from car to car, I'm not sure. (This system is called CAS by BMW.)
However, in the cars with real ignition locks, the immobilizer is not as easy to defeat as the "nakedsecurity" piece implies.
Since 1994 or so (with the introduction of the EWS2 system) the ignition key contains an RFID tag with a permanent shared secret and a password which is updated every time the key is used. It has always been possible to get close to such a key and read it, then write the information into a new key. Since the password is updated when the key is turned to the 'run' position, as soon as either of the "identical" keys is used, the other will stop working.
To authorize a new key on the EWS2 or EWS3 systems using the diagnosis connector, the new key must contain a shared secret already known by the EWS brain. The factory programmed ten such secrets into each EWS brain during manufacture, and four keys were delivered with the new car when it was sold. When a new key is requested through the parts department, that key is delivered with one of the known shared secrets. Then it can be authorized with a diagnosis request.
To change the shared secret information in the EWS brain to arbitrary information, or to discover the shared secrets known by the EWS brain, it must be removed from the car, physically opened and bootloaded. (It's one of the 68hc11 processors, and there are test points on the board for the mode select pins; manipulating these can place the hc11 in a mode to run a bootloader delivered over the serial line.)
(One difference between the EWS2 and EWS3 systems is that the EWS2 brain sent another, static shared secret to the engine control to signal permission to start - a simple 32-bit word. In EWS3, this communication involves some cryptography.)
It is possible that the database of shared secrets became available when the "Heartbleed" flaw became known. I have heard that their VPN was attacked. If this material were stolen, probably the bitting information required to cut a mechanical key was stolen along with it.
The keyless entry remote of these BMWs is more like the ones used in every car, even though it is part of the same ignition key with RFID tag for immobilizer: the key has a seed and does some transformation every time a remote button is pressed.
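A toy model of the EWS2-style scheme the post above describes, added here as an illustration and not taken from the post or from BMW's actual protocol: each key carries a permanent shared secret plus a rolling password, the immobilizer holds a fixed factory table of ten secrets, and both sides advance the password on every successful start, so a cloned key desynchronizes as soon as either copy is used. The update rule (SHA-256 over secret and password), the slot count and all key material are assumptions of this example.

```python
"""Constructed model of a rolling-password immobilizer (not BMW's protocol)."""
import hashlib
import secrets
from dataclasses import dataclass

SLOTS = 10  # the post says the factory programs ten secrets per brain


def _next_password(secret: bytes, password: bytes) -> bytes:
    # Hypothetical update rule: next password derived from secret + current one.
    return hashlib.sha256(secret + password).digest()[:8]


@dataclass
class Key:
    secret: bytes     # permanent shared secret stored on the RFID tag
    password: bytes   # rolling value, rewritten after each 'run'

    def clone(self) -> "Key":
        # Reading the tag and writing it into a blank key copies both values.
        return Key(self.secret, self.password)


class Immobilizer:
    def __init__(self) -> None:
        self.secrets = [secrets.token_bytes(16) for _ in range(SLOTS)]
        self.passwords = {s: secrets.token_bytes(8) for s in self.secrets}
        self.authorized: set[bytes] = set()

    def deliver_key(self, slot: int) -> Key:
        # Parts-department key: pre-loaded with one of the factory secrets.
        s = self.secrets[slot]
        return Key(s, self.passwords[s])

    def authorize(self, key: Key) -> bool:
        # Diagnostic authorization only succeeds for a secret already in the table.
        if key.secret not in self.passwords:
            return False
        self.authorized.add(key.secret)
        return True

    def start(self, key: Key) -> bool:
        if key.secret not in self.authorized:
            return False
        if key.password != self.passwords[key.secret]:
            return False  # out of sync: a stale clone or the original after a clone ran
        new = _next_password(key.secret, key.password)
        self.passwords[key.secret] = new   # both sides roll forward together
        key.password = new
        return True


def clone_desync_demo() -> tuple[bool, bool, bool]:
    # Original starts, the clone then fails, the original keeps working.
    ews = Immobilizer()
    original = ews.deliver_key(0)
    ews.authorize(original)
    copy = original.clone()
    return ews.start(original), ews.start(copy), ews.start(original)
```

A repeated password mismatch on a known secret is the signal a defender would log: it means a second copy of that key exists and has been used.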
Indeed. You can do this using the BMW manufacturer software (which is comically not hard to find), at least for the E9* series of BMWs. Not sure about the newer F3* series, but I wouldn't be surprised.
I think they really did not count on tools like NFS to find their way into the de facto 'public domain.' However when CAS was designed, they knew (or should have known) that somehow all the manufacturing-side tools were getting out. Also some of the regional technical people who support the dealers carry them around on their laptops. A couple of beers can earn you a lot of secrets sometimes.