2012-2015 BMW 3-Series and 4-Series Forum
Key fob wireless range is abysmally low?
      07-22-2013, 04:24 PM   #23
MPG
New Member
1
Rep
27
Posts

Drives: 2013 328i M-sport
Join Date: Jun 2013
Location: west coast

iTrader: (0)

Pretty short range as well. Not sure if this is due to the fob or not. The car does not detect the fob sometimes when it is in the car. I have to push the start button twice a few times in order to get the car started
Appreciate 0
      07-23-2013, 11:51 AM   #24
Kabrich
Banned
United_States
354
Rep
1,986
Posts

Drives: '13 AH3 (335IH) 3F93 MSport
Join Date: May 2013
Location: Florida

iTrader: (6)

Quote:
Originally Posted by MPG View Post
Pretty short range as well. Not sure if this is due to the fob or not. The car does not detect the fob sometimes when it is in the car. I have to push the start button twice a few times in order to get the car started
That sounds like you have a bigger problem. For my other cars, I often left the car keys on the sunroof of the car in my garage. With the F30, it apparently thinks I am in the car and the radio et al continue, as opposed to walking away with the FOB.
Appreciate 0
      07-23-2013, 12:14 PM   #25
BavarianFanatic
Too much is never enough
United_States
655
Rep
3,079
Posts

Drives: Too Many
Join Date: Mar 2008
Location: SE PA

iTrader: (0)

Quote:
Originally Posted by dinonz View Post
I consider it a security feature - if the transmission level is low, then the chance of thieves scanning codes is very low.
^^^This.

As security technologies advance, so too do criminal technologies. You would be amazed how simple it is to monitor transmissions these days. Hell, in my world, the "Smart Card" (a credential with imbedded integrated circuitry) was supposed to be one of the most secure means of providing identification authentication. Until it was discovered that folks were setting up with scanners housed in briefcases in building lobbies and skimming all of the data off of the cards. Now most of the agencies that are aware of this require folks to keep them in metal sleeves now.

I don't think it's wise to implement a high power transmitter in a fob. Especially for the comfort access authentication.
Appreciate 0
      07-23-2013, 06:16 PM   #26
john08135i
Major
United_States
77
Rep
1,027
Posts

Drives: 2013 M Sport, 2010 bmw S1000RR
Join Date: Oct 2008
Location: Orlando

iTrader: (0)

Tint the windows and it gets much worse. Also, I have been using the chin antenna gain and it works.
__________________
M Sport Line Estoril Blue
Appreciate 0
      07-26-2013, 10:15 AM   #27
JesseS
Private First Class
13
Rep
173
Posts

Drives: BMW 3/15 DA-2
Join Date: Jul 2013
Location: Raleigh, NC

iTrader: (0)

Quote:
Originally Posted by BavarianFanatic View Post
^^^This.

As security technologies advance, so too do criminal technologies. You would be amazed how simple it is to monitor transmissions these days. Hell, in my world, the "Smart Card" (a credential with imbedded integrated circuitry) was supposed to be one of the most secure means of providing identification authentication. Until it was discovered that folks were setting up with scanners housed in briefcases in building lobbies and skimming all of the data off of the cards. Now most of the agencies that are aware of this require folks to keep them in metal sleeves now.

I don't think it's wise to implement a high power transmitter in a fob. Especially for the comfort access authentication.
If a fob+remote access is implemented correctly then it shouldn't matter if someone's sitting across the block with a scanner recording transmissions. (Of course, I have no idea if BMW implemented it "correctly".)

To prevent exactly the sort of attack you are talking about (any sort of replay), fobs should transmit the next pseudo-random number in a pseudo-random sequence generated from a common seed known only by the car and the fob. The car should accept only the next N pseudo-random numbers in the sequence since the last one it saw from the fob, meaning that if you press "open" too far away from the car too many times the fob will stop working until it and the car are back in sync.

Hmm, that's a bit jargon-filled, but it's a bit like this:

The car and the fob have a random list of page numbers from a common dictionary. Nobody else knows the page numbers. When you press open, the fob skips to the next random page number and transmits the first word on that page. The car keeps track of the last page it saw and will only accept the next few "first" words from the page list. Once the car has accepted the "word" it memorizes that page number as the last page used and will from then on only accept words "after" that in the page list. If some nefarious third party sees the word (or even a number of words) that doesn't really tell them anything useful because reusing that specific word will no longer open the car and they don't have the page list to figure out what the next words would be.

All of that pseudo-random jargon is just a clever way of having this "page list" without actually needing to store a list of "page numbers".


(This only applies to non-CA. Automated forms of access have a totally different problem and power-limiting is undoubtably a necessity for CA.)

Last edited by JesseS; 07-26-2013 at 10:49 AM..
Appreciate 0
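The rolling-code scheme described in the post above, as an added example that is not part of the original thread and not BMW's implementation. The post names no generator, so HMAC-SHA256 over a press counter is assumed here as the "pseudo-random sequence from a common seed"; `code_at`, `Fob`, `Car`, the window size and the seed are hypothetical.

```python
import hashlib
import hmac

def code_at(seed: bytes, counter: int) -> bytes:
    # Value number `counter` of the sequence: the "first word on the page".
    return hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()[:8]

class Fob:
    def __init__(self, seed: bytes):
        self.seed, self.counter = seed, 0

    def press(self) -> bytes:
        self.counter += 1  # every press advances, whether or not the car hears it
        return code_at(self.seed, self.counter)

class Car:
    def __init__(self, seed: bytes, window: int):
        self.seed, self.last, self.window = seed, 0, window

    def receive(self, code: bytes) -> bool:
        # Accept only the next `window` values after the last one accepted.
        for position in range(self.last + 1, self.last + self.window + 1):
            if hmac.compare_digest(code, code_at(self.seed, position)):
                self.last = position  # this value and all earlier ones are now dead
                return True
        return False

def demo() -> dict:
    seed = b"constructed-demo-seed"  # constructed sample value
    fob, car = Fob(seed), Car(seed, window=4)
    out = {}
    first = fob.press()
    out["fresh"] = car.receive(first)                    # next value in sequence
    out["replay"] = car.receive(first)                   # same value sent again
    skipped = fob.press()                                # press the car never heard
    fob.press()                                          # another unheard press
    out["resync_in_window"] = car.receive(fob.press())   # 3 ahead, window is 4
    out["skipped_code_later"] = car.receive(skipped)     # car has moved past it
    for _ in range(5):
        fob.press()                                      # too many unheard presses
    out["desync"] = car.receive(fob.press())             # 6 ahead, outside window
    return out

if __name__ == "__main__":
    print(demo())
```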
      07-26-2013, 10:38 AM   #28
JesseS
Private First Class
13
Rep
173
Posts

Drives: BMW 3/15 DA-2
Join Date: Jul 2013
Location: Raleigh, NC

iTrader: (0)

Quote:
Originally Posted by john08135i View Post
Tint the windows and it gets much worse. Also, I have been using the chin antenna gain and it works.
Just metallic tints or any tinting?
Appreciate 0
      07-26-2013, 10:49 PM   #29
dinonz
Banned
United_States
3216
Rep
2,385
Posts

Drives: 2016 M3 MWM ZCP
Join Date: Mar 2013
Location: Austin

iTrader: (0)

Quote:
Originally Posted by JesseS View Post
If a fob+remote access is implemented correctly then it shouldn't matter if someone's sitting across the block with a scanner recording transmissions. (Of course, I have no idea if BMW implemented it "correctly".)

To prevent exactly the sort of attack you are talking about (any sort of replay), fobs should transmit the next pseudo-random number in a pseudo-random sequence generated from a common seed known only by the car and the fob. The car should accept only the next N pseudo-random numbers in the sequence since the last one it saw from the fob, meaning that if you press "open" too far away from the car too many times the fob will stop working until it and the car are back in sync.

Hmm, that's a bit jargon-filled, but it's a bit like this:

The car and the fob have a random list of page numbers from a common dictionary. Nobody else knows the page numbers. When you press open, the fob skips to the next random page number and transmits the first word on that page. The car keeps track of the last page it saw and will only accept the next few "first" words from the page list. Once the car has accepted the "word" it memorizes that page number as the last page used and will from then on only accept words "after" that in the page list. If some nefarious third party sees the word (or even a number of words) that doesn't really tell them anything useful because reusing that specific word will no longer open the car and they don't have the page list to figure out what the next words would be.

All of that pseudo-random jargon is just a clever way of having this "page list" without actually needing to store a list of "page numbers".


(This only applies to non-CA. Automated forms of access have a totally different problem and power-limiting is undoubtably a necessity for CA.)
Looks like a few companies need to be told how good their shit really isn't...

http://www.guardian.co.uk/technology...ker+News+50%29
Appreciate 0
      07-27-2013, 12:13 AM   #30
Chris215
Private
5
Rep
56
Posts

Drives: 2013 335xi sedan
Join Date: May 2013
Location: philadelphia

iTrader: (0)

I would say anything after 10-12 ft you're completely screwed.
Appreciate 0
      07-27-2013, 01:44 PM   #31
JesseS
Private First Class
13
Rep
173
Posts

Drives: BMW 3/15 DA-2
Join Date: Jul 2013
Location: Raleigh, NC

iTrader: (0)

Quote:
Originally Posted by dinonz View Post
Looks like a few companies need to be told how good their shit really isn't...

http://www.guardian.co.uk/technology...ker+News+50%29
Ahh, yes. In the information security industry that's called "Security Through Obscurity", and it doesn't work. Precisely for the reasons the article discusses: You can, perhaps, stop the Good Guys from figuring things out but you can't stop the Bad Guys because they don't give two hoots about the law, so you end up with situations where the criminals share all their knowledge with each other but those of us on the other side aren't allowed to try to stop them by sharing info (and thus forcing the manufacturers to improve).

Stupid.

IMO, any car company that knowingly implements poor security and then tries to cover it up with "gag orders" is criminally negligent.
Appreciate 0
      07-27-2013, 01:47 PM   #32
jdong
Lieutenant
19
Rep
503
Posts

Drives: 2013 BMW ActiveHybrid 3
Join Date: Dec 2012
Location: NorCal

iTrader: (0)

Replay attacks are relatively easy to protect against. What's harder to protect against is a proxying attack, where one attacker follows you while another one stands close to your car, and they both carry transmitters that repeat the transactions between the car and the remote, essentially acting as an extension cable for your car remote.
Appreciate 0
      07-27-2013, 02:24 PM   #33
JesseS
Private First Class
13
Rep
173
Posts

Drives: BMW 3/15 DA-2
Join Date: Jul 2013
Location: Raleigh, NC

iTrader: (0)

Quote:
Originally Posted by jdong View Post
Replay attacks are relatively easy to protect against. What's harder to protect against is a proxying attack, where one attacker follows you while another one stands close to your car, and they both carry transmitters that repeat the transactions between the car and the remote, essentially acting as an extension cable for your car remote.
That only works for fully-automated access (like CA), but yes, like I said, CA does have an additional set of problems. If the power output from the fob was high enough you could just find a nice BMW in an office parking lot and proxy the car's transmissions into the building, while attempting to open it, pick up any responses and proxy them back.

Some manufacturers try to protect against this by having a very strict latency bounds check (time between when the car asks the fob to respond and when the fob's response comes back). Because the proxy attacker's retransmission algorithm and electronics will always induce some sort of latency this theoretically can prevent the attack. Of course, it also creates an arms race in terms of retransmission speeds (as well as potential well-timed replay attacks if there are any flaws in the request/response algorithm).

Personally, I would love to have a fob with a complete power-down switch, so I could ensure the fob would never respond to any transmissions when I was at home/office. Perhaps with a safety check to ensure you could only power-down after the car acknowledged it was completely off and locked.

(Note: One thing you can do is construct or buy a small Faraday cage and put your fob in it at work/home. Something like http://www.select-fabricators.com/pr...lding-pouches/, which should attenuate RF signals sufficiently to prevent the fob from "seeing" proxy attacks and/or responding. You need to make sure the cage attenuates the correct frequencies though; I think most fobs are in the 300-500 MHz spectrum, but I'm not 100% on that.)

Last edited by JesseS; 07-27-2013 at 02:36 PM..
Appreciate 0
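The latency bounds check described in the post above, as an added example that is not part of the original thread and not any manufacturer's code. It assumes an HMAC-SHA256 challenge/response with a shared key; the 50 µs bound, the timings and all names (`Car`, `fob_answer`, `run_scenarios`) are constructed for the demo, with the clock passed in so the outcome is deterministic.

```python
import hashlib
import hmac
import os

MAX_RTT_US = 50  # constructed bound for the demo, not a real vehicle's figure

def fob_answer(key: bytes, challenge: bytes) -> bytes:
    # The fob proves knowledge of the key for this specific challenge.
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Car:
    def __init__(self, key: bytes, max_rtt_us: int = MAX_RTT_US):
        self.key, self.max_rtt_us, self.pending = key, max_rtt_us, None

    def challenge(self, now_us: int) -> bytes:
        nonce = os.urandom(16)            # fresh per attempt, so old answers are useless
        self.pending = (nonce, now_us)
        return nonce

    def verify(self, answer: bytes, now_us: int) -> str:
        if self.pending is None:
            return "no-challenge"
        nonce, sent_us = self.pending
        self.pending = None               # each challenge can be answered once
        if not hmac.compare_digest(answer, fob_answer(self.key, nonce)):
            return "bad-answer"
        if now_us - sent_us > self.max_rtt_us:
            return "too-slow"             # correct answer, but it took too long to arrive
        return "unlock"

def run_scenarios() -> dict:
    key = b"constructed-shared-key"       # constructed sample value
    car, out = Car(key), {}
    nonce = car.challenge(now_us=0)
    direct = fob_answer(key, nonce)
    out["direct"] = car.verify(direct, now_us=20)      # fob next to the car
    out["reused"] = car.verify(direct, now_us=25)      # same answer, no open challenge
    nonce = car.challenge(now_us=1000)
    # Same valid answer, but 200 us of extra path delay on top of the 20 us round trip.
    out["delayed"] = car.verify(fob_answer(key, nonce), now_us=1000 + 20 + 200)
    car.challenge(now_us=2000)
    out["old_answer"] = car.verify(direct, now_us=2010)  # answer to an earlier nonce
    return out

if __name__ == "__main__":
    print(run_scenarios())
```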
      09-01-2019, 10:11 AM   #34
lifeofbimmer718
New Member
0
Rep
5
Posts

Drives: 2014 BMW 328i xDrive
Join Date: Jul 2019
Location: NYC

iTrader: (0)

lost range when comfort access closing was active

This happened to my 2014 328i after I enabled comfort access for closing. The range was random and sometimes it would not start unless I held the key close to the steering wheel. When I took off comfort access the range came back.
Appreciate 0
      09-01-2019, 06:13 PM   #35
deviantspeed
poopycat
United_States
266
Rep
791
Posts

Drives: 2017 F31 330ixT
Join Date: Jul 2016
Location: I live in a tent around Seattle

iTrader: (0)

Quote:
Originally Posted by Wombat View Post
have you tried the top gear key FOB trick?
just put the key to your head

http://youtu.be/_jACSPipPSE
In the PNW we used to put it under our chin, press semi-hard and it actually worked. Your body becomes a ground plane (maybe) and reflects more of the radio wave outwards... well maybe not more, but changes the parabolic curve a bit.

I have nothing to back this up, other than it worked when I was in my teens.
Appreciate 0