[ssh]

I think the situations are very different between our continents. Shame you don't seem to believe us. I park in Heathrow airport many times a year and those carparks can be hectic.

If you are in the game of thieving then its easy pickings.

Well... I like to think I've traveled extensively (6 continents, 2 million flight miles, etc.), and I can think of only one time when people were this close to me (departure lounge in Bangalore). And in that case, my claustrophobia hit so hard I had to create a "pocket" around me. Again, 4cm? A meter, maybe, but no one gets that close to me without me being aware. And if I'm traveling in those cases, I set my phone to require me to unlock it before it uses NFC (turn off Express Mode for the BMW card).

And yes, I'm a professional security person (a "professional paranoid" as we like to say), and I understand the risk, but with NFC I just don't see it being significant.

 

[NCe40]

I've never had comfort access before. I have grown to love it. But this thread has added to my already (amateur status) paranoia. What are the things I should be looking for in public parking areas? A car following me to Walmart, then parking next to me to scan my key when I get out of the car? I ordered a Faraday pouch yesterday as a result of this thread. Take it out of the pouch to get in the car (inconvenient - kind of defeats the purpose of comfort access), keep it out while driving(?), keep it out so the doors lock(?), then put back in the pouch? I'm not sure where/when I am vulnerable.

 

[Chuck]

I've never had comfort access before. I have grown to love it. But this thread has added to my already (amateur status) paranoia. What are the things I should be looking for in public parking areas? A car following me to Walmart, then parking next to me to scan my key when I get out of the car? I ordered a Faraday pouch yesterday as a result of this thread. Take it out of the pouch to get in the car (inconvenient - kind of defeats the purpose of comfort access), keep it out while driving(?), keep it out so the doors lock(?), then put back in the pouch? I'm not sure where/when I am vulnerable.

For a relay attack:

• one person needs to be holding a scanner < 4cm from your key.
• another person needs to be holding the transmitter < 4cm from your car's door handle
• you need to be moving around, so your key doesn't go to sleep
• the relay is used to forward a cryptographic challenge and response from the key to the car to open the door
• Once insider the car, they need to place the transmitter in the charging bay and forward a 2nd cryptographic challenge and response to start the car

you won't be able to prevent someone from standing next to your door handle while you're not at your car.
you just need to make sure no one is holding a device or bag within 4cm of your key

 

[ssh]

For a relay attack:

• one person needs to be holding a scanner < 4cm from your key.
• another person needs to be holding the transmitter < 4cm from your car's door handle
• you need to be moving around, so your key doesn't go to sleep
• the relay is used to forward a cryptographic challenge and response from the key to the car to open the door
• Once insider the car, they need to place the transmitter in the charging bay and forward a 2nd cryptographic challenge and response to start the car

you won't be able to prevent someone from standing next to your door handle while you're not at your car.
you just need to make sure no one is holding a device or bag within 4cm of your key

That 4cm is for NFC (the phone/watch as key). It's a longer distance for the fob (Bluetooth).

 

[gsbaker]

I didn't have enough in my leasing budget for fancy features like Comfort Access, so I take comfort in the fact that my keyfob is more secure.

However, is it possible that an attacker would be able to catch and replicate the signal of the keyfob when I press the button to lock/vulnerable the car? Or is only the comfort access keyfob vulnerable?

Would it be safer to only unlock the car via the phone app?

I think I live in an area where this is unlikely, but still I went through the drill of solving the problem.

I have a faraday pouch and when I want to park my car securely I put the fob in the pouch while still in the car.

I then get out and lock the car by the touchpad on the door handle. This way there is no unlock signal transmitted outside the car. With the fob inside the car there is significant shielding until I open the door.

I believe this is a fair protection and not too difficult to use.

 

[dudenjen]

All I can say is..... "this is scary stuff." I just hope my luck holds out and I never fall victim. Not to discount or disparage, what sounds like legitimate concerns, but I'm 60 yrs old now, and I choose not to worry myself about it. I have age and other life-health related concerns to keep me busy. I'll keep my insurance in force and buy another car if my i4 is stolen.

Drive it, enjoy it, and try not to let "would be criminals" rob you of your driving pleasure.

 

[niam]

4 cm distance between humans is common in scenarios involving public parking and such?

Please provide photographic evidence of this. It sounds unbelievable, as if strangers and drivers routinely spontaneously engage in tango dancing.

You have a very large country. We do not have large rural areas in some part of europe. Big cities are difficult for drivers and parking. But believe me so time i have to wait to be able to go into the car since i am not able to go in because the parking car beside me in to near to my car…
I was not arguing about security of the fob, only about t he fact that you are in a queue, to pay your parking fee, to go into the elevator to reach you car in the underground where you left it etc…
The cities are overcrowded…

 

[trivalent]

You have a very large country. We do not have large rural areas in some part of europe. Big cities are difficult for drivers and parking.

Interesting. I was born, raised, and lived for almost 40 years in New York City. Not the biggest... but it's a pretty big city.

Also I lived in San Francisco twice. While it is not a big city, it is somehow European in scale and configuration, I think. I drove there some, but mostly rode motorcycles there. What little public parking there was in SF, it was more accessible to a motorcyclist. In all of that, I have no recollection of anyone being 4 cm from me who was not my passenger on a motorcycle.

Albeit I never drove in Europe (I was only ever a passenger in cars there), I lived in London for work briefly; and I spent some time in Paris and Berlin. Maybe it was different times and/or I wasn't in the right places. But I cannot recall seeing, at large, situations in European cities where motorists were bodily 4 cm from strangers, even in egress and ingress situations.

I cannot refute your experience. Based on my own anecdotal observations, however, I do question your report of it as being relevant to this specification (4 cm).

 

[NCe40]

fact that you are in a queue, to pay your parking fee, to go into the elevator to reach you car in the underground where you left it etc…

This is what I was most worried about in terms of vulnerability. I completely understand the proximity in these situations. Since you would be moving around in the above mentioned scenarios, I am assuming the key fob is still broadcasting a signal to the would-be-thief standing behind you who then sends it to a confederate standing at your car door?

The day this thread popped up, I ordered a Faraday pouch. It arrived last night. Tested it. Works great in that it doesn't open the car doors even if I hold the pouch next to the door handle.

 

[ssh]

This is what I was most worried about in terms of vulnerability. I completely understand the proximity in these situations. Since you would be moving around in the above mentioned scenarios, I am assuming the key fob is still broadcasting a signal to the would-be-thief standing behind you who then sends it to a confederate standing at your car door?

The day this thread popped up, I ordered a Faraday pouch. It arrived last night. Tested it. Works great in that it doesn't open the car doors even if I hold the pouch next to the door handle.

For the fob, yes. For the NFC (digital key) either turn off express mode (so you have to unlock the phone to use it) or use an RFID blocking pouch/sleeve.

Although if someone is within 4cm of me, they have my full attention.

 

[NCe40]

For the fob, yes.

That's what I needed. TY.

 

[trivalent]

Although if someone is within 4cm of me, they have my full attention.

Exactly. 😅

 

[Matty106]

Exactly. 😅

So you have parked up in a multi-storey car park and get into a busy lift. It could be a 360 degree situation where anyone can have a device that could scan you. Not Bangalore, but an Airport that I will drive to in my own car from my home.

Another thing to consider is a vulnerability could one day be discovered in NFC which could easily be exploited without your phone or fob.

It's a personal choice if you want to accept the risk.

 

[ssh]

So you have parked up in a multi-storey car park and get into a busy lift. It could be a 360 degree situation where anyone can have a device that could scan you. Not Bangalore, but an Airport that I will drive to in my own car from my home.

Another thing to consider is a vulnerability could one day be discovered in NFC which could easily be exploited without your phone or fob.

It's a personal choice if you want to accept the risk.

If Express Mode is off, NFC can’t be read while the phone is locked. So, turn it off in this case.

If there’s an NFC exploit, it will be known everywhere since it’s used for so much.

There are always theoretical risks, but for my car I’ll stick with the known risks.

As for the fob, it’s not as simple as it seems. BMW uses rolling codes, so playbacks don’t work. However, relay attacks will.

 

[trivalent]

So you have parked up in a multi-storey car park and get into a busy lift. It could be a 360 degree situation where anyone can have a device that could scan you. Not Bangalore, but an Airport that I will drive to in my own car from my home.

No. However...

Another thing to consider is a vulnerability could one day be discovered in NFC which could easily be exploited without your phone or fob...

But it has not yet been discovered, as far as I know. Because that was the only use case I was commenting on, after the phone NFC scenario was broached in this thread, I stand by my conviction that not even the "busy lift" example presents a risk to the phone NFC user.

 

[niam]

Interesting. I was born, raised, and lived for almost 40 years in New York City. Not the biggest... but it's a pretty big city.

Also I lived in San Francisco twice. While it is not a big city, it is somehow European in scale and configuration, I think. I drove there some, but mostly rode motorcycles there. What little public parking there was in SF, it was more accessible to a motorcyclist. In all of that, I have no recollection of anyone being 4 cm from me who was not my passenger on a motorcycle.

Albeit I never drove in Europe (I was only ever a passenger in cars there), I lived in London for work briefly; and I spent some time in Paris and Berlin. Maybe it was different times and/or I wasn't in the right places. But I cannot recall seeing, at large, situations in European cities where motorists were bodily 4 cm from strangers, even in egress and ingress situations.

I cannot refute your experience. Based on my own anecdotal observations, however, I do question your report of it as being relevant to this specification (4 cm).

New York is certainly a big complex city, only to clarify: i never wrote about security of the fob and never spoke about 4 cm. I think it depends where you are and what time of the day you refer to. My argument was only that our cities are overcrowded and some people doesn’t pay attention to leave enough parking space between two cars…, might be my English problem…

 

[J_P]

A few people have mentioned not having comfort access as more secure. Can anybody explain this? I didn't think relay attacks had anything to do with comfort access and having comfort access makes you no more vulnerable than not.

 

[gsbaker]

A few people have mentioned not having comfort access as more secure. Can anybody explain this? I didn't think relay attacks had anything to do with comfort access and having comfort access makes you no more vulnerable than not.

I think comfort access transmits a signal at all times, leaving more time for relay attack.

but without comfort access you must still transmit a signal whenever you press the unlock button. So at that time if there is a relay device switched on it could detect you.

I don't recall whether it is standard or optional, but I can lock my car by touching the door handle.

I must test again whether this works with the fob pouched

 

[gsbaker]

Exactly. 😅

Depends on who it is

 

[yobro 24]

That's my point... less than 4cm from me when the key is available on my phone? No one gets that close to me... ever!

Not even your wife!