
Bavarian Motor Works


  • Bavarian Motor Works

    I'm a great fan of BMW vehicles - always have been. My dream car is the 7 series long wheelbase version (E38, not the newest revision), preferably with extra security options. I digress.

    When I was drooling over BMW's web site many moons ago, they were incredibly open on their web site about the security vehicles available, particularly for Presidents, Heads of State, advisors and so forth. Double-glazed bullet-proof glass as standard, armoured vehicle body, run-flat tires and many more wonderful gadgets (sadly not including blood transfusion sachets).

    This has changed over the last few months and they now have a very coy attitude. I wish I could quote but the BMW site does not take kindly to Lynx (yes I told the bloke who made it, no he doesn't care). So I made up this quote from my memory and have no recollection of security levels. Any quotes from the web appreciated, otherwise I will update this thread with *actual facts* tomorrow in front of a GUI.

    BMW offer 7(?) levels of protection for vehicles, ranging between the security-conscious public to the high-risk Presidents. Levels 1-4 (?) are available to purchase over the counter for serious amounts of cash. However levels 5 to 7 (?) are restricted.

    BMW will take into consideration the purchaser's risk levels, decide on the most appropriate vehicle for them, then sell it to them under strict terms and conditions. The vehicle must never go on the open market; once they decide they no longer want it, it must be sold back to BMW to be re-circulated within the selected few.

    Now that's security. There are still obvious gaps in the protocol, but shit there are so many security measures employed in levels 5-7(?) by BMW that it (a) makes great marketing and inspires confidence but (b) prevents wide circulation of known issues.

    Don't let that last point start a flame war.

    Do any IT manufacturers employ such security? Would the model work? What are the major flaws? I have a friend who works for a bank (obviously not saying much, don't blame him) but from what he's said they simply buy equipment other companies cannot afford. There doesn't seem to be high-security IT equipment sold to the "select few".

    Edit; Clarified question
    "There are those who do the work and those who take the credit. I try to be in the first group, there is less competition there." -- Gandhi

  • #2
    Originally posted by Spanners
    Do any IT manufacturers employ such security? Would the model work? What are the major flaws? I have a friend who works for a bank (obviously not saying much, don't blame him) but from what he's said they simply buy equipment other companies cannot afford. There doesn't seem to be high-security IT equipment sold to the "select few".
    Means, Opportunity and Motive play an interesting part to this.

    Opportunity:
    Using the car as a metaphor is not the best choice, since the number of people with "access" to see the computer when it is on the network is much higher than for a car that generally must be visited in person.


    Means:
    Like computers, script kiddies exist with breaking into cars, or breaking their security. If a secret is discovered on how to break the security, it can be shared, but not as quickly. In this way, only one, very skilled person needs to break the security and then train others.

    Motive:
    Similar. People want to break into cars to steal them, or gain access to the contents, and similar for computers.

    Problem:
    Physical Security is a big deal. Where are you working your metaphor? A vendor that provides levels of physical security? data integrity? High availability? Reliability?
    Is your interest in OS Security? If so, would a "trusted system" suffice? Issues of compatibility, ease of use, and expense in hiring people who can manage such systems properly seem to suggest deeper pockets than most.

    Car security as you mentioned seems to be one of protecting against DoS. (i.e. Eliminating the people inside.) It is just an arms race. Build a better car? Build a bigger/smarter bomb/attack method/force.



    • #3
      Originally posted by TheCotMan
      Using the car as a metaphor is not the best choice
      Quite right. I was "thinking outside of the box" by "thinking inside the bottle" (Smirnoff to be exact), taking more than one step back from the world and puzzling over its problems.

      After my post though I found an article in a magazine that originally got me to research the web. A bit tongue-in-cheek, a bit hyped, but a good read;

      Originally posted by Sebastian de Latour
      BMW Car Magazine Aug 2005 Page 29 "Heavy Metal"
      BMW has divided its armoured range into seven different levels - B1 through 7 - with B1 offering light protection against public disturbances and B6/7 having been designed to deal with full-on urban warfare.
      ...
      one of the tests that BMW carried out on one of its B7 cars was to detonate a grenade and, separately, a small quantity of TNT two feet away from the car in order to observe the effects. While the outer surfaces of the car sustained heavy damage, the occupant cell remained completely intact and unharmed.
      ...
      Lower-security cars, such as those in the B4 class, offer protection against theft, robbery as well as the threat of carjacking - the armour on a B4 vehicle can withstand shots from .44 calibre Magnum revolver ammunition - these vehicles tend to be purchased for private use in countries such as Latin and South America. Other options at the higher end of the security scale include an internal air supply for protection against any gas attacks, and an easily removable windscreen (from the inside, at least) for when you're surrounded on both sides
      ...
      So, who's going to get these High Security vehicles? Well, you won't be finding out anytime soon, as BMW operates a code of absolute discretion, and its own pool of armoured vehicles is made available to customers around the world at short notice, and in almost any location. So, how do you go about getting your hands on one of these leather-lined tanks? Slow down there - BMW doesn't just let anyone hand over a serious-money cheque in exchange for the keys. It has to make sure that none of its High Security cars go to the 'wrong' customers, either new or pre-owned.
      ...
      BMW offers purchasers of its High Security vehicles a buy-back option .. following a thorough inspection at its Dingolfing plant where all High Security cars are built
      I don't know how much of an article I can get away with quoting; you get the idea but the whole thing is a smashing read. You might guess I also intend on buying a (neutered) tank when I win the lotto. They're just so cool.

      Originally posted by TheCotMan
      Means, Opportunity and Motive play an interesting part to this
      Something I didn't consider!

      Originally posted by TheCotMan
      Opportunity:
      , since the number of people with "access" to see the computer when it is on the network is much higher than for a car that generally must be visited in person.

      Means:
      Like computers, script kiddies exist with breaking into cars, or breaking their security. If a secret is discovered on how to break the security, it can be shared, but not as quickly. In this way, only one, very skilled person needs to break the security and then train others.
      Summing up the point I think I was trying to reach in a round-about way. If access to the technology of a highly secure system was more restricted, aka "absolute discretion" and "doesn't just let anyone hand over a serious-money cheque in exchange for the keys" (keys, heh) then wouldn't that be a good thing?

      Originally posted by TheCotMan
      Problem:
      Physical Security is a big deal. Where are you working your metaphor? A vendor that provides levels of physical security? data integrity? High availability? Reliability?
      Is your interest in OS Security? If so, would a "trusted system" suffice? Issues of compatibility, ease of use, and expense in hiring people who can manage such systems properly seem to suggest deeper pockets than most.
      I'm not sure to be honest, it was a conversational point probably more suited to a light-hearted Friday night bar session than a DC thread, sorry. My perspective on this is a general overview of any system as a whole.

      Perhaps those with the deepest pockets require the most discreet devices..

      Originally posted by TheCotMan
      Car security as you mentioned seems to be one of protecting against DoS. (i.e. Eliminating the people inside.) It is just an arms race. Build a better car? Build a bigger/smarter bomb/attack method/force.
      He-he nice DoS analogy. The arms race sounds familiar though.
      Last edited by Spanners; August 26, 2005, 08:46.
      "There are those who do the work and those who take the credit. I try to be in the first group, there is less competition there." -- Gandhi



      • #4
        Originally posted by Spanners
        You might guess I also intend on buying a (neutered) tank when I win the lotto. They're just so cool.
        True, but they're better with *everything* working :) Besides, Daimler Ferret scout cars are *so* much more manoeuvrable in urban environments. I'll take mine with the Browning .30 machine gun, please.



        • #5
          Originally posted by skroo
          True, but they're better with *everything* working :) Besides, Daimler Ferret scout cars are *so* much more manoeuvrable in urban environments. I'll take mine with the Browning .30 machine gun, please.
          Personally I like the Fox over the Ferret.

          http://www.military-vehicle.net/vcls/fox.htm

          It's a little bigger (good for an Ogre like me) and has a 30mm main gun with a 7.62 secondary.

          There is a guy that has one here locally (a school teacher that has quite the collection) and shows them off at the gun shows periodically.

          -JohnD



          • #6
            Originally posted by Spanners
            Summing up the point I think I was trying to reach in a round-about way. If access to the technology of a highly secure system was more restricted, aka "absolute discretion" and "doesn't just let anyone hand over a serious-money cheque in exchange for the keys" (keys, heh) then wouldn't that be a good thing?
            Security by Obscurity is generally not a good thing. There are exceptions. A password is usually obscure, as are PINs. Obscurity only serves to limit access based on education/knowledge, and a known secret can be shared once understood or known.

            Let us assume BMW restricts people who may buy some class of "super secure" car. Where money is involved, several attacks could ensure any car is passed to, "the wrong people."

            1) Social Engineering
            2) Use of a willing proxy that is blackmailed, extorted, coerced, paid, etc to order a car for the "bad people"
            3) Simple Theft. How much would it cost to rent a crane or helicopter to lift and transport a car that the builder refuses to sell to you? Is it less than the cost of buying the car?
            4) (more)

            Also, if signals are used to notify people of car theft, perhaps a portable Faraday Cage could be used pre-transport. (the list of escalation goes on...)

            Going further...
            If a company's job is to make money, what value is there in restricting people who are willing and able to pay for your goods/services?
            It inconveniences the consumer and considering the above, only provides an image of restrictive access. (Sound like the Airport Terminal Security/Feds? Yeah.)
            Once the "wrong people" get their hands on such a car, they can search for weaknesses. It is not in their interest to notify the vendor. While they have this secret, they can create DoS against owners, and accept payment for such a service. (Similar to groups with secrets on how they break copy protection.)

            I'm not sure to be honest, it was a conversational point probably more suited to a light-hearted Friday night bar session than a DC thread, sorry. My perspective on this is a general overview of any system as a whole.
            Heh. Ok.

            Perhaps those with the deepest pockets require the most discreet devices..
            There exist customers with large sums of money gained through less than ethical methods, who are targets of law enforcement or other organized groups. It would seem that many people who have genuine use for such a car are willing and able to buy them, but be considered "bad people." Would a company really say no to profit?



            • #7
              Originally posted by John D
              Personally I like the Fox over the Ferret.
              Good choice. I actually like the Fox; the Ferret just has some sentimental attachment for me as I got a ride-around in one as a kid. Few things at the age of 13 are more fun than the looks on the faces of the people in the Ford Escort as the Browning swings around on them :)



              • #8
                Originally posted by TheCotMan
                Security by obscurity is not a good thing.
                Agreed - not when used on its own. I was about to launch into an anti-post claiming "discretion" is not "obscurity", but after a lot of thought you are quite right. Sorry, I'm a bit slow.

                I'll respond to your points in order if I may;

                Originally posted by TheCotMan
                1) Social Engineering
                Agreed. I managed to get a free 7-series test drive for two weeks without really trying. I felt like a king! They ultimately win though, I still want to buy one. Seriously though, it would be a very small percentage of the population who would (a) attempt and (b) succeed in owning such a vehicle through this method. Obscurity? Absolutely. More secure than a Ford Fiesta? You can bet your RaQ on it.

                "Script kiddy"-style behaviour in a vehicular sense is now quite rare.

                Originally posted by TheCotMan
                2) Use of a willing proxy
                Again, point 1 with a different target.

                Originally posted by TheCotMan
                3) Simple Theft. How much would it cost to rent a crane or helicopter to lift and transport a car
                There are lots of costs to consider if stealing a car, my incomplete thoughts;

                * The ACTUAL cost (money & otherwise) if rightly caught stealing it. In this case the chances would be small, but "they didn't get where they are today without considering the risk."
                * Transport of the vehicle to a secure location
                * Gaining access to the vehicle while only causing economically-repairable damage (rather difficult in this case)
                * As you mentioned, silencing any transmission in the process
                * Fencing the vehicle to a co-operative buyer

                In my opinion, yes it would cost more to steal the vehicle than to buy it. The theft would be far from simple even if it succeeds. My opinion could be far from reality however, I haven't tested this theory.

                Originally posted by TheCotMan
                4) .. perhaps a portable Faraday cage
                Agreed, there are circumventions for all current vehicle security. But we haven't discussed any of the additional security of the BMW simply because we don't know them or aren't willing to discuss them. Obscurity is far from complete, but I believe it has served its purpose in this case, and is still a powerful weapon as part of a complete armoury in any defence situation.

                I still believe the infosec community has much to learn from other industries. Infosec definitely think faster and better, but it is still so young. Then again I have much to learn about anything. On a personal note, Faraday and Tesla are my two secret heroes. Don't tell anyone.

                Thanks for putting this thread in perspective. But I'll still chew like an adamant dog. Doesn't obscurity in security have its place? It's not security on its own, but nor are passwords, or fingerprinting, or anything else on its own. But as part of a policy it does add some form of protection, even if only from a small percentage of attacks.

                And on the subject of bloody great big (neutered) tanks;

                Originally posted by skroo
                True, but they are better with *everything* working :)
                Not in my country they're not! I'm surprised we're allowed to have microwaves. I've been arrested, but released without charge (as has a friend, on a separate occasion) for having a BB gun on private land. IT'S A TOY! I fear a tank would not go down well.

                Originally posted by skroo
                Daimler Ferret scout cars are *so* much more manoeuvrable in urban environments. I'll take mine with the Browning .30 machine gun, please
                Originally posted by John D
                Personally I like the Fox over the Ferret
                Originally posted by skroo
                I got a ride-around in (..a Ferret..) as a kid. Few things at the age of 13 are more fun than the looks on the faces of the people .. as the Browning swings around on them :)
                Damn, you Americans sure know how to have fun. I spotted a post on DC mentioning a ballistic range in Vegas - I must go. Now. Soon. Next year then, whatever. Mind if I tag along? Apparently I'm a marksman with the British equivalent (spud gun), I'd love to try the real thing.

                Please excuse any mis-quotes - this post is hand-typed. Clipboards are but a distant memory. As is sex. What? Don't talk about my sex life, it's none of your business.

                P.S. Thank God for forums, I've learned so much in such an inane thread!
                Last edited by Spanners; August 30, 2005, 14:31.
                "There are those who do the work and those who take the credit. I try to be in the first group, there is less competition there." -- Gandhi



                • #9
                  Originally posted by Spanners
                  And on the subject of bloody great big (neutered) tanks;

                  ...

                  Not in my country they're not! I'm surprised we're allowed to have microwaves. I've been arrested, but released without charge (as has a friend, on a separate occasion) for having a BB gun on private land. IT'S A TOY! I fear a tank would not go down well.
                  Even here, it depends on where you live and whether or not you can be licensed for heavy armaments. For the most part, John Q. Public may be able to own a tank, but all the fun stuff has to be switched off before he can take possession of it.

                  Damn, you Americans sure know how to have fun.
                  Actually, that was at Aldershot. I'm half-Irish, half-American, and spent most of my life up to the age of 24 in either Ireland or the UK.



                  • #10
                    Originally posted by skroo
                    Actually, that was Aldershot
                    Heh heh, of all the places in the UK to have fun, that has to be one of them.

                    Originally posted by skroo
                    I'm half Irish, half American, and spent most of my life up to the age of 24 in either Ireland or the UK
                    That's around my age now, but I've spent most of it in the UK. A suppressed soul eagerly awaiting to experience other cultures. I consider you lucky (you might think otherwise).

                    How about I give you a buzz when I win the lotto? "I bet my browning is better than yours."
                    Last edited by Spanners; August 30, 2005, 14:52.
                    "There are those who do the work and those who take the credit. I try to be in the first group, there is less competition there." -- Gandhi

