Tuesday, April 5, 2011

Why can't I just buy a motorcycle without WORK interfering?

It seems that Information Security is something that is not only my profession but ingrained into every little thing that I do. Not to say that I am conscious of it or even attempt to CLAIM that I am secure but it pops it ugly head up in the most conspicuous places.

This past friday (April 1st 2011) I decided that I would go test drive a 2011 Ducati Diavel.



This is the motorcycle I have been looking for. It fits the silly criteria I have put forth to restrict myself from buying such toys. Leave it to Ducati to come out with what I was dreaming as a hybrid "Cruiser/Sport Bike." Well, they did it and it drug me straight into the dealership a few days after its release to the public. The bike is a muscle bound sprinter that is dripping with technology. It has a FULL Light sensitive TFT screen, multiple different riding modes (changes the bikes stance,compression,engine tune,shocks,and even shift points), and just about every other gadget you could throw on a stock bike (ABS, Trac Control, and MORE). This is the Geek Muscle bike of my dreams...and I was in awe.

So, after an extended stare at it I decided to take the bike for a much anticipated test drive. The salesman gladly handed me a few papers to sign and off I went. The bike was AMAZING. Not only does it have enough tech to make an ADD security guy like me completely enamored, but it will quickly bring you back to riding with its 162 horsepower roar. I was in pure motorcycle bliss. Crushing speed-limits in 2ond gear with a smile stamped on my face and 87 degree Denver air wisping by. I was sold. On my way back to the dealership I stopped by one of my good friends house to get a second opinion before I put down the deposit. After turning the bike off (via the On/Off electronic button)I went to grab him from the house but he wasn't home. So, I hopped back on the bike and was headed back to the dealership. Except it wasn't that easy.

I got on the bike and hit the start button. The pretty screens fired back up with an electronic buzz and the TFT read "password" and showed 4 spaces. (was located where teh "riding mode" is on the pic below:



"Great...a password...arrgh... just like work" was the first thing that rolled through my head. I call the dealership to see if they can help me out and hand over the password. Just my luck, it was the end of the day and their phones had already rolled over to voice mail. Needless to say, my message was not very pleasant.

So, like any InfoSec type.. I start my assessment. ( the work in PTES recently has kept me on the method side of practice)

#1 Find the key (looked all over... no key... damnit... must be one of those proximity keys... maybe it is under the seat.)

#2 try and open existing areas that require key ( well, jiggleers are not much use on side dimpled lock/key... but i felt around a bit to see if there was anything obvious I could spring it with... no dice)

#3 Guess the PW " Hrm, these arent security people.. lets try the standards. 0000,1234,4321,1111,9999.. nope... maybe some that are bike or location specific... 0303,3030,0720,7200, 0666,6660,9990,0999... and so on... trying other ducati model #'s and things that may represent my location or even the bike *hence 666-Diavel..) STILL NO LUCK

#4 Bypass (I rooted around the bike for about 20 min trying to see how the ignition worked. Of course... I could trace the mess of wires back to an area that required tools not present at the time... so no luck there

Stuck and unable to do much more, I called in some backup. My wife was on the way to the dealership and Ryan was on the keys trying to ask the interwebs for the password. There was nothing out there in a quick search that he could find. *Oh yea.... I didn't have my phone with me so I was doing this all through a neighbors cell*

Finally after almost 2 hours, the phone rings. It's the dealership. In haste I say " what is the password" and they walk me through it. the password is 1375... a number that seemed familiar. The bike fires back up and I am back on the road towards the dealer. As I arrive the salesman is standing out front with a long face. He calls out

Sales Guy(SG):" Man, I am sooooo sorry. I should have told you about that password. One of our tech's lost the key so we have had to run it with the password instead of the key."

Great... now I care more about the security of the bike...than the discount I could have negotiated from being a pissed off customer. I respond

Me:"So, you run this without the key?"

SG:"Yep, if you have the key the password screen just doesn't show up.. but its an awesome feature if you ever lose a key or something. It is set up that way from the factory."

Me: "Um, yea... or if someone wants to steal your bike and guesses your password"

SG: "I supposed thats true"

Me: *relooking over the bike and seeing why 1375 is familiar* "Huh, the code is the last 4 of the VIN"

SG: "Well, lemme tell ya something *as he shields his mouth like he is telling a secret* ALL OF THESE BIKES USE THE LAST 4 OF THE VIN AS THE PASSWORD. THAT IS HOW THEY COME FROM THE FACTORY"

Just then, you can see my wife's face drop and look at me... as if to say.. " I CAN'T believe that you just told HIM that!!!"

ME: " Can you change the password"

SG: "We have a call in to them on that, but as of right now there is no option"

Me: " Holy $#it, that is horrible."

I was blown away. Now I sit there with the bike of my dreams and it is tainted with a trivial flaw which could allow for its theft. What to do? Well, sad to say, I walked away. I needed to feel out mitigation options for this fundamental flaw.

Just to be sure, I checked this out with a few other ducati/security fans. It seems it is true. Ducati in ATL 1 of 1 bikes started. Ducati Dallas 2 of 2 started. Ducati London 1 of 1 started. Boy oh boy, were the salespeople and others surprised to see them fire up.

With the righ mindset this could be an AWESOME feature. 2Factor auth to start my BIKE!!!! HELL YES!

BUT...

In the name of convenience, like most other failed security controls, we are left with a 4 digit password between the criminal and the 162HP prize.

16 comments:

  1. *sigh* This is why we can't have nice things.

    ReplyDelete
  2. with an option to change the password or have it be more than a 4 digit numerical password this would be an amazing feature. Alas, as you stated, just a fun joyride waiting to happen.

    ReplyDelete
  3. 1) Pin code is used when the Hands Free key (HF) failed or if you lose your key... In clear, it is for override electronic security immobilizer.
    2) Pin code can be change, and must be change by the new ridder (It's written down in the user manual, it's a good security point :-)
    3) Pin code is limited to 4 digits.
    4) Not design for use your bike without the key every day...
    5) So, it is not use for a two factors authentication, even it is should be nice... but not sure ridders care about two factor authentication starting system today.
    Ref: http://www.ducati.com/services/maintenance/index.do

    ReplyDelete
  4. Thanks for posting the obvious, Yann, but you're missing the point.

    This is like handing a key over to thieves. Or at least making it quite easy for them to figure it out on their own.

    ReplyDelete
  5. I read through the Diavel's Owner's Manual, and there's a simple procedure in there to change the PIN code.

    Nickerson's dealer must not have known what they were talking about (we've got a call in to Ducati...), but it still means that a thief with lots of time could conceivably get lucky, even with the janky PIN entry procedure.

    The real weak link here is the PDI process. It's up to the dealer's salescritter to ensure that the customer changes the PIN to a unique (HA!) number at delivery.

    I can't count how many times I've had vehicles 'Delivered' with most or all PDI unperformed. Now, if having the customer change the PIN is part of PDI...well, you can imagine the rest.

    ReplyDelete
  6. I checked with Ducati and it isn't true that the code is set to the VIN at the factory. The code is set by the dealer to a number the customer requests.

    Mark from ducatinewstoday.com

    ReplyDelete
  7. When I picked mine up the code had been set byt he dealer and they instructed me on how to change it immediately to my own preferred pin.

    Sorry - the salesguy had no idea what he was talking about.

    ReplyDelete
  8. with an option to change your password or have it on a digital 4-digit password would be a striking feature. Unfortunately, as you said, just a fun ride to happen.

    motorcycle chain lock

    ReplyDelete
  9. Still a 4 code pin, seems too easy to guess.

    Is there a timed lock out feature for incorrect guesses?.

    ReplyDelete
  10. Change the pin and get the bike Chris - it is outstanding. But get the carbon one and then let's go for a ride together :)
    --villain

    ReplyDelete
  11. The security hole is funny but I don't see why it's a deal breaker. At least here in Europa, nobody trusts the key, everybody use a U-lock or a brake lock.

    Considering that, you already have a two-factor authentification in order to run your Diavel.

    ReplyDelete
  12. For the record - I just checked my 2011 carbon black and if the dealer never set a pin code at all, then the whole function of starting without the key in your pocket is off the table. My bike won't even present the pin option till I go through the option menus and tell it that I actually want a pin in there. BLING! Diavel rules! :)

    ReplyDelete
  13. That is my dream bike too. But the Ducati is far more expensive than my econo car.
    motorcycle injury lawyer los angeles

    ReplyDelete
  14. Well this is great article , I think this is excellent piece of work by the writer and i believe that to read this topic a lot of visitors will visit this blog.
    bus to kl

    ReplyDelete
    Replies
    1. I have to say that the information here was the most complete that I found anywhere. I can’t wait to read more from you. Thanks for the great content...
      Singapore Car Rental

      Delete