The myth of the non-secure Ducati PIN number
Stories of a default ignition password on the Ducati Diavel motorcycle have been circulating for several months, and have even made it as far as an entry in the Open Source Vulnerability Database. The entry claims that the four-figure PIN number, which a rider can enter to start the bike without the ignition key, can be derived directly from the vehicle ID number. The phrase 'drive-away exploit' has been used. The problem is, it's simply untrue.
It is true that the Ducati Diavel and the Multistrada before it do have the option of entering a PIN number instead of using a key, and this PIN number can also deactivate the immobiliser. But everything else is mere rumour. Ralf Müller of Ducati dealer and tuning shop BeFaster told The H's associates at heise Security that new vehicles are delivered to the dealer with no PIN number set. It is the dealer's job to set a four-figure PIN and, on handing over the vehicle, to inform the customer of it and how he or she can change it. Customers are often advised to use their bank card PIN number, as they are less likely to forget it.
Ducati has in fact done everything right; it would be hard to find a better way of implementing this kind of security concept. But the truth is rarely allowed to get in the way of a good security breach rumour. In a posting on the Sophos blog, Paul Ducklin speculates that it could be related to a case in which a dealer did indeed use the last four digits of the vehicle ID number as the PIN number on a vehicle used for test drives. This was noticed by a blogger who proceeded to turn it into an amusing anecdote, which then spread like wildfire.
One question that appears not to have been asked is whether it might be possible to build a device to quickly run through all 10,000 PIN number combinations; heise Security say they intend to look into this.