Why the Most Expensive Cars are the Easiest to Steal
Theft of expensive vehicles by sophisticated car thieves is a big business, especially in Europe. Many of the cars are never recovered and are often sold to fund organized crime. That has created a brisk market for the tools used to pull off thefts of BMW 7-Series and Mercedes-Benz S-Class sedans. The break-in equipment that is legitimately sold to locksmiths and car garages (as well as to police and intelligence agencies, to search vehicles and plant bugs and tracking devices) often finds its way to crooks. It includes lock picks, decoders, keyless entry bypass systems, and readers that extract key profile information from the computers that control access security within the vehicle.
While car makers have concentrated on improving the security of locking systems, they have also made it easier to steal cars with impunity. The security of motor vehicles can be covertly compromised in many ways, but the more sophisticated forms of technical bypass rely on three techniques: lock picking and decoding tools, wireless interception of the communications between the car and its keyless entry system, and the decoding and extraction of key profile information from the central computer controllers within vehicles such as a Mercedes.
Owners have always believed the proper key was required to open or start their car. That is still true, sort of. But in their pursuit of greater convenience for drivers, automakers have been adopting more keyless entry systems that give a driver a virtual key that can stay in a pocket or purse. While this makes things easier for owners, it is also a boon to anyone who has the tech tools to circumvent the system, all of which rely on wireless communications that are easy to intercept. Compounding the problem is the fact that car manufacturing groups such as GM and VW use common door locks, key blanks, and internal locking components, which means that very clever picking tools are readily available to anyone who wants to buy them. Later in this article a Skoda is shown being opened in seconds with such a pick-and-decode tool, manufactured in Bulgaria.
Virtually all high-end cars offer the option of keyless entry. The security technology allows wireless encrypted data interchange between key fob and vehicle to substitute for the traditional mechanical physical key. Once the data is authenticated the doors can be opened and the car started by simply pressing the ignition button. The technical name for this system is Passive Keyless Entry Start or PKES for short. The same approach is used with contactless credit cards, alarms and door locks, but it’s still a wireless signal that criminals can spoof, clone, relay, or otherwise attack.
In cars equipped with PKES, the security relies upon two separate radio systems that are built into the key fob and the vehicle. When a driver is within about three feet of the car and triggers the system, usually by touching the door handle, a low-frequency (LF) beacon within the vehicle transmits a signal to the receiver in the fob. When this message is received, a second UHF transmitter on a separate frequency communicates with the authentication receiver in the vehicle. If the key is paired with the car, it is verified and the doors can be opened and the ignition activated. The design of all of these systems depends on the range of the low-frequency beacon, which is broadcast at either 20 kHz or 125 kHz.
Vehicle manufacturers set the operable range at about three feet, meaning that the driver must be very close to the car or the doors won't open and the ignition won't work. The purpose of the short-range, one-way transmission from the car is to wake up the key fob with a challenge query and trigger a response back to the car. Proximity ensures that someone far away cannot initiate the communication. The flaw in this scheme is that, with the right equipment, the signals to and from the fob can be repeated and intercepted from farther away than automakers anticipated. Watch how Sascha Wendt of the Lockmasters Group in Germany demonstrates how the long-distance intercept works from a few hundred feet away. The technology to do this is available to law enforcement, but criminal gangs have also managed to acquire it from other vendors, causing a rash of car thefts that perplexed police investigators in Europe and in the U.S.
The relay attack can be carried out by one or two people. One uses a repeater to extend the range of the car's LF beacon so that it activates the UHF transmitter in the key fob; that UHF transmission is what gets intercepted. The key fob and the car only need to be paired once. Once the authentication takes place, the car can be driven away without a key, and new keys can be produced for it later, after the car has been driven away.
There is a technical solution to stop keyless car hacking. A Zurich company called 3db Technologies makes a chip that can be installed in cars to pinpoint the location of the key fob to within five centimeters using encrypted communications between devices. No spoofing allowed. The inventor of the technology, Boris Danev, claims it can defeat the relay attack that Lockmasters demonstrated to me in Germany. I was shown how the chip worked in an office in Zurich using a laptop with an internal map that tracked how far the locator chip was away from the computer. It was extremely precise. Boris is in talks with all major car companies, who, he reported, seemed oblivious to the problem before he demonstrated it. He confirmed that virtually every keyless entry system is vulnerable to attack.
Some have suggested that keys be shielded to prevent thieves from intercepting signals, much like the RFID shields that are being sold to protect credit cards. This will not work with PKES, according to Danev, because transmissions would be blocked, defeating the purpose of the system. The only way to secure the technology is to do a distance measurement between the key and the car.
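The following simulation is an added example, not code from the article or from 3db Technologies or Lockmasters. It models the challenge-response exchange described above (LF wake-up, UHF reply) and shows why a correct response alone is not enough: a relayed exchange still carries a valid answer, while a car that also bounds the fob's distance from the measured round-trip time rejects it. The MAC scheme, the fob turnaround delay, the allowed range and the relay delay are all assumed values chosen for illustration.

```python
import hashlib
import hmac
import secrets

C_M_PER_NS = 0.2998         # speed of light in metres per nanosecond
FOB_TURNAROUND_NS = 2000.0  # assumed fixed processing delay inside the fob
MAX_RANGE_M = 1.0           # assumed allowed fob distance (about three feet)


def fob_respond(fob_key: bytes, challenge: bytes) -> bytes:
    """Fob side: keyed MAC over the car's challenge (assumed scheme)."""
    return hmac.new(fob_key, challenge, hashlib.sha256).digest()[:8]


def radio_path(fob_key: bytes, distance_m: float, relay_delay_ns: float = 0.0):
    """Models the LF/UHF round trip: flight time over the true car-to-fob
    distance plus any extra delay added by relay equipment (0 if none)."""
    def exchange(challenge: bytes) -> tuple[bytes, float]:
        flight_ns = 2 * distance_m / C_M_PER_NS  # out and back
        rtt_ns = flight_ns + FOB_TURNAROUND_NS + relay_delay_ns
        return fob_respond(fob_key, challenge), rtt_ns
    return exchange


def car_try_unlock(car_key: bytes, exchange, distance_bounding: bool) -> str:
    """Car side: fresh challenge, verify the MAC, and optionally bound the
    fob's distance from the measured round-trip time (the check in the text)."""
    challenge = secrets.token_bytes(8)  # fresh nonce per attempt
    response, rtt_ns = exchange(challenge)
    expected = hmac.new(car_key, challenge, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(response, expected):
        return "rejected: bad response"
    if distance_bounding:
        est_m = (rtt_ns - FOB_TURNAROUND_NS) * C_M_PER_NS / 2
        if est_m > MAX_RANGE_M:
            return f"rejected: fob estimated {est_m:.0f} m away"
    return "unlocked"


def run_scenarios() -> dict[str, str]:
    key = secrets.token_bytes(16)                  # constructed shared key
    owner = radio_path(key, distance_m=0.5)        # owner at the door handle
    relayed = radio_path(key, distance_m=60.0, relay_delay_ns=500.0)  # fob far away
    return {
        "plain/owner": car_try_unlock(key, owner, False),
        "plain/relayed": car_try_unlock(key, relayed, False),
        "bounded/owner": car_try_unlock(key, owner, True),
        "bounded/relayed": car_try_unlock(key, relayed, True),
    }
```

Calling `run_scenarios()` shows the plain car unlocking in both cases, while the distance-bounding car unlocks for the owner and rejects the relayed exchange.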
Vehicle locks can be easily picked and decoded
HUF is one of the largest car lock manufacturers in the world. The company supplies many of the major car companies, including VW and Mercedes-Benz, yet very clever decoders and pick tools have been developed to open its locks and others in seconds, as was demonstrated to me in Poland last week at MB Engineering. Watch how one of their technicians opened a Skoda in seconds with a tool produced for the company in Bulgaria.
What makes car locks so vulnerable is that so many vehicles have the same key blanks (such as HU64) and design of internal locking components, so all can be quickly compromised with just a few tools. Lots of vendors, including Zieh-Fix and Lockmasters, sell easy-to-use and sophisticated tools to get into most cars. Once the lock is picked, a key can be easily generated with a key cutting code machine.
Why you don’t need to pay $350 for a replacement key fob: Make your own!
When considering how their security layers are bypassed, cars can be thought of as multiple interconnected computer systems. There are many microprocessors within a vehicle, controlling everything from ignition timing, door locks and starting systems to windshield wipers. All of these computers have to talk to each other.
The Controller Area Network (CAN Bus) was introduced to the automotive industry by Bosch in 1983 and is standard throughout the world. The security problem is that data on the CAN Bus can be decoded and used to generate keys by cloning the transponder codes that are the basis of key fobs and their authentication scheme. Data on the CAN Bus runs through virtually every cable in the car, so tapping into a cable at almost any point will yield the same result. This means, for example, that drilling a small hole in a side-view mirror from outside the car to reach the wires can provide valuable information.
MBE is a small software and hardware division of Lockmasters located in Pruszkow, near Warsaw, Poland. I met with their marketing manager, Przemyslaw Chec, last week at their development center and was shown the tools they developed to rapidly decode the information from Mercedes cars and then produce keys that will start the cars. The company has specialized in hardware for this specific car manufacturer because of its global popularity. They developed hardware and software to plug into the ignition port of the car, extract the key profiles pre-stored at the time of vehicle manufacture, and then process the raw data through a highly protected underground computer site in Lithuania that, within ten minutes or less, will return the required codes to produce keys.
Car manufacturers often snow customers into believing this is impossible so that they can charge up to $350-$400 to replace the keyless entry fob. Chec produces the almost identical electronics for about five dollars. They put their circuit board in a Mercedes shell and sell it, programmed, for about $100. Here’s my interview with Przemyslaw Chec about the security of vehicles and how they compromise them.
Koert Groeneveld, the director of R&D with Mercedes in Stuttgart, indicated that they were studying the issues raised in the video, that the company takes indications of security breaches very seriously, and that it had no further comment at the present time.
Anti-theft systems for vehicles need to improve in order to protect consumers and insurance companies from losses. Unfortunately, the more technology that is incorporated into new cars, the easier, it appears, it becomes for thieves and others to compromise them. So, if you are concerned about your expensive car being stolen, you might consider not ordering keyless entry for your next car purchase, and ordering door locks that cannot be opened in less than a minute. Oh yes, and be sure that all of the internal CAN Bus cables are shielded, because they can be tapped as well to derive critical information. Welcome to the new world!
This article originally appeared on Forbes.