How thieves steal RFID-enabled cars
Brad Stone's feature on RFID-enabled car-keys for Wired is astounding. In the article, entitled "Pinch My Ride," Stone documents the many ways in which these security systems fail. Most profound among the failures is that insurance companies believe RFID-keys to be infallible and refuse to pay out when your car gets stolen. How do RFID cars get stolen? Well, thieves can disable the RFID reader by removing a fuse, find the spare RFID key in the manual in the glove-box, steal RFID-enabled blanks from a dealer, or, most astoundingly, use a semi-secret sequence of pulls on the emergency brake. This is a textbook example of how security systems can fail: if you strengthen only the door of your safe, thieves will go in through the sides. Like the biometric fingerprint-reading car locks in Malaysia that [a href="vny!://www.boingboing.net/2005/03/31/biometric_car_lock_d.html"]thieves defeat by amputating your fingers[/a], an RFID car lock merely pushes the security problem to a different place:

[blockquote]
[h1 class="lg"]Pinch My Ride[/h1]

Ignition keys equipped with signal-emitting chips were supposed to put car thieves out of business. No such luck – but try telling that to your insurance company.

By Brad Stone

Last summer Emad Wassef walked out of a Target store in Orange County, California, to find a big space where his 2003 Lincoln Navigator had been. The 38-year-old truck driver and former reserve Los Angeles police officer did what anyone would do: He reported the theft to the cops and called his insurance company.

Two weeks later, the black SUV turned up near the Mexico border, minus its stereo, airbags, DVD player, and door panels.
Wassef assumed he had a straightforward claim for around $25,000. His insurer, Chicago-based Unitrin Direct, disagreed.

Wassef's Navigator, like half of all late-model domestic cars on the road today, is equipped with a transponder antitheft system: The ignition key is embedded with a tiny computer chip that sends a unique radio signal to the vehicle's onboard computer. Without the signal, the car won't start. And Wassef still had both of his keys.

The insurance company sent a forensic examiner to check out the disemboweled SUV in an impound lot. The ignition lock, mounted on the steering column, had been forcibly rotated, probably with a screwdriver. The locking lug on the steering wheel, which keeps it from being turned when the truck is not in gear, had also been damaged. But the transponder system was intact. The car could have been shifted and steered, the investigator concluded, but the engine couldn't have been turned on. "Since you reportedly can account for all the vehicle keys, the forensic information suggests that the loss did not occur as reported," the company wrote to Wassef, denying his claim. The barely hidden subtext: Wassef was lying.

"I got shafted, basically," Wassef says. He's not the only one. US carmakers and automobile insurers are unshakably certain that vehicles protected by "transponder immobilizers" can't be driven without the proper keys – or, at least, that circumventing those transponder systems takes more sweat and money than most auto thieves are willing to expend. So car companies advertise their security systems as unbreakable, insurers and consumers believe these assertions, and then folks like Wassef find themselves engaged in all-out war when their cars vanish.

The insurance companies have good reason to be suspicious. They lose $14 billion to auto fraud every year in the US; by some measures, 20 percent of all stolen-car reports are trumped up. But when it comes to transponders, their faith is misplaced.
Auto antitheft systems are usually secure for only a few years, until thieves crack the system. "The carmakers are calling these passive antitheft systems, but they're not," says Rob Painter, a Milwaukee-based forensic locksmith who has testified in dozens of auto insurance court cases, for both sides. "They are just theft deterrents. Tell me a car can't be stolen and I'll show you how to do it."

Two years ago, my white 2003 Honda Civic – which my wife and I had affectionately named Honky – disappeared from the street in front of our San Francisco home. It has a transponder, and all three of our keys were accounted for (including the spare valet key). Police were polite but not much help; they speculated that thieves had towed the car away or hoisted it onto a flatbed truck and broken it down for parts.

But Honky materialized two weeks later on a side street near the ocean. It was out of gas and littered with cigarette butts and pirated Pantera CDs, but otherwise undamaged. The ignition cylinder was intact, and our keys still worked. The car was a living, gas-sipping rebuke of modern antitheft technology.

Mystified, I wrote up my experience for [cite]Newsweek[/cite]'s Web site in early 2004. I figured that would be the end of the story, but I got hundreds of emails from people with similar tales. I'm still getting them – type "stolen car" into Google and my article is in the top 20.

The most stirring notes were from those who got spurned by their insurance companies. John Hutton, an architect from Fairfax, Virginia, lost his Acura RSX last fall and was reimbursed only after six months of aggressive wrangling with Geico. "The inspector treated me like I was a liar and a criminal," Hutton says. "It all kept going back to the transponder system and their belief that 'You can't steal it! You can't steal it!'" Sally Nguyen's Acura TL went AWOL last New Year's Eve and was later found gutted and submerged in the Sacramento River.
When an investigator from her insurance company, Esurance, dropped by her house, he left a business card on which he'd scrawled, "Regarding your 'stolen' Acura." Six months later, Esurance denied the claim, citing her car's security system. Esurance wouldn't talk to me about her case. Mohammad Awan lost his 2002 Ford Explorer last year; his son wrote to tell me that his insurer, Progressive, felt the existence of a transponder system – plus other "red flags," like Awan's outstanding debt – amounted to enough evidence to deny the claim. "Your vehicle is equipped with an immobilizing transponder system which will not allow it to start without the use of a proper transponder key," read the denial-of-claim letter.

Perhaps no story was worse than Wassef's as he tried to deal with his stripped Navigator. Unitrin subjected him to a day-long deposition process called an "examination under oath." Investigators asked about his collapsing marriage and demanded financial documents and telephone records. Wassef complied, believing he had nothing to hide. By June, with no reimbursement in sight, he filed a breach of contract suit. Meanwhile, he's still paying $825.39 a month for an undrivable car. Unitrin did not return multiple calls regarding Wassef's case.

Compared to Wassef, I got off easy – a couple hundred dollars for a detail job to eliminate the cigarette smell. But I found myself wrestling with a high tech quandary: What really happened to Honky? In other words, how do you steal the unstealable car?

The 1986 Corvette had the first electronic antitheft system, the Pass Key I. General Motors embedded a small pellet in the base of each key blade; when the key was inserted in the ignition slot, the car's computer detected the electrical resistance of the pellet. There were just 15 assigned values, but Pass Key still revolutionized automobile security.
For the first time, a crucial piece of a vehicle's antitheft system existed outside the car.

The high lasted only a few years. People started complaining about not being able to replace lost keys easily, so GM opened a back door. Dealers and locksmiths got permission to stock key blanks, and by the early '90s police were arresting car thieves who had rings of all 15 GM keys.

Of course, no security system is impregnable. Even the toughest wall safe is rated in terms of how long it would take a sufficiently motivated crook to bust it open with tools or a torch. As thieves gain experience, they can crack the safe faster and faster. Every security system goes through the same natural history. When new, it's nearly unbeatable. But then users ask for more convenience and the keepers of the system relax the rules, or smart attackers study the system long enough to breach it. The system begins to fail, creating an evolutionary pressure that ultimately results in the development of a new model – and the cycle starts all over again.

That's what happened a decade ago, when the rise of eastern European black markets sent auto theft rates skyrocketing in Europe. German insurance companies asked for new security precautions, and in 1995 BMW debuted a sophisticated antitheft system based on radio frequency identification chips. US and Japanese manufacturers quickly embraced the technology in their high-end models. Most of these new transponder-immobilizing systems – including the one in my Civic – use a "fixed" code. Insert the key into the ignition and a transceiver in the steering column pings a microchip in the key's thick black plastic handle. The chip radios back an alphanumeric identifier of up to 32 characters, one of billions of possible combinations. The signal is only strong enough to travel about 7 inches, but when the car's computer gets the right code, it activates the other onboard electronics.
More expensive cars, like some Mercedes and Lexus models, use sophisticated "rolling" codes, generated anew after each start, passed to the key, and fed back for authorization during the next ignition cycle.

Like the Pass Key, the new RFID technology was extremely effective for a few years. Thefts of the 1997 Ford Mustang, one of the first US cars with a transponder, dropped 70 percent from 1995 levels. (The rest were attributed to tow-aways and stolen keys.) Insurance firms were elated. "There was pretty much a God-given belief that if a car with a transponder was stolen, the owner was sunk," says Larry Burzynski, a senior special agent with the National Insurance Crime Bureau. "The perception was that the theft had to be owner involvement." Insurers pressed automakers to deploy the technology, and even now the most frequently stolen cars in the US were built before the transponder era – like the '95 Civic and the '89 Camry. Newer models make the list only when manufacturers forgo transponders.

To car thieves, smart keys became little more than the latest challenge. By 2000, forensic locksmiths like Painter were demonstrating for juries how crooks were getting past the transponders in Fords: Pop the hood and pull a certain fuse from the power relay center in the upper left corner. Zap, you're in.

Meanwhile, transponder-equipped cars were being resold to new owners, and keys were disappearing behind couch cushions. Auto-repair supply and locksmithing companies started selling devices like the Code-Seeker and the T-Code, which allow anyone to create a new set of keys for a fixed-code transponder-equipped car. The Jet Smart Clone (catchphrase: "Clone the uncloneable!") duplicates any fixed-code RFID chip by reading its code and imprinting it onto the blank chip of a new key with the same mechanical cut.

In the fall of 2005, Bay Area Mercedes dealerships were targeted by a regional theft ring with a clever, seemingly primitive tactic.
A thief posing as a customer would express interest in a top-of-the-line model and go for a test-drive. Afterward, when the salesperson went for the paperwork, the thief would replace the car's keyless starter transponder with an identical-looking mock-up from his own pocket. Then he'd leave and return later to nick the car.

That's what happened in mid-November at a Bay Area Mercedes lot in Pleasanton. A $78,000 black S430 disappeared overnight; police traced the car's GPS unit to the parking lot of a Fry's Electronics, but when they arrived at the store, they found not the missing Pleasanton car but another S430 stolen from a Monterey car lot earlier that year. They also found its driver, a 25-year-old San Jose man named Naheed Hamed. He took off in the car, leading a freeway chase that reached 100 miles per hour and ended when he took an off-ramp too fast and rammed into a tree.

A few days later, police found the Pleasanton S430 near Hamed's home and towed it back to the dealership. Inside the car, mechanics discovered a technological treasure trove: an original Mercedes electronic ignition system and custom Mercedes fuses, all wired with alligator clips to the dashboard and to the fuse box underneath the driver's seat. The car also held a Pelican PDA carrying case and a wireless RFID-signal-sniffing antenna. Investigators suspect that Hamed spliced in his own ignition system and power source, then used the PDA to upload pirated software to the car's computer to disable the transponder and swap the two cars' GPS tracking numbers. Of course, he also believed he could beat the cops in a car chase. "Yeah, the guy's an idiot," says auto security expert Mike Bender, a consultant on the case. "But you have to be a brainiac to understand the stuff that this guy had."

That kind of technology is too expensive and too complicated for your basic chop-shop crew, but they usually don't need it anyway.
For the past few years, Bay Area cops have pursued a ring of thieves that break into Hondas and Acuras with "jiggle" keys – keys with the teeth shaved down so they can turn the tumblers inside any car's door lock. After the thieves gain access, they shuffle through the glove compartment and snatch the manual, where dealers – unbeknownst to many car owners – often leave an extra valet key.

Ivan Blackman, the manager of the Vehicle Information and Identification Program for the NICB, says that insiders are gradually getting over their dogmatic belief in the invincibility of transponder systems. "Companies are slowly realizing that the cars can be stolen," Blackman says. Maybe he's right – though things aren't changing fast enough for Emad Wassef and Sally Nguyen.

I still didn't know what happened to Honky. Maybe someone at the dealership or a valet had cloned my key with a device like a Jet Smart Clone, then showed up later to take the car. It was also conceivable that someone grabbed the vehicle identification number off the dash, went to the dealership, pretended to be me, and had an extra key produced. Still, either scenario seemed like it would require an awful lot of footwork for a Pantera- and nicotine-fueled joyride.

Then I heard about another possibility. Earl Hyser, the superintendent of State Farm Insurance's Vehicle Research Facility, told me that some transponder-equipped cars came with a secret "cheat" code designed to allow people who lose their keys to drive back to the shop. I asked the SFPD about it and was referred to Ken Montes, famous in Bay Area street racing circles for a souped-up 1992 Honda Civic he built as part of a tuner team called the Benen Brothers. The SFPD told me the team called the car Spanky, which instantly made me feel a certain kinship.

I went to see Montes at his custom motorcycle shop about a half hour south of San Francisco and asked him how someone could have stolen my car. He just laughed.
"If I want to take your Civic, I'll do it in 10 seconds," he said. Then he confirmed Hyser's story. The mythical Honda override exists: It's a series of presses and pulls of the emergency brake. Each car, it seems, has a unique override code, which correlates to the VIN.[/p] "You want to get yours?" Montes asked.[/p] Sure, I said.[/p] He called an acquaintance who worked at a Honda dealership. I listened, awestruck, as Montes fed the guy a barely credible story about a cousin who had dropped his keys down a sewer. The dealership employee was at home but evidently could access the Honda database online. I gave Honky's VIN to Montes, who passed it along to his friend. We soon had the prescribed sequence of pulls, which I scribbled down in my notebook.[/p] I walked outside and approached Honky. The door lock would have been easy – a thief would have used a jiggle key, and a stranded motorist would have had a locksmith cut a fresh one. I just wrapped the grip of my key in tinfoil to jam the transponder. The key still fit, but it no longer started the car.[/p] Then I grabbed the emergency brake handle between the front seats and performed the specific series of pumps, interspersed with rotations of the ignition between the On and Start positions. After my second attempt, Honky's hybrid engine awoke with its customary whisper.[/p] I had just jacked my own car.[/p] [div class="bio"]Brad Stone (www.brad-stone.com), who wrote about [a href="vny!://www.wired.com/wired/archive/13.01/ironmen.html"]weight-lifting robots[/a] in issue 13.01, covers Silicon Valley for Newsweek.[/div][/blockquote] [a href="vny!://www.wired.com/wired/archive/14.08/carkey_pr.html"]Link[/a]