Hardly 'hackproof': Vehicles' remote keyless entry systems vulnerable

Grits earlier mentioned that I've been spending some time post-session, as a diversion from political topics, immersing myself in the history and functioning mechanical locks and keys. But of course, these days electronically controlled locks are replacing mechanical ones in many settings, perhaps most commonly with the advent of "remote keyless entry" (RKE) for automobiles. As it turns out, the keyless locks used in many modern vehicles are just as vulnerable as the pin-tumbler lock on your front door to somebody who understands how they work.

The auto industry has relied on "security through obscurity" in this arena, hoping ignorance and a lack of technical expertise among car thieves would prevent them from bypassing RKE locks. That worked for a while, but now auto thieves have discovered how to bypass many of those systems, often more quickly than they could have 30 years ago with a "slim jim" or a pick gun. NBC's Today Show reported on June 5:

You think when you lock your car and set the alarm, your car is pretty safe. But criminals have designed a new high-tech gadget giving them full access to your car. It's so easy, it's like the criminals have your actual door remote. Police are so baffled they want to see if you can help crack the case.

A Long Beach, Calif., surveillance video shows a thief approaching a locked SUV in a driveway. Police say he's carrying a small device in the palm of his hand. You can barely see it, but he aims it at the car and pops the locks electronically. He's in, with access to everything. No commotion at all.

Then his accomplice shows up and hits another car, using that same handheld device.

Long Beach Deputy Police Chief David Hendricks is mystified. "This is bad in the sense we're stumped," he told us. "We are stumped and we don't know what this technology is."

He said it's almost like the thieves are cloning your car remote, which is virtually impossible to do. Here's why: On most cars, when you hit the unlock button, it sends a code to the car. That code is encrypted and constantly changing — and should be hackproof.

Except RKE devices are decidedly NOT "hackproof," clearly.  See more background on how thieves may be spoofing them. These vulnerabilities were known long before this recent episode in California. For example, in 2011 USA Today reported that, "Those remote key fobs nearly all automakers offer -- turns out they're fairly easy to hack so the bad guys can unlock your car and high-tail it before you even finish your shopping, Swiss researchers discovered." For that matter, here's an informative item from 2008 titled, "Hacking car security system and remote keyless entry." So at least five years ago these vulnerabilities were well known. In 2009, a commenter at Car and Driver offered up this detailed explanation of one method to bypass such systems:

it's been already over 15 years since car thieves began to use not single but double code-grabbing. with keyless entry systems it works a little more complicated, but the general principle is like this:

1) a driver comes to his car. The key in his pocket sends a code to the car to open

2) while this is performed, car thieves wirelessly capture the sent code, and instead send a wrong one to the car, which the car rejects

3) in a few seconds, the key again sends a code to the car (the "next" floating code, generated by both key and the cars safety system)

4) which thieves again capture, but then immediately send to the car the FIRST code which was captured.

5) the car unlocks (by the first code), the owner drives in a car somewhere, being followed by car thieves who have the next correct code which the car's safety system will be awaiting next

6) when driver leaves the car, thieves simple come and open the car with this "2nd" code.

Clever. Apparently, the Long Beach police and Today Show reporters don't use Google or they'd have figured this out.

This method allows thieves to open doors and trunks but not necessarily start the car. However, last year it was widely reported in Europe that BMW key fobs could be easily reprogrammed using the vehicle's onboard diagnostic port and actually start the vehicle. See here for a video explaining the details of keyfob programming and footage of BMW thieves making use of the tactic.

These vulnerabilities will apply to a huge number of cars on the road for the foreseeable future. It's easy to purchase key fob blanks and clearly knowledge of their detailed functioning is filtering down to the criminal class.

While locking technology will improve over time, historically secrecy surrounding the locksmith's trade has caused technology in that field to innovate at a snail's pace. Whereas most other technological fields operate within a relative culture of openness - e.g., the tradition of scientific publication and the filing of patents - locksmithing is a rather insular profession where detailed technical knowledge is rarely shared outside a relative handful of licensed commercial vendors. Even their trade journal restricts who can subscribe. That makes it less likely that vulnerabilities will be identified by the industry or that security upgrades will be promptly created to patch them when they're exploited by others. The development of encoded keys was one of the most significant improvements in lock technology in the 20th century. But unfortunately, we're now in the second decade of the 21st century and technology that was cutting edge two decades ago is already becoming outdated.

Bottom line: There's no such thing as a "hackproof" lock, there are only locks that no one has hacked yet. And increasingly, there aren't that many of those.

Dallas to use DNA in auto theft cases

The Dallas PD will begin using DNA in auto theft cases, reports the Dallas News. This will make them, to my knowledge, the first Texas police department to routinely use DNA evidence in property crimes. Jurisdictions in other states have had success using DNA for home burglaries, but the Dallas pilot will focus on auto theft.

In particular, it's worth closely watching whether expanded use of so-called touch DNA in property crime investigations will overwhelm state crime labs. DNA labs have big backlogs, and if it begins to be used widely in property crime cases, the system could bog down pretty quickly.

RELATED:

• DNA could solve burlgaries if crime labs were bigger, better, more trustworthy
• Large backlogs for DPS forensics testing
• Unanalyzed evidence held by law enforcement agencies
• Test possible innocence cases among Bexar DNA cache
• Backlog of DNA cases complicates Houston crime lab's bias problems

Creating 'task force' won't automatically solve communications issues on big-rig theft

The Texas Tribune's Reeve Hamilton recently published a feature reporting that:

Texas has the worst rates of cargo and heavy equipment theft — thieves rolling away with anything from semi-trailer trucks full of electronics to a backhoe on a flatbed — in the country. It also has the worst track record of recovering stolen heavy equipment. At 16 percent, its rate of recovery falls five percentage points below the national average.

Despite this, it is the only state reporting significant cargo thefts without an organized law enforcement task force addressing the issue.

With Texas' central location as a North American transportation hub, the state faces unique challenges regarding commercial vehicle theft and there's no doubt the problem deserves concerted focus. (For that reason, it may not be fair or useful to compare Texas' data to, say, New Hampshire's or Ohio's.) But it overstates the case to say there's no "organized law enforcement task force addressing the issue," it's just being addressed locally and regionally instead of statewide. A bigger issue has been that officers staffing such investigations don't always use good strategies, sound approaches, or competent officers capable of working openly and honestly across agencies.

In 2008, Dallas Sheriff's deputies with the North Texas Auto Theft Task Fore were investigating big-rig thefts and actually, knowingly allowed one of their informants to participate in an armed robbery in the next county which they chose not to monitor or prevent. Then the deputies failed to cooperate with Dallas PD's commercial auto theft unit or the Ellis County DA when they investigated the crime.

That episode makes me think the problem isn't that nobody is focused on commercial vehicle theft, particularly in North Texas where Hamilton said the problem is greatest, but that detectives are more focused on turf and protecting their informants than solving the problem. If Dallas deputies wouldn't share information through their regional task force, I don't know what would make them do so with a statewide entity.

Perhaps a new statewide task force would assist in breaking down these kinds of turf-driven communication barriers, which would be a plus. OTOH, a new entity fighting over turf could exacerbate the problem. Quien sabe? Better strategies may be just as or more necessary, even, than more manpower. Either way, it's not the case that without a new, million-dollar task force nobody's focused on these crimes.

Did Austin police commit crime in 'bait car' episode?

I wrote the other day about the Austin PD's "bait car" program in which they left a vehicle with the windows down and the keys in the ignition for several days in a residential neighborhood to entice thieves. In the comments to that post, an alert reader pointed to this page on the Austin Police Department website that claims, "Leaving your key in an unattended motor vehicle is a crime in Texas" (#7). I find that statement especially fascinating considering Austin PD's official reasons for leaving the keys in the ignition of their "bait car," according to the Austin Statesman:

[Sgt. Oliver] Tate said there's good reason to sometimes leave the keys in the ignition and the windows rolled down, even if it raises suspicions. "It's about factors that we are seeing in that area," Tate said. "If cars are being stolen with the keys left in the car, left running, what have you, then we try to stay as close to those factors as possible."

That's a weird twist on the issue, isn't it? I'd never heard before that there's a state law against leaving the keys in the ignition of an unattended vehicle, and in fact somehow I doubt it, though I don't know why they'd make it up. But even if it's false, that doesn't mitigate the irony of police telling the public something is illegal then going out and doing it themselves.

UPDATE - It's definitely illegal to leave the key in the ignition of an unattended car - see the comments for details.

Are 'bait cars' manufacturing crime?

I realize crime is declining, but is it really so rare that police have to manufacture crimes instead of investigating those that are reported? I missed this story when it came out a couple of weeks ago, but the Austin Statesman had an interesting piece about Austin PD's "bait car" program, where the agency leaves a vehicle filled with surveillance equipment parked out in the open with the windows down and the keys in it. According to reporter Michael May ("Police bait car program lands couple who reported suspicious vehicle in court," July 26):

The undercover program produced 70 warrants or arrests in 2008 and 13 this year, according to Sgt. Oliver Tate with the Police Department's auto theft interdiction unit. In the past, Detective John Spillers has been quoted as saying the program has caught suspects as young as 13.

The police did not specify what the arrests were for, how many resulted in convictions or why the number of arrests has declined in 2009. Nor did they provide figures on how much the program costs. However, in 2007 the City Council received an $85,287 one-year grant from the state for bait car equipment.

This program seems to invite crime instead of prevent it. How many auto thefts occur when somebody leaves their keys in the car with the windows rolled down, particularly for days on end? I don't think I've seen anybody intentionally leave their keys in a parked car since the 1970s.

In fact, it's damn impressive that the car could sit with the keys in it for days without being bothered. In that environment, is the program really necessary?

An attorney for a couple accused of breaking into a bait car after calling the police about it suggested the tactic could create liability for police: "'It's a completely functional car,' he said. 'They have no idea who could get behind the wheel. This was near a high school, so it could have been a kid. Or a drunk.' (McCallum High School is in the neighborhood.)"

Said the fellow who first reported the car to police then was prosecuted for searching it: "To hell with being a concerned citizen ... You hear stories of someone getting mugged and no one gets involved. Now I see why."

What do you think? Is the program worth the effort or does it border too closely on entrapment? From the examples in this article it doesn't sound like the program is geared toward targeting hardened auto thieves.

RELATED: From the LRC Blog, "Tax-Feeders and Manufactured Crime."