Pinch My Ride Ignition keys equipped with signal-emitting chips were supposed to put car thieves out of business. No such luck but try telling that to your insurance company.
By Brad Stone Wired Magazine Issue 14.08 - August 2006 http://www.wired.com/wired/archive/14.08/carkey.html Last summer Emad Wassef walked out of a Target store in Orange County, California, to find a big space where his 2003 Lincoln Navigator had been. The 38-year-old truck driver and former reserve Los Angeles police officer did what anyone would do: He reported the theft to the cops and called his insurance company. Two weeks later, the black SUV turned up near the Mexico border, minus its stereo, airbags, DVD player, and door panels. Wassef assumed he had a straightforward claim for around $25,000. His insurer, Chicago-based Unitrin Direct, disagreed. Wassefs Navigator, like half of all late-model domestic cars on the road today, is equipped with a transponder antitheft system: The ignition key is embedded with a tiny computer chip that sends a unique radio signal to the vehicles onboard computer. Without the signal, the car wont start. And Wassef still had both of his keys. The insurance company sent a forensic examiner to check out the disemboweled SUV in an impound lot. The ignition lock, mounted on the steering column, had been forcibly rotated, probably with a screwdriver. The locking lug on the steering wheel, which keeps it from being turned when the truck is not in gear, had also been damaged. But the transponder system was intact. The car could have been shifted and steered, the investigator concluded, but the engine couldnt have been turned on. Since you reportedly can account for all the vehicle keys, the forensic information suggests that the loss did not occur as reported, the company wrote to Wassef, denying his claim. The barely hidden subtext: Wassef was lying. I got shafted, basically, Wassef says. Hes not the only one. US carmakers and auto-mobile insurers are unshakably certain that vehicles protected by transponder immobil-izers cant be driven without the proper keys or, at least, that circumventing those transponder systems takes more sweat and money than most auto thieves are willing to expend. So car companies advertise their security systems as unbreakable, insurers and consumers believe these assertions, and then folks like Wassef find themselves engaged in all-out war when their cars vanish. The insurance companies have good reason to be suspicious. They lose $14 billion to auto fraud every year in the US; by some measures, 20 percent of all stolen-car reports are trumped up. But when it comes to transponders, their faith is misplaced. Auto antitheft systems are usually secure for only a few years, until thieves crack the system. The carmakers are calling these passive antitheft systems, but theyre not, says Rob Painter, a Milwaukee-based forensic locksmith who has testified in dozens of auto insurance court cases, for both sides. They are just theft deterrents. Tell me a car cant be stolen and Ill show you how to do it. Two years ago, my white 2003 Honda Civic which my wife and I had affectionately named Honky disappeared from the street in front of our San Francisco home. It has a transponder, and all three of our keys were accounted for (including the spare valet key). Police were polite but not much help; they speculated that thieves had towed the car away or hoisted it onto a flatbed truck and broken it down for parts. But Honky materialized two weeks later on a side street near the ocean. It was out of gas and littered with cigarette butts and pirated Pantera CDs, but otherwise undamaged. The ignition cylinder was intact, and our keys still worked. The car was a living, gas-sipping rebuke of modern antitheft technology. Mystified, I wrote up my experience for Newsweeks Web site in early 2004. I figured that would be the end of the story, but I got hundreds of emails from people with similar tales. Im still getting them type stolen car into Google and my article is in the top 20. The most stirring notes were from those who got spurned by their insurance companies. John Hutton, an architect from Fairfax, Virginia, lost his Acura RSX last fall and was reimbursed only after six months of aggressive wrangling with Geico. The inspector treated me like I was a liar and a criminal, Hutton says. It all kept going back to the transponder system and their belief that You cant steal it! You cant steal it! Sally Nguyens Acura TL went AWOL last New Years Eve and was later found gutted and submerged in the Sacramento River. When an investigator from her insurance company, Esurance, dropped by her house, he left a business card on which hed scrawled, Regarding your stolen Acura. Six months later, Esurance denied the claim, citing her cars security system. Esurance wouldnt talk to me about her case. Mohammad Awan lost his 2002 Ford Explorer last year; his son wrote to tell me that his insurer, Progressive, felt the existence of a transponder system plus other red flags, like Awans outstanding debt amounted to enough evidence to deny the claim. Your vehicle is equipped with an immobilizing trans-ponder system which will not allow it to start without the use of a proper transponder key, read the denial-of-claim letter. Perhaps no story was worse than Wassefs as he tried to deal with his stripped Navigator. Unitrin subjected him to a day-long deposition process called an examination under oath. Investigators asked about his collapsing marriage and demanded financial documents and telephone records. Wassef complied, believing he had nothing to hide. By June, with no reimbursement in sight, he filed a breach of contract suit. Meanwhile, hes still paying $825.39 a month for an undrivable car. Unitrin did not return multiple calls regarding Wassefs case. Compared to Wassef, I got off easy a couple hundred dollars for a detail job to eliminate the cigarette smell. But I found myself wrestling with a high tech quandary: What really happened to Honky? In other words, how do you steal the unstealable car? The 1986 Corvette had the first electronic antitheft system, the Pass Key I. General Motors embedded a small pellet in the base of each key blade; when the key was inserted in the ignition slot, the cars computer detected the electrical resistance of the pellet. There were just 15 assigned values, but Pass Key still revolutionized automobile security. For the first time, a crucial piece of a vehicles antitheft system existed outside the car. The high lasted only a few years. People started complaining about not being able to replace lost keys easily, so GM opened a back door. Dealers and locksmiths got permission to stock key blanks, and by the early 90s police were arresting car thieves who had rings of all 15 GM keys. Of course, no security system is impregnable. Even the toughest wall safe is rated in terms of how long it would take a sufficiently motivated crook to bust it open with tools or a torch. As thieves gain experience, they can crack the safe faster and faster. Every security system goes through the same natural history. When new, its nearly unbeatable. But then users ask for more convenience and the keepers of the system relax the rules, or smart attackers study the system long enough to breach it. The system begins to fail, creating an evolutionary pressure that ultimately results in the development of a new model and the cycle starts all over again. Thats what happened a decade ago, when the rise of eastern European black markets sent auto theft rates skyrocketing in Europe. German insurance companies asked for new security precautions, and in 1995 BMW debuted a sophisticated antitheft system based on radio frequency identification chips. US and Japanese manufacturers quickly embraced the technology in their high-end models. Most of these new transponder-immobilizing systems including the one in my Civic use a fixed code. Insert the key into the ignition and a transceiver in the steering column pings a microchip in the keys thick black plastic handle. The chip radios back an alphanumeric identifier of up to 32 characters, one of billions of possible combinations. The signal is only strong enough to travel about 7 inches, but when the cars computer gets the right code, it activates the other onboard electronics. More expensive cars, like some Mercedes and Lexus models, use sophisticated rolling codes, generated anew after each start, passed to the key, and fed back for authorization during the next ignition cycle. Like the Pass Key, the new RFID technology was extremely effective for a few years. Thefts of the 1997 Ford Mustang, one of the first US cars with a transponder, dropped 70 percent from 1995 levels. (The rest were attributed to tow-aways and stolen keys.) Insurance firms were elated. There was -pretty much a God-given belief that if a car with a transponder was stolen, the owner was sunk, says Larry Burzynski, a senior special agent with the National Insurance Crime Bureau. The perception was that the theft had to be owner involvement. Insurers pressed auto-makers to deploy the technology, and even now the most frequently stolen cars in the US were built before the transponder era like the 95 Civic and the 89 Camry. Newer models make the list only when manufacturers forgo transponders. TO car thieves, smart keys became little more than the latest challenge. By 2000, forensic locksmiths like Painter were demonstrating for juries how crooks were getting past the transponders in Fords: Pop the hood and pull a certain fuse from the power relay center in the upper left corner. Zap, youre in. Meanwhile, transponder-equipped cars were being resold to new owners, and keys were disappearing behind couch cushions. Auto-repair supply and locksmithing companies started selling devices like the Code-Seeker and the T-Code, which allow anyone to create a new set of keys for a fixed-code transponder-equipped car. The Jet Smart Clone (catchphrase: Clone the uncloneable!) duplicates any fixed-code RFID chip by reading its code and imprinting it onto the blank chip of a new key with the same mechanical cut. In the fall of 2005, Bay Area Mercedes dealerships were targeted by a regional theft ring with a clever, seemingly primitive tactic. A thief posing as a customer would express interest in a top-of-the line model and go for a test-drive. Afterward, when the salesperson went for the paperwork, the thief would replace the cars keyless starter transponder with an identical-looking mock-up from his own pocket. Then hed leave and return later to nick the car. Thats what happened in mid-November at a Bay Area Mercedes lot in Pleasanton. A $78,000 black S430 disappeared overnight; police traced the cars GPS unit to the parking lot of a Frys Electronics, but when they arrived at the store, they found not the missing Pleasanton car but another S430 stolen from a Monterey car lot earlier that year. They also found its driver, a 25-year-old San Jose man named Naheed Hamed. He took off in the car, leading a freeway chase that reached 100 miles per hour and ended when he took an off-ramp too fast and rammed into a tree. A few days later, police found the Pleasanton S430 near Hameds home and towed it back to the dealership. Inside the car, mechanics discovered a technological treasure trove: an original Mercedes electronic ignition system and custom Mercedes fuses, all wired with alligator clips to the dashboard and to the fuse box underneath the drivers seat. The car also held a Pelican PDA carrying case and a wireless RFID-signal-sniffing antenna. Investigators suspect that Hamed spliced in his own ignition system and power source, then used the PDA to upload pirated software to the cars computer to disable the transponder and swap the two cars GPS tracking numbers. Of course, he also believed he could beat the cops in a car chase. Yeah, the guys an idiot, says auto security expert Mike Bender, a consultant on the case. But you have to be a brainiac to understand the stuff that this guy had. That kind of technology is too expensive and too complicated for your basic chop-shop crew, but they usually dont need it anyway. For the past few years, Bay Area cops have pursued a ring of thieves that break into Hondas and Acuras with jiggle keys keys with the teeth shaved down so they can turn the tumblers inside any cars door lock. After the thieves gain access, they shuffle through the glove compartment and snatch the manual, where dealers unbeknownst to many car owners often leave an extra valet key. Ivan Blackman, the manager of the Vehicle Information and Identification Program for the NICB, says that insiders are gradually getting over their dogmatic belief in the invincibility of transponder systems. Companies are slowly realizing that the cars can be stolen, Blackman says. Maybe hes right though things arent changing fast enough for Emad Wassef and Sally Nguyen. I still didnt know what happened to Honky. Maybe someone at the dealership or a valet had cloned my key with a device like a Jet Smart Clone, then showed up later to take the car. It was also conceivable that someone grabbed the vehicle identification number off the dash, went to the dealership, pretended to be me, and had an extra key produced. Still, either scenario seemed like it would require an awful lot of footwork for a Pantera- and nicotine-fueled joyride. Then I heard about another possibility. Earl Hyser, the superintendant of State Farm Insurances Vehicle Research Facility, told me that some transponder-equipped cars came with a secret cheat code designed to allow people who lose their keys to drive back to the shop. I asked the SFPD about it and was referred to Ken Montes, famous in Bay Area street racing circles for a souped-up 1992 Honda Civic he built as part of a tuner team called the Benen Brothers. The SFPD told me the team called the car Spanky, which instantly made me feel a certain kinship. I went to see Montes at his custom motor-cycle shop about a half hour south of San Francisco and asked him how someone could have stolen my car. He just laughed. If I want to take your Civic, Ill do it in 10 seconds, he said. Then he confirmed Hysers story. The mythical Honda override exists: Its a series of presses and pulls of the emergency brake. Each car, it seems, has a unique override code, which correlates to the VIN. You want to get yours? Montes asked. Sure, I said. He called an acquaintance who worked at a Honda dealership. I listened, awestruck, as Montes fed the guy a barely credible story about a cousin who had dropped his keys down a sewer. The dealership employee was at home but evidently could access the Honda database online. I gave Honkys VIN to Montes, who passed it along to his friend. We soon had the prescribed sequence of pulls, which I scribbled down in my notebook. I walked outside and approached Honky. The door lock would have been easy a thief would have used a jiggle key, and a stranded motorist would have had a locksmith cut a fresh one. I just wrapped the grip of my key in tinfoil to jam the transponder. The key still fit, but it no longer started the car. Then I grabbed the emergency brake handle between the front seats and performed the specific series of pumps, interspersed with rotations of the ignition between the On and Start positions. After my second attempt, Honkys hybrid engine awoke with its customary whisper. I had just jacked my own car. ================================ George Antunes, Political Science Dept University of Houston; Houston, TX 77204 Voice: 713-743-3923 Fax: 713-743-3927 antunes at uh dot edu Reply with a "Thank you" if you liked this post. _____________________________ MEDIANEWS mailing list [email protected] To unsubscribe send an email to: [EMAIL PROTECTED]
