how are late-model cars stolen?

Factual Questions
#1

My car cost about $28K when I bought it nine years ago. It has a chip in the key: if the ECU does not detect that chip, it simply won’t run the engine.

I assume that by now this anti-theft technology is pretty much standard on current model cars. How are such cars being stolen these days? I imagine the honking-horn alarm can be circumvented, but without a flatbed that can winch up the entire vehicle[sup][/sup], is it possible/feasible for a thief to drive away such a car without the key in his possession?
[sup][/sup]this assumes a FWD vehicle: the front axle would be in Park, and the rear axle would have the parking brake on. A thief couldn’t just pick up one end of the car and tow it down the road, at least not without squealing the tires the whole way.

#2

The security system doesn’t prevent the parking brake from being released, so there’s nothing stopping a thief from breaking a window or otherwise opening the car up, releasing the parking brake and then towing the car off on two wheels.

Depending on how savvy the car thieves are, the security systems still aren’t completely undefeatable. For example, supposedly in west coast cities there are gangs that specialize in Hondas and have the requisite tools and knowledge to bypass the security system and hotwire them reasonably quickly. But it is a somewhat disturbing side effect of nearly theft-proof cars that less sophisticated car thieves now have to actually steal the keys, which means committing more potentially violent crimes like mugging the owner or breaking into their house.

#3

:smack: Thanks for not calling me stupid, even though I would have deserved it. :smiley:

#4

yep, some crook with a tow truck can easily get it.

http://articles.philly.com/2011-05-07/news/29520231_1_tow-truck-drivers-tow-truck-operators-scrap-yard

Car and Driver had a story about some new Jerr-Dan towing rig which can actually pull a parallel-parked car out of a spot, even with cars parked in front of and behind it:

#5

My 2000 Pontiac periodically believes that I am stealing it, and turns off the fuel pump for ten minutes. :confused:
It would seem that a piece of wire to run the relay would fix that long enough to swipe it.

#6

The trouble with such locks is that no matter how hard it is to fake such a chip, there’s probably a way to cut the chip-checking circuit out of the loop or cross two wires in such a way that the circuit believes you have the proper key. Such a microchip is like adding a deadbolt to a door-- it’s helpful a thief has a key that fits the door but not the bolt, but not very helpful if a thief is attacking the hinges. I’m not saying that they’re a bad thing, or entirely unhelpful, but they’re not a cure-all.

#7

So its not impossible to bypass the chip in a key feature? That is, for me at least, a little far out there. I gotta wonder – how easy and how common is this. Hard to know how I’m going to find out. If I ask for specifics, it’ll look like I’m trying to learn to do it myself. I wonder if there are statistics, or police reports about car theft rings built around this particular skillset – or is it so common, that one crook in ten has the ability, and its not worth mentioning. Like Machine Elf:, I thought the chip was foolproof.

#8

I would think it would be a relatively simple matter to hook up some kind of diagnostic/testing module to a car’s ECU and do whatever one needed to do via the testing unit.

#9

Someone is going to lose a key sometime.

#10

Some cars have a single control computer which controls both the engine and the rest of the stuff in the car. If everything is in that single computer, then it can simply refuse to operate the engine if it doesn’t sense the correct key transponder. Since it is all in one computer, unhappy computer = no start.

Other cars have multiple computer modules, generally split with one for the engine (and maybe transmission) and the other(s) for the rest of the car. The normal implementation on those is to have the anti-theft handled by the non-engine computer. There’s an interlock where the engine computer won’t operate normally if it can’t talk to the non-engine computer.

I have a race car which is pretty much an engine in a tubular steel frame, and the engine computer needs to be told there’s no second computer, or it will shut off the engine after around 15 seconds. The anti-theft (such as it is) on this race car is completely separate from the engine control computer and simply disables a bunch of stuff by disconnecting power from them.

Of course, a thief could simply tow a car away and then work on it at their leisure, perhaps by replacing the computer with a different one for which they have a known-working transponder. It probably isn’t practical to do that while actually trying to steal the car, since it is often in an very inconvenient place (on most BMWs it is behind the glove box, and you need to remove the glove box, other parts of the dash, and some of the heater ducts. Then you need to disconnect a bazillion wires - like Spock’s Brain).

This all assumes that the goal of the theft is to end up with an operable vehicle. My understanding is that a large portion of “professionally” stolen cars get cut up for parts.

Unfortunately, some vehicle anti-theft implementations suffer from software bugs, or at least “security by obscurity”, and various people have published information on ways to defeat particular systems.

Note - I use the generic term “engine computer” as different manufacturers have different terminology. For example, ECU (engine control unit) or PCM (powertrain control module).

#11

In the UK there has a been a rise in burglaries with the specific intention to break into a house to steal car-keys, as this is the only way to start a modern car. Unfortunately many people just leave their keys on a handy table just inside the front door.

#12

This is what happened to a friend of mine whose Subaru Impreza was taken. They broke into the house while everyone was asleep, stole the keys to both his car and his roomie’s pickup truck, moved it into the street so they could get the Impreza out, then reparked the pickup in the driveway.

#13

The testing unit probably only works if the key is in the ignition and/or doesn’t allow you to do anything to the ECU but only observe. No doubt some systems may permit exploits, but for the most part I don’t think the ECU software would be written by complete idiots.

#14

At least in continental Europe, high-end model cars are stolen by gangs specialized for this. Police claims that in Eastern Europe, where cars are proportionally more expensive (as compared to other living expenses and wages), people can “order” models of cars which are then custom-stolen in Western Europe.

If you have a whole gang operating an industry-type outfit, it’s worth the effort to bribe one guy working in a repair shop or customer service shop in copying the software and hardware specifications of the key, hiring a hacker to copy it a hundred times, and voila, you have a car key that opens the door and starts the car.

Or you break in and steal a hundred genuine car keys that have not been sold yet. Or steal the hundred reserve keys for the sellers to test-drive the customers with.

Alternatively, a big outfit like this actually drives around with a trailer labeled like a repair company, and winches the car up as if for a repair. The whole car is then towed across the border into a specialist shop and taken apart for parts, which are sold as original Mercedes … (which they are after all) to shops in Europe. This is worth as much cash as the car intact, and avoids the problem of the police later identifying this car as stolen based on the Vehicle ID engraved onto the frame. Police and car makers are now thinking about putting ID numbers on the major expensive parts to combat this, but there are many many parts in a car, and to stamp each with a number, entering this number in a database, checking this number against the database, across all Europe, each time a shop buys a part to replace something … lots of work for little payoff.

Or you drag the car away and let your hacker work on it in a quiet spot across the border.

This is also the reason why old junked cars are bought by the dozen by shady outfits: they want the car papers plus number which are legitimate to give to a car same model but stolen to make it legitimate again when re-selling.

#15

I had a similar thing attempted, but fortunately they didn’t get my keys. A few months after I bought a new car someone broke into our house while my wife and I were asleep. Fortunately, they just grabbed a couple of bags (my work bag and her handbag) and jackets that were close to the front door, rather than coming upstairs.

Presumably they were hoping to find the keys to my new car, but they only got those to my wife’s seven-year-old Renault hatchback. They didn’t bother stealing that one. :stuck_out_tongue:

I heard via the owner’s club of another break-in nearby targeting the same model of car, but that owner wasn’t so lucky - they woke up to find a man standing at the end of their bed demanding the keys.

From what I’ve heard, key theft is an increasing problem now that so many cars are more theft-proof.

#16

Note that the new keyless systems are less secure, not more secure, than old fashioned keyed systems. Most if not all of these systems have flaws that are known and exploited by thieves. Slashdot sometimes has articles about this.

Here’s a famous example:

In a perfect world, these would be great. Which is completely irrelevant since we don’t live in anything close to a perfect world. Reality is broken.

Just because something is “new” and “digital” doesn’t make it any more secure. Frequently they aren’t.

#17

Ah yes, the keyless system that works by transmitting (very insecure) order by radio … meaning that every time you accidentally press the key inside the radius, your car unlocks! (They had a nice film illustrating this in the Ratgeber Technik show: a guy comes home, parks his car in the street and locks it, goes to his front door, where his little daughter runs up and hugs him, pressing the key remote in his pants pocket, leaving the car unlocked).

Additionally, the car makers have to account for the case of owners legitimately loosing the keys and needing replacements; car sellers needing multiple keys for their salesmen; car rentals multiple keys for replacement in case of loss; car repair and towing … so the system must allow keys to be duplicated, and duplicate keys lying around in some locations.

Also, every system, whether hardware or software, that has been encrypted by humans can be broken by humans. First rule of cryptography, which leads to the conclusion that there is no 100% safe system, only relatively safe systems compared to others.

#18

IIRC, Audi or BMW cannot create duplicate keys ow - they simply hook the dealer diagnostic computer up with the originals and re-number all the keys and the car with the same code at the same time; so you cannot create one new key for an existing car.

With wireless keys, it used to be easy to steal the code; sort of like the joke about the early days of remote garage door openers, where you hook a 555-timer to a counter and radio - the earliest openers had 3 or 4 digit codes and no lock-out for bad codes so you could cycle through all possibilities in range without even stopping while you drove by…

The thieves who stole Beckham’s X5 with the original wireless key probably just used a computer generating every possible code until it unlocked. My BMW (2008) requires the physical key inserted in the dash, so you need something that is shaped like the key as well as answering with the correct code.

#19

At least on the prior generation of BMWs which had real ignition keys (and RFID interlock) and not just a fob you snapped into a holder, this isn’t the case.

Each BMW shipped with a number of keys (for example, mine came with 2 regular driver keys, a valet key, and a wallet key). The regular keys had the remote lock/unlock/panic buttons, the valet key would only open the driver door and start the car, and the wallet key was an emergency plastic key. All of them have the passive RFID for anti-theft, but only the regular keys could unlock the car remotely.

At the dealer level, the BMW system would only allow a total of 10 keys to exist for any given car. Keys are ordered pre-cut and programmed from BMW corporate. If you somehow got a blank BMW key and cut it, you’d get one that would unlock the cylinder but which wouldn’t start the car. In order to purchase an additional / replacement key, you are supposed to have to provide proof that you have the authority to do so (it is a bit more complicated than just showing the title, since the title may be held by a leasing company, but you get the idea). I have actually done this - I purchased an additional full-function key for my girlfriend some years ago.

Note that there are thus THREE separate mechanisms in place - the traditional cut key part used to rotate the door and ignition cylinders, the RFID used in the anti-theft, and the powered transmitter used for remote locking and unlocking. You CAN “introduce” new radio remote keys to the car (the procedure is in the owner’s manual), since the prior generation used removable batteries instead of ones that recharged while in the ignition. But they won’t start the car, only unlock it remotely.

If for some reason you need a key and that would take you over 10 (you lost a lot of keys, or some other reason), the dealer is supposed to require proof of an unencumbered title (no liens, etc.) in your name, and will insist that you purchase the keys as well as a new General Module (which, as I alluded to earlier, is the Spock’s Brain thing behind the glovebox).

BMW AG can reset the counter in the General Module and assign it a new code (otherwise, they’d have to scrap any that came back as part of recalls, warranty work, etc.) but that capability is not present at either the dealers or at BMW NA.

#20

I am not a expert on all chip type systems, but on Volvo systems the answer is no you can’t

Again it depends on the system. Early GM systems only had 12 chips. You could do a brute force attack by getting 1 key of each chip cut to the car by 12 different dealers. Modern Volvos have several thousand chips that have to programmed into the car to get it to start. To do the programming requires access to Volvo’s data base to get the proper codes to unlock the programming features.

Again it might be different with other systems, but on a Volvo, the answer is BZZZZT, thanks for playing.
Here is what goes on when I go to unlock my car and start it.
Push unlock button, a coded rolling code is transmitted to the car. The car compares to to the codes stored in memory and the expected new rolling code. If there is a match the car unlocks. If not, no unlock.
When the key is inserted, the chip is read by the antenna around the key hole. If the chip is recognized, then the Central Electronic Module trades passwords with the Engine Control Module
“The duck walks at midnight”
“It always rains on Tuesday”
If each module recognizes the other’s password, then and only then is the start allowed to proceed. If anything in the above process fails a message appears in the driver’s display “Start prevented, try again”
On some models a bit newer than mine after the passwords are exchanged both modules read the serial number of the ABS module before the start is allowed.
Bottom line is replacement of one module will not allow the car to be started, it requires the replacement of two or maybe three modules before the car will start.
Easier to get a tow truck.