
The following is an article on the facts behind the reported defeat of the Ford transponder system. It was written by Thomas G. Seroogy, CFL, and is endorsed by Ken Vitty of Sterling Investigative Services and Rich Pacheco of N.E.T.S.
Ford Busted or not?
By Thomas G Seroogy, CFL
Introduction
Broadcasting the potential theft of millions of Ford vehicles, this weekend's media reporting of recent transponder research at Johns Hopkins is creating unwarranted concern about uncontrolled theft and fraud.
At the heart of the issue is the recent cracking, by researchers, of the algorithm used to protect the Texas Instruments chip found in a single type of Ford key.
In typical media fashion, the degree of theft risk this "breakthrough research" presents is exaggerated and overstated.
Here are the facts:
1. Based on the information provided by the media, in automotive applications the "crack" affects a single chip, currently used only in the Ford Focus and Escape and the Ford-produced Mazda Tribute.
2. The breakthrough simply means that keys that previously could not be cloned can now be cloned, and then only under laboratory conditions.
3. The breakthrough affects the key only; it does nothing to help bypass or defeat the immobilizer installed in the vehicle when a working, programmed key is not available.
4. The research was performed by a team whose leader is heavily involved in, and knowledgeable about, encryption technology; despite those credentials, it still took the group and a handful of computers three months of full-time work to crack the chip, and the research was heavily financed.
Discussion
The recent code breaking of the Texas Instruments-based Ford transponder key is neither new nor unexpected. Private companies with an interest in the production and duplication of transponder keys and cloning equipment have always recognized that the protection schemes on encrypted transponder keys are breakable. In fact, due more to legislative restrictions on the use of encrypted data than to technical limitations, the chip(s) used in these transponder keys use 40-bit rather than the more secure 128-bit encryption. Since the "breaking" process is nothing more than a trial of every possible key, and each additional key bit doubles the number of trials, a 40-bit scheme is obviously less secure.
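As an added, runnable illustration of the exhaustive search the paragraph describes (this is example code written for this page, not the researchers' or Texas Instruments' code; the keyed function, the bit widths and the trial rate are assumptions chosen for the demonstration, not the real chip's design): a toy challenge-response transponder is queried twice by a rogue reader, its key is recovered by trying every candidate, the recovered key is shown to answer a fresh challenge exactly like the original, and the expected work is then scaled to 40 and 128 bits.

```python
import hashlib
import hmac
import secrets
from typing import List, Tuple

# Toy parameters (assumed for illustration; NOT the Texas Instruments design).
KEY_BITS = 16        # tiny key space so the exhaustive search finishes in well under a second
CHALLENGE_BITS = 40  # width of the challenge the reader sends
RESPONSE_BITS = 24   # width of the response the transponder returns


def respond(key: int, challenge: int) -> int:
    """The keyed function the transponder computes on the reader's challenge.

    Truncated HMAC-SHA256 is used as a stand-in cipher: the attack below only
    needs *some* keyed function, not the real chip's algorithm.
    """
    mac = hmac.new(key.to_bytes(8, "big"), challenge.to_bytes(8, "big"),
                   hashlib.sha256).digest()
    return int.from_bytes(mac[: RESPONSE_BITS // 8], "big")


def capture_pairs(key: int, count: int) -> List[Tuple[int, int]]:
    """Model an attacker who has the key within range of a rogue reader: send
    `count` challenges and record the (challenge, response) pairs. Nothing
    below works without that proximity, which is the article's central point."""
    pairs = []
    for _ in range(count):
        challenge = secrets.randbits(CHALLENGE_BITS)
        pairs.append((challenge, respond(key, challenge)))
    return pairs


def brute_force(pairs: List[Tuple[int, int]], key_bits: int = KEY_BITS) -> List[int]:
    """Exhaustive search: return every key consistent with all captured pairs.

    With a single pair, roughly 2**key_bits / 2**RESPONSE_BITS wrong keys would
    also match by chance; a second pair removes them, which is why a cloner
    wants more than one exchange with the victim's key.
    """
    return [k for k in range(1 << key_bits)
            if all(respond(k, c) == r for c, r in pairs)]


def work_factor(key_bits: int, trials_per_second: float) -> Tuple[int, float]:
    """Expected number of trials (half the key space) and the wall-clock seconds
    at the given trial rate. Every extra key bit doubles both numbers."""
    trials = 1 << (key_bits - 1)
    return trials, trials / trials_per_second


if __name__ == "__main__":
    victim_key = secrets.randbits(KEY_BITS)
    captured = capture_pairs(victim_key, 2)        # two exchanges with the real key
    recovered = brute_force(captured)
    print(f"recovered keys: {[hex(k) for k in recovered]}, victim key {hex(victim_key)}")
    # Clone check: the recovered key answers a fresh challenge exactly as the original.
    fresh = secrets.randbits(CHALLENGE_BITS)
    print("clone answers like the original:",
          respond(recovered[0], fresh) == respond(victim_key, fresh))
    for bits in (KEY_BITS, 40, 128):
        trials, seconds = work_factor(bits, 1e6)   # assumed rate: one million trials per second
        print(f"{bits:3d}-bit key: {trials:.3e} expected trials, {seconds / 86400:.3e} days")
```

The numbers make the same point the article makes in words: each key bit doubles the search, so 40 bits at an assumed million trials per second is a few days of machine time for a well-equipped attacker, while 128 bits is out of reach; and none of it starts until the attacker has exchanged at least a couple of challenges with the victim's key at close range.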
From a commercial standpoint, the sole reason for not pursuing this technology is simple economics: the time and resources required to break the codes of the various transponder keys are costly, and copyright, patent and other protections create immense and costly legal hurdles. As such, the investment needed to create commercially available products cannot be justified.
Needless to say, breaking the code is not a new concept to entities with roots in auto theft. Well-financed criminal organizations with access to the technology, and with the money and resources to invest, are well aware of any inherent weaknesses not only in the key but in the overall security of any specific vehicle security system.
So what does this supposed breakthrough mean for auto security? In the opinion of this expert, not much, if anything.
Simply put, once all the hype is boiled out of the issue, it means that keys using this particular Texas Instruments chip can be cloned. That's all.
And as with any cloneable key, using this technology to steal a car still requires access to cloning equipment and blank keys capable of working with the encrypted chip, plus an already programmed and working key. In typical media fashion, however, the ability to use this technology for theft is overstated.
In reviewing the information on this breakthrough, it should be remembered that the Johns Hopkins researchers performed the break and the cloning under ideal conditions: the subject chips or keys were exposed and stable, not the conditions of an actual theft attempt.
In reality, the limitations of cloning severely limit its effectiveness as a method of theft:
1. The extremely short transmission range of the chip (4 to 20 mm) makes "code grabbing" extremely difficult without having the key in hand. Coming into close enough proximity to a transponder chip for the time needed to grab the code is highly unlikely. In addition, barriers such as the material of a pocket or purse, other metallic objects such as keys, and even one's hand can limit the ability to grab a code.
2. Compounding the difficulty, with many chips orientation also affects the ability to properly read or steal a transponder code. When a standard GM PK3 transponder key (a cloneable key) is placed in a common and well-known transponder reader, the unit correctly detects a Megamos chip; inserted upside down, however, it detects a Philips-brand chip. When an otherwise uncloneable encrypted Cadillac Catera key is placed upside down in a commercial cloning device, the key can be read and copied, and a cloned key can be created. Ford's newest key, using a Texas Instruments encrypted "wedge" chip, only operates when properly positioned in the ignition lock's keyway.
3. Since more than 70 percent of today's vehicles come equipped with transponder-based immobilizers, the likelihood of an individual having more than one transponder key on his or her person is extremely high. If more than one transponder is on the key chain, or within close proximity to another, an attempt to grab or steal a code causes both keys to transmit their codes simultaneously, disrupting or corrupting the code received by a code-grabbing device.
4. Once a key is cloned, the vehicle must still be located. This can only happen in a targeted theft, which involves not only access to a working, programmed key but also enough surveillance to determine the owner's address or the vehicle's location.
5. Finally, from a commercial perspective, due to the legal and economic barriers mentioned earlier, the production of, and access to, commercially available equipment and keys capable of working with the encrypted chips is not likely to occur any time soon, severely limiting the potential for using this technology for theft.
Conclusions:
It seems the media has struck a chord with an alarmist public. The research being called a breakthrough is simply a working demonstration of the limits of some levels of encryption technology. The technology used to break the encryption on the Ford key is not new and, generally speaking, not complicated; it does, however, demand time and money.
While 128-bit encryption is preferred, the global market in which this technology is used imposes legal limits that restrict manufacturers to the less secure, but still extremely effective, 40-bit encryption.
Aside from the time and development costs, using this technology to actually steal a vehicle requires the time and expense of targeting and surveillance. In fact, the only credible scenario for a theft of this type involves car owners having their key cloned at a car dealership, hardware store or locksmith, where both a working key and a vehicle location or owner address are surrendered. Still, as stated earlier, the necessary equipment is not currently commercially available and probably won't be for some time.
Another scenario offering an opportunity for theft by this method is through locations offering valet services. Thefts involving valet services, however, while not unheard of, require a coordinated effort by a gang or organization that is well structured, understands the technology and its application, and is capable of a higher degree of planning. This technique eventually fails because it requires direct contact with the vehicle owner and, through repeated theft, becomes traceable.
For a car thief to use cloning as the method of theft, he needs direct access to a working, programmed key; the technology and tools to clone the key; time to clone the key; and foreknowledge of the vehicle's location. In all likelihood these opportunities only present themselves through direct contact with the owner.
Needless to say, considering the personal exposure and the degree of planning this technique requires, the cloning "breakthrough" of the Johns Hopkins research team really isn't the crime industry's auto theft method of choice.
As regards fraud, insurance companies are bound to see a surge in stolen-vehicle claims that allege the use of a cloned key. Remember that, as presented by the media, the automotive transponder chip in question affects the Ford Focus and Escape and the Ford-produced Mazda Tribute only. And while the same code-breaking process can be applied to most other auto manufacturers' keys that employ challenge-response encryption, it still involves an investment of time and money.
Finally, we need to ask: does the Johns Hopkins demonstration reduce the security of the Ford (or any) encrypted transponder technology and increase the likelihood of theft? That depends on perspective.
Relative to "security by obscurity", the research has now made public what had been known only privately for years; in that sense the security of these transponder systems has been reduced.
Relative to an increase in actual, legitimate thefts? Not likely. This method requires targeting and surveillance to be effective, and there are too many more cost- and time-effective alternatives to it. Still, time will tell.
Relative to give-ups (owner-arranged "thefts" reported as stolen-vehicle claims)? Highly unlikely: the equipment to clone encrypted keys is not commercially available, and developing it is beyond the means of most individuals, small gangs and small companies.
As a final note, what does history teach us about the use of cloning to steal a car? From the first transponder-based vehicles that rolled off their lines, General Motors and Honda vehicles, as well as those of several other manufacturers, have been vulnerable to cloning. To date, cloning has not been noted as a major method of theft for these vehicles or for any other transponder-based vehicles. In other words, we just don't see it happening.
What does this breakthrough mean to the insurance company SIU and to law enforcement? Cloning is still a legitimate technique for stealing a vehicle; its use, however, will probably be confined to specific geographic locations.
As such, it is important that officers and SIU personnel obtain detailed information on the history of the vehicle: location of the theft, names of shops that performed recent repairs, locations where valet service was used, etc. In other words, were the insured and the vehicle ever exposed to a circumstance where a second party had unsupervised access to the key and to the home or work address of the insured?
All in all, the media hype behind the research is intriguing, but void of real-world application.