At first I thought, how is this Ford's fault? How is this any different from someone just picking the trunk lock?
But then I realized: Ford actively provided the car codes to a car they'd sold, to someone who wasn't the owner, without the owner's permission. This is no different from the locksmith who installed the lock to your house, giving someone else a copy of the key to your front door "because they said they knew you".
Maybe Ford calculates that it's easier to just give out the codes to people related to the dealers, for convenience, but that needs to factor in that they should be forced to pay heavy, heavy fines or restitution when bad things happen.
And even worse, imagine if someone were raped or killed because of Ford's negligence concerning codes. People's security in their cars is a serious thing.
>Lopez said the smuggling organization was able to get a duplicate key from a locksmith in El Paso, who got the codes after calling up a Ford dealership.
>An FBI affidavit says someone at a Dallas auto dealer accessed the codes in Ford's database, giving out more than 2,300 codes over an 18-month period.
I think dealerships, of all places, would be (should be) allowed to have codes for cars in their lot. I trust dealerships to have these codes. If they do nefarious things with them, they should be punished, but I don't think Ford should be punished for having a dealership-accessible database of key codes. Whoever was cooperating with the criminals is, to me, the person to blame here (along with the criminals).
It makes sense for dealerships to have codes for cars in their lot. But it sounds like dealerships have access to codes for all Ford cars, which is a pretty clear least-privilege violation.
A Ford dealer must be able to service any Ford vehicle, including replacing lost keys. The dealers have access to the central database.
Ford failed to monitor access to the database. The whole problem would have been avoided if they just emailed the service manager every time a database lookup is made. Unfortunately he is in Texas, so Ford needs to be 51% at fault for a judgement. The lawyers are playing this out in the press so Ford will pay to make it go away, even though they would likely prevail in a Texas court.
Ford needs to cut this kid a check for $500k, and implement some better auditing of access to the database.
> A Ford dealer must be able to service any Ford vehicle, including replacing lost keys.
Edit: No, you don't. The lock is just a password. You don't store unhashed passwords.
Have an override code to reset the lock code in the car. That'd stop things like this because the original keys would no-longer function and the owner would know that something was wrong. But if the owner loses her keys, then she'll have the new keys anyway and won't have to worry about the old ones being found and used against her.
The problem comes when you not only have to replace the keys (which typically sell for about $120-$240 these days) but the lock cylinders in the door(s), the glovebox, the trunk, and the steering column. The latter of which is typically held in place by a single-use bolt that has to be drilled out to remove.
The module that responds to the keyless entry signals can easily be reprogrammed, often without tools. However, sometimes they can only hold so many codes before they get "full" and have to be replaced. Honda is 10, I think. Ford is probably similar. So don't lose your keys too often.
He is using computer security as a metaphor.
Security is the same, whether it is digital or a physical lock. It is just much easier to implement these sorts of algorithms in the world of bits than it is to implement them in the world of atoms.
A couple years ago, my used '98 CRV's battery died. I got it replaced, and when I started it back up, the radio was locked out; I needed an unlock code that they'd have given me when I bought the car, if the car hadn't passed through at least a dozen hands before finally reaching me.
I called up my nearest Honda dealership, gave them the VIN, and they gave me the radio code.
I like that they can do that. Maybe it makes more sense from a security standpoint if I would've had to call some centralized Honda location, but that doesn't really solve the problem, does it? I have the VIN -- so does anyone who looks through my windshield. I have the title number -- so does the dealership who originally sold the car. We'd have to enter a few concurrent bits of information to verify that I own it, that this car I'm calling about is mine, and I can identify both it and myself, and then the centralized Honda location would have to be able to verify all that on their end.
Or we can assume some modicum of trust at dealerships, and accept the fringe cases where criminals use information they wouldn't have access to in a perfect world.
Very few stereo thieves write down the vehicle VIN on the deck as they're running away. No point in making it even easier for the police to figure out its stolen property, and they're usually in a bit of a hurry. Assuming they have a sharpie marker in one hand instead of a screwdriver or window smasher. Assuming they can read and write.
One interesting problem "security" guys have is overcomplicating plots. Your average meth head is waaay too zonked out of his mind to memorize which VIN goes with which radio, or even which OEM radios need a code.
Another problem is via the VIN they know instantly that your car is a '98. Well my cheapo commuter car is also a '98, and its approximately worthless at this point. Anyone stealing my worn out, partially broken, approx 2002 model year aftermarket deck pretty much deserves the pain they're about to experience. At a flea market I might be able to give it away... That may very well be Honda's point of view. Now try that again with a new 2013 $2000 GPS DVD player deck and they might hassle you.
Almost every OEM radio needs a code - I've not seen a radio in a car manufactured in the last 10 years that hasn't mentioned this fact. Nobody needs to memorize everything. Even methheads carry cell phones with cameras, and can take a snapshot before even breaking in.
Good points, though there should be some steps manufacturers could take. They could check for unusual usage patterns, much like credit card companies do.
The article doesn't specify but does imply that, in this case, the dealer in question made more PIN requests than is normal. If so, Ford should have seen that and investigated.
It sounds from the article like a rogue dealership. In any case Ford should audit access logs for these keys and look for odd access such as a high volume in area beyond statistical clustering.
Well dealers sort of have to have hte access in order to provide service. You're a Ford customer and you drop you key into the sewer as you're fumbling with your keys. Your dealer can help you make a new key (or sell you one for an extortionate price).
agreed - but they should at least check id to match dmv records - seems a common sense check.
[to the nitpicking gallery: yes - bad guy can use fake id to do this, but any key code pull should be accompanied by a letter to the registered dmv address notifying the pull - all simple checks that would make it harder, costlier and with more points where it could be caught]
Parent to your comment is saying that dealer 1 can provide access to a car in dealer 2's lot. They can each provide service without having access to the other's cars. Therefore, this is a principle of least privilege violation.
My car was purchased at a dealership in central MO. I live in TN now, and there happens to be a dealership about 10 minutes away. If I need something fixed, why should I have to drive all the way back to MO (especially since if I needed something fixed, my car wouldn't be in any condition to drive for 6 hours)?
Fair enough, I can believe that they can provide a secure key scheme, but understand why they don't. The risk/value trade-off in the general case is small for mid-range cars. The article demonstrated that you could make it high value with right circumstances, which is a clever hack. Of course security camera footage at this guys office would show who was sneaking up to unload his trunk when he was at work.
So once they sell those cars, then they shouldn't have those codes? when a customer loses their key and needs a new key made, then what? what about a customer losing key while he's far away from home or where he purchased his key? people do move you know? how about losing your key when you are out of state? it's one thing to lose a key, it's another to have to wait a day to get a key made and be stranded.
iMHO, a better solution would be tracking how often locksmiths request for key codes and have an algorithm that can detect unusual patterns which will then be followed up by human eyes.
It's not that simple though, they do maintenance on cars as well so they'd need to be able to access those access codes as well. There probably should've been some oversight to make sure someone looking up thousands of VINs gets flagged somewhere, but it's reasonable to allow dealerships access to codes for cars they'd need to work on.
Regardless of Ford's procedures, this could happen to anyone who crosses a border, if the smugglers have access to the person's car or bags. And almost inevitably, the person set up in this way will be disbelieved and prosecuted. This guy was relatively lucky.
The ultimate fault lies with the drug laws, which provide for punishment of victimless behavior, incentivize smuggling - and as this case shows, indirectly trap innocents.
On a practical level, this incident shows that it's necessary to examine the trunk, the underside of the car, one's luggage and so on, every time - and still something may have been hidden.
I don't know think about it how many times does a locksmith call a dealership with a legit reason, or the dealership have to look up this internally. We are looking at an average of 4.2 look ups a day. If the national average is only 1 database look up per day per dealership then it should have been a red flag but what if 5 is the national average and this dealership had 9.2 then it would just be an anomaly than an automatic red flag
is it possible that the code is part of the standard screen displayed for the car? If its part of some standard display it may not raise any flags. Type VIN in, get all sorts of information they consider common to inquiries.
For physical keys there are not that many variations per model of car, some are even interchangeable between related brands. I wonder how unique coded keys are?
The code situation definitely isn't secure. I was at a hacker con, in a remote location, and someone locked themselves out of their car. Folks were able to create a key, on site, using the code. I'm not sure if it was a Ford, but it does show it's a significant security issue in the automotive industry.
The problem is a security model where all trust is exclusivity and irrevocably granted to a single external entity. An entity that an owner of property has to go through to access their own property.
This kind of security model has both pros and cons. This is one of the cons and all the internal process in the world at the external authority doesn't change the weakness. The best they can do is push to limit the number of abuses of the authority (for all definitions of abuse as defined by the external power, not product owner).
As implied in Cory Doctorow's "The coming war on general-purpose computation," modern cars are really computers with an engine and wheels. This event has proven that computer security breaches in cars can have real-world legal consequences for citizens. As a result, there may be a market in a hardening/privacy guide for new cars, similar to the kind sysadmins use to harden Internet-facing servers. Alongside your standard hacker-types, a guide like this probably has a market in survivalist/conspiracy circles.
The guide could explain how to change the code in the car's alarm transmitter as well as how to remove devices with privacy implications like OnStar.
Modern cars are really a LAN with an engine and wheels. You need to decide how secure each computer on the network needs to be or whether it is enough that you need be able to get into the car to get at the diagnostic connector. There was a case a while back of one model of car being easily stolen because the cables to the ABS system accessable from the wheel arches.
There has also been talk of allowing wireless access to the in-car network in order to allow cars to be driven much closer together in high-occupancy lanes.
The crimincal case could have easily gone the other way: "The car was locked, locks are presumed secure, presence of a lock is proof that you were aware of the contents of your trunk." This is what happens in home burglaries: If your lock gets picked, insurers claim that the door was never locked.
Lockpicks leave evidence of their use (src: http://www.lockwiki.com/index.php/File:Forensics_pin_picked.... ). If the victim was confident that the lock was picked, they could hire a forensic locksmith to find this evidence if the reimbursement is worth the cost of the locksmith.
As far as I know, getting a keyfob code and using it to unlock a car door is completely surreptitious (no evidence left) entry, as opposed to lockpicks, which are covert entry (evidence is left).
otherwise, use a softer metal on the picks (or plastic, or grease the picks, or as every criminal does, apply soap to the tips), and pick without any markings.
What strikes me about this is that the criminals could have just as easily stolen the vehicles, but the value of the marijuana outweighed the value of the vehicles.
They can probably liquidate the drugs due to contacts they've made in that world faster, so even if the car was worth more it could be harder to liquidate. Stealing a car is worthless if you can't sell it or get a premium for it.
Does the prosecutor here just go "Whoopsie, our bad!", or what?
Yes, that's what happens. It's a cost of having a free society that's randomly distributed instead of explicitly collected from your income, like many costs in a free society.
I wonder how many bags of marijuana made it undetected in that car, since he was in the screened commuter lane.
And he's so lucky they had a record of accesses to the key code database. If they could have erased that record of the access, then it would have been a perfect crime.
How would this be different from a locksmith making a fake key for a more traditional lock and doing the same thing? Is it practically that much more difficult to do?
A locksmith can copy a key, but cannot create a key that fits a specific lock without knowing anything about the key. In this case, they could create a key with the data Ford provided just using the "publicly available" (written on the windshield) VIN.
That key cannot be used to actually start the engine, because you need to register it with the ECU using manufacturer's codes and usually with at least one of the previous keys present. But there are bugs to be exploited in that case too.
Actually, they can add long as they have access to the lock itself. Take a blank key, insert and turn; find the dent made by the closest pin and for that place one level down. Repeat until you have a key that works. This is regarding the physical keys for the trunk.
I suspect the percentage that gets caught on any given trip is quite low. They're playing a lottery with a 99%+ win chance. When they win, they sell the stuff at a huge markup, and when they lose, all they lose is one shipment and one potential courier who wasn't even in on the plot.
They still have drug trafficking in Singapore, where you get the death penalty for drug trafficking. I think the key is not to make drugs expensive, but to make them cheap. Then the criminals are out of business.
But then I realized: Ford actively provided the car codes to a car they'd sold, to someone who wasn't the owner, without the owner's permission. This is no different from the locksmith who installed the lock to your house, giving someone else a copy of the key to your front door "because they said they knew you".
Maybe Ford calculates that it's easier to just give out the codes to people related to the dealers, for convenience, but that needs to factor in that they should be forced to pay heavy, heavy fines or restitution when bad things happen.
And even worse, imagine if someone were raped or killed because of Ford's negligence concerning codes. People's security in their cars is a serious thing.