It makes sense for dealerships to have codes for cars in their lot. But it sounds like dealerships have access to codes for all Ford cars, which is a pretty clear least-privilege violation.
A Ford dealer must be able to service any Ford vehicle, including replacing lost keys. The dealers have access to the central database.
Ford failed to monitor access to the database. The whole problem would have been avoided if they just emailed the service manager every time a database lookup was made. Unfortunately he is in Texas, so Ford needs to be 51% at fault for a judgement. The lawyers are playing this out in the press so Ford will pay to make it go away, even though they would likely prevail in a Texas court.
Ford needs to cut this kid a check for $500k, and implement some better auditing of access to the database.
> A Ford dealer must be able to service any Ford vehicle, including replacing lost keys.
Edit: No, you don't. The lock is just a password. You don't store unhashed passwords.
Have an override code to reset the lock code in the car. That'd stop things like this because the original keys would no longer function and the owner would know that something was wrong. But if the owner loses her keys, then she'll have the new keys anyway and won't have to worry about the old ones being found and used against her.
The problem comes when you not only have to replace the keys (which typically sell for about $120-$240 these days) but the lock cylinders in the door(s), the glovebox, the trunk, and the steering column. The latter of which is typically held in place by a single-use bolt that has to be drilled out to remove.
The module that responds to the keyless entry signals can easily be reprogrammed, often without tools. However, sometimes they can only hold so many codes before they get "full" and have to be replaced. Honda is 10, I think. Ford is probably similar. So don't lose your keys too often.
He is using computer security as a metaphor.
Security is the same, whether it is digital or a physical lock. It is just much easier to implement these sorts of algorithms in the world of bits than it is to implement them in the world of atoms.
A couple years ago, my used '98 CRV's battery died. I got it replaced, and when I started it back up, the radio was locked out; I needed an unlock code that they'd have given me when I bought the car, if the car hadn't passed through at least a dozen hands before finally reaching me.
I called up my nearest Honda dealership, gave them the VIN, and they gave me the radio code.
I like that they can do that. Maybe it makes more sense from a security standpoint if I would've had to call some centralized Honda location, but that doesn't really solve the problem, does it? I have the VIN -- so does anyone who looks through my windshield. I have the title number -- so does the dealership who originally sold the car. We'd have to enter a few concurrent bits of information to verify that I own it, that this car I'm calling about is mine, and I can identify both it and myself, and then the centralized Honda location would have to be able to verify all that on their end.
Or we can assume some modicum of trust at dealerships, and accept the fringe cases where criminals use information they wouldn't have access to in a perfect world.
Very few stereo thieves write down the vehicle VIN on the deck as they're running away. No point in making it even easier for the police to figure out it's stolen property, and they're usually in a bit of a hurry. Assuming they have a sharpie marker in one hand instead of a screwdriver or window smasher. Assuming they can read and write.
One interesting problem "security" guys have is overcomplicating plots. Your average meth head is waaay too zonked out of his mind to memorize which VIN goes with which radio, or even which OEM radios need a code.
Another problem is via the VIN they know instantly that your car is a '98. Well my cheapo commuter car is also a '98, and it's approximately worthless at this point. Anyone stealing my worn out, partially broken, approx 2002 model year aftermarket deck pretty much deserves the pain they're about to experience. At a flea market I might be able to give it away... That may very well be Honda's point of view. Now try that again with a new 2013 $2000 GPS DVD player deck and they might hassle you.
Almost every OEM radio needs a code - I've not seen a radio in a car manufactured in the last 10 years that hasn't mentioned this fact. Nobody needs to memorize everything. Even methheads carry cell phones with cameras, and can take a snapshot before even breaking in.
Good points, though there should be some steps manufacturers could take. They could check for unusual usage patterns, much like credit card companies do.
The article doesn't specify but does imply that, in this case, the dealer in question made more PIN requests than is normal. If so, Ford should have seen that and investigated.
It sounds from the article like a rogue dealership. In any case Ford should audit access logs for these keys and look for odd access such as a high volume in area beyond statistical clustering.
Well dealers sort of have to have the access in order to provide service. You're a Ford customer and you drop your key into the sewer as you're fumbling with your keys. Your dealer can help you make a new key (or sell you one for an extortionate price).
Agreed - but they should at least check ID to match DMV records - seems a common sense check.
[To the nitpicking gallery: yes - the bad guy can use a fake ID to do this, but any key code pull should be accompanied by a letter to the registered DMV address notifying of the pull - all simple checks that would make it harder, costlier and with more points where it could be caught.]
Parent to your comment is saying that dealer 1 can provide access to a car in dealer 2's lot. They can each provide service without having access to the other's cars. Therefore, this is a principle of least privilege violation.
My car was purchased at a dealership in central MO. I live in TN now, and there happens to be a dealership about 10 minutes away. If I need something fixed, why should I have to drive all the way back to MO (especially since if I needed something fixed, my car wouldn't be in any condition to drive for 6 hours)?
Fair enough, I can believe that they can provide a secure key scheme, but understand why they don't. The risk/value trade-off in the general case is small for mid-range cars. The article demonstrated that you could make it high value with the right circumstances, which is a clever hack. Of course security camera footage at this guy's office would show who was sneaking up to unload his trunk when he was at work.
So once they sell those cars, then they shouldn't have those codes? When a customer loses their key and needs a new key made, then what? What about a customer losing a key while he's far away from home or from where he purchased his key? People do move, you know? How about losing your key when you are out of state? It's one thing to lose a key, it's another to have to wait a day to get a key made and be stranded.
IMHO, a better solution would be tracking how often locksmiths request key codes and having an algorithm that can detect unusual patterns, which would then be followed up by human eyes.
It's not that simple though, they do maintenance on cars as well so they'd need to be able to access those access codes as well. There probably should've been some oversight to make sure someone looking up thousands of VINs gets flagged somewhere, but it's reasonable to allow dealerships access to codes for cars they'd need to work on.
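One way to implement the flagging several comments above call for (a dealer pulling far more key codes than its peers, or pulling codes for vehicles registered far from its own area), as an added example that is not part of the thread or of any Ford system. The log format, dealer ids, states and thresholds are all constructed for illustration.

```python
# Added example, not from the thread: flag dealers whose key-code lookup volume
# or share of out-of-state vehicles stands out. All ids/thresholds constructed.
from collections import defaultdict
from statistics import median

def make_rows(dealer, dealer_state, n, owner_state, day="2013-03-01"):
    """Constructed log rows: (dealer_id, dealer_state, vin, owner_state, day)."""
    return [(dealer, dealer_state, f"{dealer}-VIN{i:04d}", owner_state, day)
            for i in range(n)]

# Four ordinary dealers, one out-of-state traveller served by D200, and one
# rogue dealer pulling codes for a hundred vehicles it never sold or serviced.
SAMPLE_LOG = (
    make_rows("D100", "MO", 4, "MO")
    + make_rows("D200", "TN", 5, "TN") + make_rows("D200", "TN", 1, "MO")
    + make_rows("D300", "TX", 3, "TX")
    + make_rows("D400", "OH", 6, "OH")
    + make_rows("D900", "TX", 60, "TX") + make_rows("D900", "TX", 40, "CA")
)

def lookups_per_dealer(log):
    counts = defaultdict(int)
    for dealer, *_ in log:
        counts[dealer] += 1
    return dict(counts)

def flag_high_volume(log, k=5.0, floor=20):
    """Dealers whose lookup count exceeds the fleet median by more than k MADs.
    The absolute floor keeps a quiet fleet from flagging its busiest dealer."""
    counts = lookups_per_dealer(log)
    vals = list(counts.values())
    med = median(vals)
    spread = median(abs(v - med) for v in vals) or 1.0  # avoid a zero spread
    limit = max(floor, med + k * spread)
    return sorted(d for d, c in counts.items() if c > limit)

def flag_out_of_area(log, max_ratio=0.25, min_lookups=10):
    """Dealers whose share of lookups on vehicles registered in another state
    exceeds max_ratio; min_lookups keeps a single stranded traveller (the
    case raised in the thread) from flagging a small dealer."""
    total, away = defaultdict(int), defaultdict(int)
    for dealer, dealer_state, _vin, owner_state, _day in log:
        total[dealer] += 1
        away[dealer] += int(owner_state != dealer_state)
    return sorted(d for d in total
                  if total[d] >= min_lookups and away[d] / total[d] > max_ratio)

if __name__ == "__main__":
    print("high volume:", flag_high_volume(SAMPLE_LOG))  # ['D900']
    print("out of area:", flag_out_of_area(SAMPLE_LOG))  # ['D900']
```

Both detectors are relative to the dealer population rather than a fixed quota, so a legitimately busy dealer in a busy fleet is not flagged while a single outlier is.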