iaati seminar 2013
TRANSCRIPT
IAATI – Seminar 2013
• Car Keys - The next Generation
• A forensic view to a key hole
Manfred Krämer www.lock-expert.de IAATI 2013
My name is Manfred Krämer
- 55 years old.
- working in the field of security since 1979
- member of ALOA since 1984
- member of IAATI since 1994
- working as an expert since 1986
Manfred Krämer www.lock-expert.de IAATI 2013
What is my job?
- key examinations
- lock examinations
- car opening
- burglary analysis
- safe opening and safe service
- transponder technique
Manfred Krämer www.lock-expert.de IAATI 2013
Who are my customers?
- insurance companies
- courts
- other car experts
- locked out customers
Manfred Krämer www.lock-expert.de IAATI 2013
General information:
Please ask your questions directly!
The talk takes about 40 minutes. The complete handout can be downloaded from my website: www.lock-expert.de
Referring to the talk there will be a live demonstration with
Gerrit and Rene and you are welcome to play with locks,
tools and look after traces with a scope.
Manfred Krämer www.lock-expert.de IAATI 2013
Outline
-variation of keys
-transponder technique
-creating a new car key
-the handicap for the forensic expert
-reliability of information from a key
-steps to steel a car
-demonstration of opening techniques
Manfred Krämer www.lock-expert.de IAATI 2013
1. Variations of car keys
What kind of keys do we have at cars?
-Mechanical keys:standard blade without a transponder discontinued models at
older cars partially present at trucks, tractors, construction
machines, motorbikes, boats and planes.
These keys have the minimum security standard and can be
copied in simple ways.
Similar situation at the ignition locks, they can be picked with
basic tools.
Manfred Krämer www.lock-expert.de IAATI 2013
- Mechanical car keys with transponder:
a. conventional cutting
medium to low level of security
b. two- or four track internal or external cutting
medium to high level of security, different for types and
models at the ignition locks
With suitable tools the locks can be overcome!
Manfred Krämer www.lock-expert.de IAATI 2013
- electronic keys or “keyless go” keys or cards
the mechanic has only a minor rule
the locks at the car (drivers door and trunk) have a
medium security standard
mounted within the cars are electromechanical or
electronic ignition devices
the keys or cards are either put into a slot or a clamp or you
only have a start button
there is no ignition lock in the dashboard
Manfred Krämer www.lock-expert.de IAATI 2013
The transponder technique of the car manufacturers differs. In the past we had a more or less conformance in the mechanics. With the transponder technique we live in a “multi-verse”. Most of the manufacturers created their own system. We are currently at the 30th or 35th transponder version. Daimler (Mercedes) – except trucks – works with their systems FBS-3 and FBS-4 without a transponder.
Manfred Krämer www.lock-expert.de IAATI 2013
One of the newest techniques for lock opening and closing is NFC (near field communication). The technology
depends on RFID and Bluetooth. It is possible to open car
doors or locks with a smartphone.
The key copy market:
Opposed to the car industry, which is working with many
different systems, the trend in the key copy marked is the “universal copy technique”.
Manfred Krämer www.lock-expert.de IAATI 2013
In this copy technique an “universal” transponder is used. This transponder has many functions.
-equipped with a read/write module
-works without a battery and gets its power from the ignition
lock of the car
-records basic information at the copy process with cloning
machines
-interchanges communication data with the ECU (engine
control unit)
Manfred Krämer www.lock-expert.de IAATI 2013
A special software calculates from the data of the original key, the data from the ECU and some basic data a new
transponder code. This code is written into the universal transponder. The universal transponder considers the
different existing systems. With this method one transponder can be used for most existing immobilizer
systems.
Manfred Krämer www.lock-expert.de IAATI 2013
The TK 100 Bianchi transponder and the Bianchi 884 cloning machine.
Manfred Krämer www.lock-expert.de IAATI 2013
- Essential benefit for the locksmith industry: only a few transponder heads and a variety of horseshoe blanks
are necessary to copy 80 to 90 per cent of the car keys
on the market.
a horseshoe blank
Manfred Krämer www.lock-expert.de IAATI 2013
- Essential disadvantage for the insurance companies or for the experts:
This technique is unverifiable
If the car is stolen, the only thing the insurance company
gets are the original keys and the VIN number. If you
don’t have any copy traces or manipulations at the keys then there is no trace of a cloning procedure.
Manfred Krämer www.lock-expert.de IAATI 2013
key shell with production date March 2006
– the car was build in 2008
Manfred Krämer www.lock-expert.de IAATI 2013
An opened key shell, a changed transponder, a modified key blank, a good lock expert will find this and it can be
assured. Finding these manipulations depends on the
knowledge of the thief.
Easy verifiable are manipulations of the original key. You have to read the transponder id’s of the keys.
- do they have a logical record number?
- do they belong to that type of car?
- do they match with the registered id’s from the manufacturer?
Manfred Krämer www.lock-expert.de IAATI 2013
For an expert it is necessary to read all information of a key. In this area a big field of fraud is possible.
Just how reliable is data from a key?
a.Transponder id’s
- very authentic at this moment. The transponder copy or clone machine generates a new transponder-code and write it into the universal transponder. The new transponder-code is approximately exact. The code is effectual to start the car, butdiffers in the codes you have from the factory.
- Conclusion: the transponder-codes from the factory keys could be matched quickly and authentically to the VIN of the car.
Manfred Krämer www.lock-expert.de IAATI 2013
b. Date and time of the last use of a car key using the example of a BMW car.
1. readout of an original key:
- last use at March, 09th,2013, 07:35
- last odometer reading = 71.647 km
- key reading date = March, 13th,2013
time =11:38
Manfred Krämer www.lock-expert.de IAATI 2013
b. Date and time of the last use of a car key using the example of a BMW car.
2. We manipulate the date and the time at the on-board
computer.
-set date at March, 11th,2013
-set time at 10:41 ( - 1 hour)
-driving 8 km with speed > 40 km/h
-put the key into the key reader and get new data
Manfred Krämer www.lock-expert.de IAATI 2013
b. Date and time of the last use of a car key using the example of a BMW car.
3. readout of the original key:
- last use at March, 11th,2013, 10:41
- last odometer reading = 71.650 km
- key reading date = March, 13th,2013
time =11:52
There is a difference in the date and
time between real time and time, which
is written into the key!
Manfred Krämer www.lock-expert.de IAATI 2013
Conclusion: if you use the key reader and read the data of an original BMW key – the data can be right, but it can be
false too. If the date and time of the board computer is
wrong (intentionally or by mistake) the date and time of the last use of the key is not the real date.
If date and time is ok, there can be a difference in the mileage too. The board computer doesn’t write the data
into the key every time. You have to drive a distance of approximately 10 km and the speed has to be > 40 km/h.
In case of a car theft you always have to proof the circumstances.
Manfred Krämer www.lock-expert.de IAATI 2013
If the car is recovered after vehicle theft, there are approved procedures of a car examination:
– manipulation of VIN numbers
– lock examination
– traces of force
– how was the car stolen? Spare key, replaced key, copy, without a key or manipulation?
– how was the lock overridden? Tools, knowledge of the tumblers
– traces
– examination results
Manfred Krämer www.lock-expert.de IAATI 2013
Today:
Modern car thieves won’t steel a car with a hammer or a
big steel wire to open it, or with a drill or a solid screwdriver
to overcome the ignition. Modern thieves will steal it with small opening tools and a laptop. They open the car with
an opening tool, put the adaptor to the OBD-port and run a special program to get into the car system. Each
manufacturer has its own way to program a new key into
the system. Some differ in a few programming points, others are the same.
Manfred Krämer www.lock-expert.de IAATI 2013
Sometimes you „tell“ the system that a new key has to be programmed (and you need a key or a key-liked instrument
to put it into the ignition lock or a slot). For keyless go
systems it is enough to tell the system that a „key“ is near and the car will start.
In some cases the investigator is able to find „traces“ in the board computer but mostly the intruding program leaves no
trace in the system.
Manfred Krämer www.lock-expert.de IAATI 2013
Evidence of a manipulation:
-The ECU (electronic control unit) and other components of the immobilizer system (dashboard) can be read by specialists.
-Door – and ignition locks can be investigated via microscope for traces of picking or manipulation.
-A damaged door lock alone is no evidence for a car theft.
-I am sure that many insurance companies will insure a car theft and the results of the theft if the car is recovered and the door lock is damaged.
-Many other things are disregard: “ Is it possible to drive off a car when only a door lock is damaged?
Manfred Krämer www.lock-expert.de IAATI 2013
What is the situation today?
-transponder types – fixed, rolling, encrypted codes
-processing power
-many systems can be duplicated
-manipulations at keys or at cars
-do telematics facilitate car thefts in the near future?
-is car hacking something new?
-key immobilizer hacking – and the court
Manfred Krämer www.lock-expert.de IAATI 2013
Discussion:
The questions on the latest sheet are for discussion.
Immobilizer hacking is nothing new. From a minority
method it became a dominant method to steel the most targeted models in Europe and probably the States too.
Manfred Krämer www.lock-expert.de IAATI 2013