IAATI Seminar 2013

• Car Keys - The next Generation

• A forensic view to a key hole

Manfred Krämer www.lock-expert.de IAATI 2013

My name is Manfred Krämer

- 55 years old.

- working in the field of security since 1979

- member of ALOA since 1984

- member of IAATI since 1994

- working as an expert since 1986

What is my job?

- key examinations

- lock examinations

- car opening

- burglary analysis

- safe opening and safe service

- transponder technique

Who are my customers?

- insurance companies

- courts

- other car experts

- locked out customers

General information:

Please ask your questions directly!

The talk takes about 40 minutes. The complete handout can be downloaded from my website: www.lock-expert.de

Referring to the talk there will be a live demonstration with Gerrit and Rene, and you are welcome to play with locks and tools and look for traces with a scope.

Outline

- variation of keys

- transponder technique

- creating a new car key

- the handicap for the forensic expert

- reliability of information from a key

- steps to steal a car

- demonstration of opening techniques

1. Variations of car keys

What kind of keys do we have on cars?

- Mechanical keys: standard blade without a transponder; discontinued models on older cars, partially present on trucks, tractors, construction machines, motorbikes, boats and planes.

These keys have the minimum security standard and can be copied in simple ways.

The situation is similar for the ignition locks: they can be picked with basic tools.

standard keyblade – cuts on both sides

a simple copy machine

picking tools for door or ignition locks

- Mechanical car keys with transponder:

a. conventional cutting: medium to low level of security

b. two- or four-track internal or external cutting: medium to high level of security, different for types and models at the ignition locks

With suitable tools the locks can be overcome!

car keys with transponder

a modern lock opening tool

- Electronic keys or “keyless go” keys or cards

The mechanics play only a minor role.

The locks on the car (driver's door and trunk) have a medium security standard.

Electromechanical or electronic ignition devices are mounted within the cars.

The keys or cards are either put into a slot or a clamp, or you only have a start button.

There is no ignition lock in the dashboard.

keyless go card – electronic key

The transponder technique differs between the car manufacturers. In the past there was more or less conformity in the mechanics. With the transponder technique we live in a “multi-verse”: most of the manufacturers created their own system. We are currently at the 30th or 35th transponder version. Daimler (Mercedes), except trucks, works with its systems FBS-3 and FBS-4 without a transponder.

One of the newest techniques for lock opening and closing is NFC (near field communication). The technology depends on RFID and Bluetooth. It is possible to open car doors or locks with a smartphone.

The key copy market:

In contrast to the car industry, which is working with many different systems, the trend in the key copy market is the “universal copy technique”.

In this copy technique a “universal” transponder is used. This transponder has many functions:

- equipped with a read/write module

- works without a battery and gets its power from the ignition lock of the car

- records basic information during the copy process with cloning machines

- interchanges communication data with the ECU (engine control unit)

Special software calculates a new transponder code from the data of the original key, the data from the ECU and some basic data. This code is written into the universal transponder. The universal transponder takes the different existing systems into account. With this method one transponder can be used for most existing immobilizer systems.

The TK 100 Bianchi transponder and the Bianchi 884 cloning machine.

- Essential benefit for the locksmith industry: only a few transponder heads and a variety of horseshoe blanks are necessary to copy 80 to 90 per cent of the car keys on the market.

a horseshoe blank

- Essential disadvantage for the insurance companies or for the experts:

This technique is unverifiable.

If the car is stolen, the only things the insurance company gets are the original keys and the VIN number. If there are no copy traces or manipulations on the keys, then there is no trace of a cloning procedure.

typical copy trace on a mechanic key

key shell with production date March 2006 – the car was built in 2008

manipulation on microchips

modification at the roll pin

An opened key shell, a changed transponder, a modified key blank: a good lock expert will find this and it can be assured. Finding these manipulations depends on the knowledge of the thief.

Manipulations of the original key are easy to verify. You have to read the transponder IDs of the keys.

- do they have a logical record number?

- do they belong to that type of car?

- do they match the registered IDs from the manufacturer?

For an expert it is necessary to read all information from a key. In this area a big field of fraud is possible.

Just how reliable is data from a key?

a. Transponder IDs

- very authentic at this moment. The transponder copy or clone machine generates a new transponder code and writes it into the universal transponder. The new transponder code is approximately exact. The code is effectual to start the car, but differs from the codes you have from the factory.

- Conclusion: the transponder codes from the factory keys can be matched quickly and authentically to the VIN of the car.

b. Date and time of the last use of a car key using the example of a BMW car.

1. Readout of an original key:

- last use on March 09th, 2013, 07:35

- last odometer reading = 71.647 km

- key reading date = March 13th, 2013, time = 11:38

2. We manipulate the date and the time at the on-board computer.

- set date to March 11th, 2013

- set time to 10:41 ( - 1 hour)

- driving 8 km with speed > 40 km/h

- put the key into the key reader and get new data

3. Readout of the original key:

- last use on March 11th, 2013, 10:41

- last odometer reading = 71.650 km

- key reading date = March 13th, 2013, time = 11:52

There is a difference in date and time between the real time and the time which is written into the key!

Conclusion: if you use the key reader and read the data of an original BMW key, the data can be right, but it can be false too. If the date and time of the on-board computer are wrong (intentionally or by mistake), the date and time of the last use of the key are not the real date and time.

If date and time are ok, there can be a difference in the mileage too. The on-board computer doesn’t write the data into the key every time. You have to drive a distance of approximately 10 km and the speed has to be > 40 km/h.

In case of a car theft you always have to prove the circumstances.
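
Added example (not part of the original slides): a Python sketch that bounds the error of the on-board clock from two successive key readouts, using the values of the BMW experiment above. The class and function names are hypothetical, and “71.647 km” is read as 71,647 km.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class KeyReadout:                 # hypothetical record, not a key-reader format
    last_use: datetime            # timestamp stored in the key (car clock)
    odometer_km: int              # mileage stored in the key
    read_at: datetime             # examiner's clock at the readout

def key_was_rewritten(first, second):
    """True if the car wrote new data into the key between the two readouts."""
    return (first.last_use, first.odometer_km) != (second.last_use, second.odometer_km)

def clock_offset_minutes(first, second):
    """Bounds (min, max) of car clock minus real time, in minutes.

    If the key changed between the readouts, the real write time lies in
    [first.read_at, second.read_at]; returns None if the key is unchanged.
    """
    if not key_was_rewritten(first, second):
        return None
    lo = second.last_use - second.read_at
    hi = second.last_use - first.read_at
    return int(lo.total_seconds() // 60), int(hi.total_seconds() // 60)

def findings(first, second, tolerance_min=5):
    notes = []
    for label, r in (("first", first), ("second", second)):
        if r.last_use > r.read_at + timedelta(minutes=tolerance_min):
            notes.append(f"{label} readout: stored last use lies after the readout")
    if second.odometer_km < first.odometer_km:
        notes.append("stored odometer decreased between readouts")
    bounds = clock_offset_minutes(first, second)
    if bounds and not (bounds[0] - tolerance_min <= 0 <= bounds[1] + tolerance_min):
        notes.append(f"car clock differs from real time by {bounds[0]} to {bounds[1]} min")
    return notes

# Values from the slides above ("71.647 km" read as 71,647 km).
FIRST = KeyReadout(datetime(2013, 3, 9, 7, 35), 71647, datetime(2013, 3, 13, 11, 38))
SECOND = KeyReadout(datetime(2013, 3, 11, 10, 41), 71650, datetime(2013, 3, 13, 11, 52))

if __name__ == "__main__":
    for note in findings(FIRST, SECOND):
        print(note)
```

The key content changed between the two readouts, yet the stored last-use time lies two days before the first readout, so the stored time cannot be taken as real time.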

If the car is recovered after vehicle theft, there are approved procedures of a car examination:

– manipulation of VIN numbers

– lock examination

– traces of force

– how was the car stolen? Spare key, replaced key, copy, without a key or manipulation?

– how was the lock overridden? Tools, knowledge of the tumblers

– traces

– examination results

manipulation at a car door cylinder

Today:

Modern car thieves won’t steal a car with a hammer or a big steel wire to open it, or with a drill or a solid screwdriver to overcome the ignition. Modern thieves will steal it with small opening tools and a laptop. They open the car with an opening tool, put the adaptor to the OBD-port and run a special program to get into the car system. Each manufacturer has its own way to program a new key into the system. Some differ in a few programming points, others are the same.

An OBD port in a car

An OBD reader

Sometimes you “tell” the system that a new key has to be programmed (and you need a key or a key-like instrument to put it into the ignition lock or a slot). For keyless go systems it is enough to tell the system that a “key” is near and the car will start.

In some cases the investigator is able to find “traces” in the on-board computer, but mostly the intruding program leaves no trace in the system.

Evidence of a manipulation:

- The ECU (electronic control unit) and other components of the immobilizer system (dashboard) can be read by specialists.

- Door and ignition locks can be investigated via microscope for traces of picking or manipulation.

- A damaged door lock alone is no evidence for a car theft.

- I am sure that many insurance companies will insure a car theft and the results of the theft if the car is recovered and the door lock is damaged.

- Many other things are disregarded: “Is it possible to drive off a car when only a door lock is damaged?”

What is the situation today?

-transponder types – fixed, rolling, encrypted codes

-processing power

-many systems can be duplicated

-manipulations at keys or at cars

-do telematics facilitate car thefts in the near future?

-is car hacking something new?

-key immobilizer hacking – and the court

different types of transponders

cloning or copying of transponders

Discussion:

The questions on the latest sheet are for discussion.

Immobilizer hacking is nothing new. From a minority method it became a dominant method to steal the most targeted models in Europe and probably the States too.

Thank You !

Manfred Krämer

Car lock expert

Osnabrücker Str. 104

D-32312 Lübbecke

Germany

www.lock-expert.de