On this year’s IAATI – Seminar I gave a talk about modern car locks and revealed some details of my work with lock-mechanics and key-transponders.
A small history in car locks.
Former car locks had bad security systems. In Germany the locks had single sided wafer tumblers, 4 or 5. In England the locks had pin tumblers (in Germany only Porsche had it). There are only a handful of lock manufacturers, which produced car locks. The security only depends between different keyways. The Swedish car industry set on more tumblers or the higher class cars on pin tumblers. Nobody talks about picking or lock bumping. Most of the times when a car was stolen, the reason was joyriding.
As the car theft rate raised up, the insurance companies had to tell the car industry to make the car locks safer. That was sometimes a hard job, due to the car lock engineers, who don‘t believe, that their car locks can be overcome by picking or something else.
The parallel progress at the lock experts are as follows:
(A sample of an approved procedure of a key examination)
The car is stolen – the keys are analyzed:
- are the keys originals, factory replacements or duplicates?
- in the past we had mechanical copy traces
- pictures of traces
The insurance companies are under pressure. The theft rate of cars raised up. But are all car thefts real or do they commit fraud?
If a car was stolen the keys are collected by the police, given to the insurance sent to the experts like Gerrit, Rene and myself and a few others who are able to read traces. With special equipment we look after copy traces, proof whether the keys are the originals and the most important thing:
“Do the delivered keys belong to that stolen car?”
If I don‘t know how often an insurance company has paid for a „theft“ of a car without an investigation of the keys. It have been millions and millions of Euros. In the early 80th to the mid 90th cars are „stolen“ with an original key or with a good copy at a rate of 80 percent. To find the traces with a microscope and to look at the important locations, was the task of a good lock-expert.
Another sample of an approved procedure of a car examination.
The car is recovered after vehicle theft:
- manipulation of VIN numbers
- lock examination
- traces of force
- how was the car stolen? Spare key, replaced key, copy, without a key or manipulation?
- how was the lock overridden? Tools, knowledge of the tumblers
- traces
- examination results
If a stolen car is found and recovered a look at the car and the latching device is profitable. The traces we found or not found can be interpreted in different ways. The car was opened with an opening tool or with a convenient key. But if the car is not at hand and not found with GPS locating, then all we have are the keys. So let’s do our best.
As the pressure against the car lock industry was big enough, they modified their locks. At first they put more than 5 wafers into the lock, some do 6, 8 or 10 to 12 tumblers alternately into the lock to make it more secure. Before picking pin-tumbler locks became a favourite, car manufactures which used pin tumblers, don‘t change a thing. Later they realized, that the production of wafer tumbler locks was much cheaper.
In the early 90-th the car thefts raised up to new limits. Lock picks in thousands of differences are available on exhibitions or via internet. No lock and no car was secure anymore.
The thieves who were not able to pick locks, could open cars with commercial tools. To overcome an ignition lock, drills or sledge-hammers were used. Cars were no safes.
A handful of good mechanics are able to understand the mechanic in the different kind of locks. The main principle of picking is always the same. It depends on the Hobbs‘ opening principle (to take pressure on the rotor and to sort the tumblers into the right position). Only the art of tools differs. This good mechanics engineered different tools, which made it simple to open the locks.
Some locks are designed in a special way. The open and close direction with the key was normal. But to open the lock with a pick you first have to turn it into the locked position and then with a second tool into the unlocked position. To know the different lock constructions, to know what kind of tool is able to open the lock and what tool is unable and to know what kind of trace you can find and where to find the traces – that is the task of a good lock investigator.
With the right tool you will open the car in a minute, more or less. On newer cars you sometimes have to pick the lock twice because of the alarm system. If you only pick it once and open the car door, the alarm sound will start. Only the second pick disarms the alarm system and you are able to open the door without alarm sound.
A small journey to the USA:
A high rate of stolen sport cars „Chevrolet Corvette“ in the early 80th had occasioned the American lock manufacturers to produce a security ignition lock. First they made a mechanical style, a special armoured protection around the ignition lock with a non pick able lock, later 1984 they produced the first electronic system. The VATS (vehicle anti theft system) was integrated in the Corvette cars 1984. The theft rate broke down from 75 percent to 10 percent for this special car. But the European car industry ignored this trend. Finally ten years later the first electronic devices were integrated in normal cars in the European market.
Today
With the beginning of the electronic Anti-theft-systems VATS, PATS, WFS II, WFS III, NATS and all the other systems, the investigation experts had an additional field to work on.
How to overcome each system, a lot of different things have to be known, to be understood and to be guessed. A partner in this field was the key industry. In difference to the USA, where the car industry has no interest to produce additional or spare keys, the European car industry captured back the complete key segment market. For about 16 years the car industry told their customers, that only they are able to produce additional or spare keys for the customers cars. Which means that the key blank industry invests a lot of money in investigating how an Anti-theft-system works and produces cloning and copying systems for their partners, locksmith shops and security shops.
At first we had fixed coded transponders. The cars have a coded system, the keys have a fixed code. The key sends a signal, the car accepts the signal, the car starts.
Later we had rolling code systems. The key sends a code, the car accepts the code, sends a new (rolled) code and the key memorises the new code. At the second use, only the new code was accepted and so on.
Later they made encrypted codes from 16-bit to 256-bit in a system. It requires a big processing power to overcome these systems.
At this time we are talking:
- All fixed codes can be copied
- All rolling codes can be copied
- the Philips* crypto code I and II can be copied
- the Texas* crypto codes I and II can be copied
- all BMW crypto codes from 2003 to 2010 can be copied
- all Volvo encrypted codes can be copied
- a lot of other systems can be copied too
- they are working on the Megamos* crypto system…
So we can say, that about 80 to 85 percent of all installed Anti-theft-systems can be overridden to clone or copy the keys.
*Philips, *Texas, *Megamos are trademarks.
A completely different method , to overcome Anti-theft-devices in cars, is to tell the car :
„Hello, here am I and I like to drive this car. I am the right person and you have to start.“
At the moment it isn‘t as easy as it sounds, but if you are prepared with the proper knowledge, it will be easy.
But to open a car is not equal to driving a car. A few computer programmer knew how a car system works. Most newer cars have a board computer. The Anti-theft device is one of the components in the system. To make it easier for car garages and authorised repair shops the industry installs an „OBD“-interface in each car, first with different plugs, later with the same adapter in different cars.
Modern car thieves won’t steel a car with a hammer or a big steel wire to open it, or with a drill or a solid screwdriver to overcome the ignition. Modern thieves will steal it with small opening tools and a laptop. They open the car with an opening tool, put the adaptor to the OBD-port and run a special program to get into the car system. Each manufacturer has its own way to program a new key into the system. Some differs in a few programming points, some are the same.
Transscript
1. IAATI – Seminar 2012• Car Locking Systems• Opinion of an expert Manfred Krämer www.lock-expert.de IAATI 2012
2. My name is Manfred Krämer- 54 years old.- working in the field of security since 1979- member of ALOA since 1984- member of IAATI since 1994- working as an expert since 1986 Manfred Krämer www.lock-expert.de IAATI 2012
3. What am I doing?- key examinations- lock examinations- car opening- burglary analysis Manfred Krämer www.lock-expert.de IAATI 2012
4. Who are my customers?- insurance companies- courts- other car experts- locked out customers Manfred Krämer www.lock-expert.de IAATI 2012
5. General informations:Please ask your questions directly!The talk takes about 30 minutes. The complete handoutcan be downloaded from my website: www.lock-expert.deReferring to the talk there will be a live demonstration withRene and Gerrit and you are welcome to play with locks,tools and look after traces with a scope. Manfred Krämer www.lock-expert.de IAATI 2012
6. outline-past and today – progression in locks and in examination-sample of a key examination (approved procedure)-sample of a car examination (approved procedure)-electronic in cars and keys-demonstration of opening techniques Manfred Krämer www.lock-expert.de IAATI 2012
7. Isn’t it funny? Illegal to lock your car when parking!Manfred Krämer www.lock-expert.de IAATI 2012
8. past-car locks had bad security systems-Germany only 4 or 5 wafer tumblers-England had pin tumblers (in Germany Porsche)-only a handful of lock manufacturers produced car locks-the security depends between keyways-Swedish cars – more tumblers or pin tumblers (higher class)-no picking or lock bumping – only joyriding-the car theft raised up – pressure from the insurance companies-how safe are car locks? Manfred Krämer www.lock-expert.de IAATI 2012
9. past-analyzing keys of a stolen car-are the keys originals, factory replacements or duplicates?-comparison of VIN and key-no.-mechanical copy traces Manfred Krämer www.lock-expert.de IAATI 2012
10. copy trace on a standard car key – microscope viewManfred Krämer www.lock-expert.de IAATI 2012
11. pastAnalyzing the car after recovering:-traces at the latching device-manipulations at door or ignition locks-traces at the window and the weather stripping-copy traces at keys-traces at lock wafer tumblers Manfred Krämer www.lock-expert.de IAATI 2012
12. changings at the weather strippingManfred Krämer www.lock-expert.de IAATI 2012
13. looking for traces at the tumblersManfred Krämer www.lock-expert.de IAATI 2012
14. a plug – containing 8 tumblersManfred Krämer www.lock-expert.de IAATI 2012
15. past-pressure from the insurance companies-changing the locks – more tumblers-picking locks with special tools-drills or sledgehammers Manfred Krämer www.lock-expert.de IAATI 2012
16. pastParallel progress at the lock experts:-microscope investigations-special equipment-how to read traces-important locations of traces-real theft or fraud? Manfred Krämer www.lock-expert.de IAATI 2012
17. different types of lock picksManfred Krämer www.lock-expert.de IAATI 2012
18. today-different mechanical lock systems-picking – the Hobbs’ method-the art of tools differs-good mechanics engineered special tools for simpleopening locks Manfred Krämer www.lock-expert.de IAATI 2012
19. a modern lock opening toolManfred Krämer www.lock-expert.de IAATI 2012
20. today-special lock design – opening and close direction-different lock constructions-able and unable lock opening tools – court-where to find and kind of traces-alarm – to pick twice-task of a good lock investigator Manfred Krämer www.lock-expert.de IAATI 2012
21. today-anti theft systems-Chevrolet Corvette 1984-theft rate breaks down-what does the European car industry do?-first electronic devices in 1995 in the European market Manfred Krämer www.lock-expert.de IAATI 2012
22. today-VATS, PATS, EWS, FBS and so on-additional fields to work on for the experts-to understand different systems-the key industry in Europe and in the USA-cloning systems – partners Manfred Krämer www.lock-expert.de IAATI 2012
23. today-transponder types – fixed, rolling, encrypted codes-processing power-systems which can be duplicated-manipulations at keys or at cars Manfred Krämer www.lock-expert.de IAATI 2012
24. different types of transpondersManfred Krämer www.lock-expert.de IAATI 2012
25. cloning or copying of transpondersManfred Krämer www.lock-expert.de IAATI 2012
26. manipulation on microchipsManfred Krämer www.lock-expert.de IAATI 2012
27. manipulation at the OBD portManfred Krämer www.lock-expert.de IAATI 2012
28. manipulation at a car door cylinderManfred Krämer www.lock-expert.de IAATI 2012
29. opening a key plastic shellManfred Krämer www.lock-expert.de IAATI 2012
30. modification at the roll pinManfred Krämer www.lock-expert.de IAATI 2012
31. today-opening and driving a car-on board computer-anti theft device-OBD – interface (on board diagnostic)-programming keys with special software-dummies Manfred Krämer www.lock-expert.de IAATI 2012
32. today-modern car thieves-key-liked instruments-keyless go systems-how to interpret found or not found traces-examination results-only the keys are left Manfred Krämer www.lock-expert.de IAATI 2012
33. locks – opening techniques live demonstration lets go !Manfred Krämer www.lock-expert.de IAATI 2012
34. Thank You ! Manfred Krämer Car lock expert Osnabrücker Str. 104 D-32312 Lübbecke Germany www.lock-expert.deManfred Krämer www.lock-expert.de IAATI 2012