For the annual IAATI – Seminar, I gave a talk about next-gen car keys and a forensic view to a key hole.


1. IAATI – Seminar 2013 • Car Keys – The next Generation • A forensic view to a key hole Manfred Krämer IAATI 2013

2. My name is Manfred Krämer – 55 years old. – working in the field of security since 1979 – member of ALOA since 1984 – member of IAATI since 1994 – working as an expert since 1986 Manfred Krämer IAATI 2013

3. What is my job? – key examinations – lock examinations – car opening – burglary analysis – safe opening and safe service – transponder technique Manfred Krämer IAATI 2013

4. Who are my customers? – insurance companies – courts – other car experts – locked out customers Manfred Krämer IAATI 2013

5. General information: Please ask your questions directly! The talk takes about 40 minutes. The complete handout can be downloaded from my website: Referring to the talk there will be a live demonstration with Gerrit and Rene and you are welcome to play with locks, tools and look after traces with a scope. Manfred Krämer IAATI 2013

6. Outline -variation of keys -transponder technique -creating a new car key -the handicap for the forensic expert -reliability of information from a key -steps to steel a car -demonstration of opening techniques Manfred Krämer IAATI 2013

7. 1. Variations of car keys What kind of keys do we have at cars? -Mechanical keys: standard blade without a transponder discontinued models at older cars partially present at trucks, tractors, construction machines, motorbikes, boats and planes. These keys have the minimum security standard and can be copied in simple ways. Similar situation at the ignition locks, they can be picked with basic tools. Manfred Krämer IAATI 2013

8. standard keyblade – cuts on both sides Manfred Krämer IAATI 2013

9. a simple copy machine Manfred Krämer IAATI 2013

10. picking tools for door or ignition locks Manfred Krämer IAATI 2013

11. – Mechanical car keys with transponder: a. conventional cutting medium to low level of security b. two- or four track internal or external cutting medium to high level of security, different for types and models at the ignition locks With suitable tools the locks can be overcome! Manfred Krämer IAATI 2013

12. car keys with tranponder Manfred Krämer IAATI 2013

13. a modern lock opening tool Manfred Krämer IAATI 2013

14. – electronic keys or “keyless go” keys or cards the mechanic has only a minor rule the locks at the car (drivers door and trunk) have a medium security standard mounted within the cars are electromechanical or electronic ignition devices the keys or cards are either put into a slot or a clamp or you only have a start button there is no ignition lock in the dashboard Manfred Krämer IAATI 2013

15. keyless go card – electronic key Manfred Krämer IAATI 2013

16. The transponder technique of the car manufacturers differs. In the past we had a more or less conformance in the mechanics. With the transponder technique we live in a “multi-verse”. Most of the manufacturers created their own system. We are currently at the 30th or 35th transponder version. Daimler (Mercedes) – except trucks – works with their systems FBS-3 and FBS-4 without a transponder. Manfred Krämer IAATI 2013

17. One of the newest techniques for lock opening and closing is NFC (near field communication). The technology depends on RFID and Bluetooth. It is possible to open car doors or locks with a smartphone. The key copy market: Opposed to the car industry, which is working with many different systems, the trend in the key copy marked is the “universal copy technique”. Manfred Krämer IAATI 2013

18. In this copy technique an “universal” transponder is used. This transponder has many functions. -equipped with a read/write module -works without a battery and gets its power from the ignition lock of the car -records basic information at the copy process with cloning machines -interchanges communication data with the ECU (engine control unit) Manfred Krämer IAATI 2013

19. A special software calculates from the data of the original key, the data from the ECU and some basic data a new transponder code. This code is written into the universal transponder. The universal transponder considers the different existing systems. With this method one transponder can be used for most existing immobilizer systems. Manfred Krämer IAATI 2013

20. The TK 100 Bianchi transponder and the Bianchi 884 cloning machine. Manfred Krämer IAATI 2013

21. – Essential benefit for the locksmith industry: only a few transponder heads and a variety of horseshoe blanks are necessary to copy 80 to 90 per cent of the car keys on the market. a horseshoe blank Manfred Krämer IAATI 2013

22. – Essential disadvantage for the insurance companies or for the experts: This technique is unverifiable If the car is stolen, the only thing the insurance company gets are the original keys and the VIN number. If you don’t have any copy traces or manipulations at the keys then there is no trace of a cloning procedure. Manfred Krämer IAATI 2013

23. typical copy trace on a mechanic key Manfred Krämer IAATI 2013

24. key shell with production date March 2006 – the car was build in 2008 Manfred Krämer IAATI 2013

25. manipulation on microchips Manfred Krämer IAATI 2013

26. modification at the roll pin Manfred Krämer IAATI 2013

27. An opened key shell, a changed transponder, a modified key blank, a good lock expert will find this and it can be assured. Finding these manipulations depends on the knowledge of the thief. Easy verifiable are manipulations of the original key. You have to read the transponder id’s of the keys. – do they have a logical record number? – do they belong to that type of car? – do they match with the registered id’s from the manufacturer? Manfred Krämer IAATI 2013

28. For an expert it is necessary to read all information of a key. In this area a big field of fraud is possible. Just how reliable is data from a key? a.Transponder id’s – very authentic at this moment. The transponder copy or clone machine generates a new transponder-code and write it into the universal transponder. The new transponder-code is approximately exact. The code is effectual to start the car, but differs in the codes you have from the factory. – Conclusion: the transponder-codes from the factory keys could be matched quickly and authentically to the VIN of the car. Manfred Krämer IAATI 2013

29. b. Date and time of the last use of a car key using the example of a BMW car. 1. readout of an original key: – last use at March, 09th,2013, 07:35 – last odometer reading = 71.647 km – key reading date = March, 13th,2013 time =11:38 Manfred Krämer IAATI 2013

30. b. Date and time of the last use of a car key using the example of a BMW car. 2. We manipulate the date and the time at the on-board computer. -set date at March, 11th,2013 -set time at 10:41 ( – 1 hour) -driving 8 km with speed > 40 km/h -put the key into the key reader and get new data Manfred Krämer IAATI 2013

31. b. Date and time of the last use of a car key using the example of a BMW car. 3. readout of the original key: – last use at March, 11th,2013, 10:41 – last odometer reading = 71.650 km – key reading date = March, 13th,2013 time =11:52 There is a difference in the date and time between real time and time, which is written into the key! Manfred Krämer IAATI 2013

32. Conclusion: if you use the key reader and read the data of an original BMW key – the data can be right, but it can be false too. If the date and time of the board computer is wrong (intentionally or by mistake) the date and time of the last use of the key is not the real date. If date and time is ok, there can be a difference in the mileage too. The board computer doesn’t write the data into the key every time. You have to drive a distance of approximately 10 km and the speed has to be > 40 km/h. In case of a car theft you always have to proof the circumstances. Manfred Krämer IAATI 2013

33. If the car is recovered after vehicle theft, there are approved procedures of a car examination: – manipulation of VIN numbers – lock examination – traces of force – how was the car stolen? Spare key, replaced key, copy, without a key or manipulation? – how was the lock overridden? Tools, knowledge of the tumblers – traces – examination results Manfred Krämer IAATI 2013

34. manipulation at a car door cylinder Manfred Krämer IAATI 2013

35. Today: Modern car thieves won’t steel a car with a hammer or a big steel wire to open it, or with a drill or a solid screwdriver to overcome the ignition. Modern thieves will steal it with small opening tools and a laptop. They open the car with an opening tool, put the adaptor to the OBD-port and run a special program to get into the car system. Each manufacturer has its own way to program a new key into the system. Some differ in a few programming points, others are the same. Manfred Krämer IAATI 2013

36. An OBD port in a car Manfred Krämer IAATI 2013

37. An OBD reader Manfred Krämer IAATI 2013

38. Sometimes you „tell“ the system that a new key has to be programmed (and you need a key or a key-liked instrument to put it into the ignition lock or a slot). For keyless go systems it is enough to tell the system that a „key“ is near and the car will start. In some cases the investigator is able to find „traces“ in the board computer but mostly the intruding program leaves no trace in the system. Manfred Krämer IAATI 2013

39. Evidence of a manipulation: -The ECU (electronic control unit) and other components of the immobilizer system (dashboard) can be read by specialists. -Door – and ignition locks can be investigated via microscope for traces of picking or manipulation. -A damaged door lock alone is no evidence for a car theft. -I am sure that many insurance companies will insure a car theft and the results of the theft if the car is recovered and the door lock is damaged. -Many other things are disregard: “ Is it possible to drive off a car when only a door lock is damaged? Manfred Krämer IAATI 2013

40. What is the situation today? -transponder types – fixed, rolling, encrypted codes -processing power -many systems can be duplicated -manipulations at keys or at cars -do telematics facilitate car thefts in the near future? -is car hacking something new? -key immobilizer hacking – and the court Manfred Krämer IAATI 2013

41. different types of transponders Manfred Krämer IAATI 2013

42. cloning or copying of transponders Manfred Krämer IAATI 2013

43. Discussion: The questions on the latest sheet are for discussion. Immobilizer hacking is nothing new. From a minority method it became a dominant method to steel the most targeted models in Europe and probably the States too. Manfred Krämer IAATI 2013

44. Thank You ! Manfred Krämer Car lock expert Osnabrücker Str. 104 D-32312 Lübbecke Germany Manfred Krämer IAATI 2013

IAATI – Seminar 2013