This is a post I have been wanting to make for a while. It feels as though every day we see vehicle thefts continue to happen at an alarming rate – and automakers are somehow completely helpless. Surely, this has to be some major engineering challenge, and not the result of cheap/lazy automakers, right?
The attack vector
There are various attack vectors that modern cars are susceptible to, depending on manufacturer, model and model year. But in nearly every video I see, thieves drive away within a minute of approaching the car. How is this possible? These are the methods in common use:
- Key signal amplification (relay attack): "The driveway attack" uses a passive or active signal amplifier/relay to extend the key fob's effective range far enough that the car believes the key is present, so it unlocks and starts while the key sits inside the house.
- Key reprogramming: Using a factory-capable scan tool (typically an Autel unit) plugged into the OBD-II diagnostic port to pair a new key fob to the vehicle.
- BCM/ECM swaps: bringing modified modules that ignore inter-module anti-theft checks or already have a thief's key paired.
- Forced entry: the vehicle was left unlocked, or a window was smashed.
Physical access on its own lets you steal anything inside a car, but to drive the car away you need to satisfy two requirements:
- Physical access: obtained by breaking a window, or by key signal amplification.
- Start authorization: once inside, obtained by key reprogramming or by key signal amplification (an amplified key satisfies both requirements at once).
There are some notable exceptions:
- Kia somehow thought that shipping cars without immobilizers (and therefore without transponder-identified keys) as a cost-saving measure would go unnoticed. Once thieves realized these cars could be hotwired like it was the 1960s, it was game over.
- Some attacks have been very well engineered, like the CAN injection attack that hides a PIC microcontroller inside a JBL speaker shell: spliced into the CAN wiring, which is reachable from outside the car at the headlight assembly, it injects the messages the car expects from its own key-validation module and can unlock and start Toyota vehicles.
- Tesla vehicles use phone-as-key and owner-managed key enrollment (keys are added and removed from the car's own UI, with an optional PIN to Drive); they are also among the least stolen vehicles on the road.
Also, please tell those clueless Canadian lawmakers that the Flipper Zero does not help steal cars: its sub-GHz radio can record and replay a fixed-code remote, but modern fobs use rolling codes and the immobilizer still needs a paired transponder key. Thieves use signal relays and Chinese scan tools.
Why can’t we fix this?
So you might be wondering. If this is an issue that persists in brand new vehicles, what is the massive hurdle stopping auto manufacturers? Well, not really anything. Here are the two solutions I have seen:
- FCA (in response to Dodge/RAM/Jeep vehicles being stolen at unbelievable rates) gave customers the ability to lock their BCM so it never accepts a new key. If you need to program a new key or lose a key, you need a new BCM.
- Do nothing whatsoever.
The stupid simple solution
Add an artificial delay to the key programming procedure.
When the scan tool starts the key programming procedure, it must stay connected and keep the diagnostic session alive for 15 minutes, timed by the vehicle rather than by the tool, before a new key will be accepted. If the tool drops off the bus, the timer starts over. You could even spice it up and have the vehicle honk a few times or sound its chime during the wait, in case a thief is willing to sit in the car.
This truthfully would stop a majority of these thefts. Thieves are gaining access to the diagnostic port with scan tools or window smashing, programming a new key in 15 seconds, and driving away to their local street takeover. By simply making the process take a long time, you eliminate the vast majority of criminals, who want to be at the scene for as little time as possible.
I personally would go further and use the fancy new telematics capabilities (when a cellular/server connection is available) to require that the owner or a Ford tech authorize the transaction before the BCM accepts the key.
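To make the delay concrete, here is a simulation of the idea, written as an added example for this post (it is not vendor firmware). It models a BCM that only accepts a key-registration routine after the tester has held a live extended diagnostic session for the cooling-off period, and that drops the session (resetting the timer) when the tester stops sending keep-alives. The UDS service IDs (0x10 DiagnosticSessionControl, 0x3E TesterPresent, 0x31 RoutineControl) and the negative response code 0x37 requiredTimeDelayNotExpired are from ISO 14229; the routine ID 0xFF01 for "register key", the 15-minute delay and the 5 s keep-alive window are assumed values.

```python
"""Delayed key programming: a BCM-side state machine (added example, assumed IDs)."""

KEY_REG_ROUTINE = 0xFF01   # assumed RoutineControl routine ID for key registration
DELAY_S = 15 * 60          # 15 minutes, timed by the vehicle, not by the scan tool
S3_TIMEOUT_S = 5.0         # extended session drops if no TesterPresent arrives in time

NRC_SERVICE_NOT_SUPPORTED = 0x11
NRC_REQUEST_OUT_OF_RANGE = 0x31
NRC_REQUIRED_TIME_DELAY_NOT_EXPIRED = 0x37
NRC_SERVICE_NOT_SUPPORTED_IN_SESSION = 0x7F


class Bcm:
    def __init__(self):
        self.session = 0x01          # default session on power-up
        self.session_started = None  # when the extended session was opened
        self.last_activity = None    # last request seen in the extended session
        self.paired_keys = []

    @staticmethod
    def _neg(sid, nrc):
        return bytes([0x7F, sid, nrc])

    def handle(self, req: bytes, now: float) -> bytes:
        sid = req[0]
        # Tester went quiet: fall back to the default session and forget the timer.
        if self.session == 0x03 and now - self.last_activity > S3_TIMEOUT_S:
            self.session, self.session_started = 0x01, None

        if sid == 0x10:                           # DiagnosticSessionControl
            sub = req[1] & 0x7F
            if sub == 0x03 and self.session != 0x03:
                self.session_started = now        # timer starts when the session opens
            elif sub != 0x03:
                self.session_started = None
            self.session = sub
            self.last_activity = now
            return bytes([0x50, sub])

        if sid == 0x3E:                           # TesterPresent keeps the session alive
            self.last_activity = now
            return bytes([0x7E, 0x00])

        if sid == 0x31:                           # RoutineControl
            if self.session != 0x03:
                return self._neg(sid, NRC_SERVICE_NOT_SUPPORTED_IN_SESSION)
            self.last_activity = now
            rid = (req[2] << 8) | req[3]
            if rid != KEY_REG_ROUTINE:
                return self._neg(sid, NRC_REQUEST_OUT_OF_RANGE)
            if now - self.session_started < DELAY_S:
                # The vehicle, not the tool, decides when enough time has passed.
                return self._neg(sid, NRC_REQUIRED_TIME_DELAY_NOT_EXPIRED)
            self.paired_keys.append(bytes(req[4:]))
            return bytes([0x71, 0x01, 0xFF, 0x01])

        return self._neg(sid, NRC_SERVICE_NOT_SUPPORTED)


REGISTER_KEY = b"\x31\x01\xff\x01\xde\xad"        # constructed request: routine 0xFF01, key ID DEAD


def smash_and_grab():
    """Thief opens the session and immediately tries to register a key."""
    bcm = Bcm()
    bcm.handle(b"\x10\x03", now=0.0)
    return bcm.handle(REGISTER_KEY, now=2.0), bcm.paired_keys


def patient_tech():
    """Legitimate tool keeps the session alive for the full delay, then registers."""
    bcm = Bcm()
    bcm.handle(b"\x10\x03", now=0.0)
    t = 0.0
    while t < DELAY_S:
        t += 2.0
        bcm.handle(b"\x3e\x00", now=t)
    return bcm.handle(REGISTER_KEY, now=t), bcm.paired_keys


def thief_returns_later():
    """Thief leaves for 10 minutes without keep-alives: session gone, timer reset."""
    bcm = Bcm()
    bcm.handle(b"\x10\x03", now=0.0)
    return bcm.handle(REGISTER_KEY, now=600.0)
```

The important design choice is that the timer lives in the BCM and is tied to session liveness: a tool that is unplugged and plugged back in, or a thief who walks away and comes back, starts from zero. Pair this with a chime during the wait and the attack window goes from seconds to a quarter hour of sitting in a noisy car.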
Making my own
Evaluating existing options
I started looking into anti-theft solutions once I learned that my very own Infiniti Q50 is one of the most stolen vehicles in the city I live in. There were a couple of options to make my running car not be a running car.
- Fuel pump kill switch
- Start/stop button kill switch
- EcuTek no-run map
There are some issues though.
- I hate the idea of a fuel pump kill switch: if you forget to flip it, there is enough residual pressure in the line for the car to start and drive a short distance before leaning out and dying. Also, remote start won't work anymore.
- The start/stop button idea isn't bad, but it would need a relay that reconnects the button once the ignition is on so the car can still be shut off.
- The EcuTek no-run map would also break remote start.
Breaking remote start is simply not an option when it gets as cold as it does in Chicago.
My solution
I integrated a clean little trick into a module I am working on. It prevents the car from moving without authorization, catches and blocks key reprogramming, and keeps remote start working.
Preventing key programming
My module wakes up with the rest of the CAN bus and watches the BCM's diagnostic request ID. If it sees a request for the elevated diagnostic session that key reprogramming requires (or the security access and routine requests that follow it), it does three things:
- Fires the telematics CAN signal that triggers the vehicle alarm and the flashing lights
- Floods the BCM's response ID with fabricated negative responses (UDS 0x7F) so the scan tool sees the registration request fail and aborts it
- Requests a low-privilege (default) diagnostic session with the BCM, which drops any elevated session the tool had opened
To disable this for legitimate service, you must connect to my module over BLE and switch the protection off.
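The detection and counter-response logic, as an added example rather than the module's actual firmware. Frames are (arbitration ID, data) tuples as a CAN driver would hand them over; UDS requests ride in ISO-TP single frames, so the first data byte carries the payload length. The BCM request/response IDs, the alarm-trigger frame, the flood count and the sample bus log are all constructed for illustration; the Q50's real IDs are not on the page.

```python
"""CAN-side guard against key programming (added example; IDs and frames are assumed)."""
from dataclasses import dataclass, field

BCM_REQ_ID = 0x745   # assumed: tester -> BCM diagnostic request ID
BCM_RSP_ID = 0x765   # assumed: BCM -> tester diagnostic response ID
ALARM_FRAME = (0x6F0, bytes.fromhex("0100000000000000"))  # assumed telematics alarm trigger
FLOOD_COUNT = 16     # how many spoofed negative responses to fire per attempt

SID_SESSION_CONTROL = 0x10
SID_SECURITY_ACCESS = 0x27
SID_WRITE_DID = 0x2E
SID_ROUTINE_CONTROL = 0x31
NRC_CONDITIONS_NOT_CORRECT = 0x22


def parse_single_frame(data: bytes):
    """Return the UDS payload if data is an ISO-TP single frame, else None."""
    if not data or data[0] >> 4 != 0:
        return None                    # first/consecutive/flow-control frame: not handled here
    length = data[0] & 0x0F
    if length == 0 or length > len(data) - 1:
        return None
    return bytes(data[1:1 + length])


def is_programming_request(payload: bytes) -> bool:
    """Anything that escalates beyond the default session, or writes/unlocks, is suspect."""
    sid = payload[0]
    if sid == SID_SESSION_CONTROL:
        return len(payload) > 1 and (payload[1] & 0x7F) != 0x01
    return sid in (SID_SECURITY_ACCESS, SID_WRITE_DID, SID_ROUTINE_CONTROL)


@dataclass
class Guard:
    enabled: bool = True                      # cleared over BLE by the owner before service
    events: list = field(default_factory=list)

    def on_frame(self, arb_id: int, data: bytes) -> list:
        """Return the frames to transmit in response to one received frame."""
        if not self.enabled or arb_id != BCM_REQ_ID:
            return []
        payload = parse_single_frame(data)
        if payload is None or not is_programming_request(payload):
            return []
        sid = payload[0]
        self.events.append(payload.hex())
        out = [ALARM_FRAME]
        # Negative response spoofed from the BCM's own ID: 03 7F <sid> 22, padded to 8 bytes.
        neg = bytes([0x03, 0x7F, sid, NRC_CONDITIONS_NOT_CORRECT]) + b"\x00" * 4
        out += [(BCM_RSP_ID, neg)] * FLOOD_COUNT
        # Knock the tool back to the default session: 02 10 01.
        out.append((BCM_REQ_ID, bytes([0x02, SID_SESSION_CONTROL, 0x01]) + b"\x00" * 5))
        return out


# Constructed bus log: benign traffic, a VIN read, then the start of a key-programming flow.
SAMPLE_BUS = [
    (0x002, bytes.fromhex("1234000000000000")),          # ordinary broadcast frame
    (BCM_REQ_ID, bytes.fromhex("0322F19000000000")),     # ReadDataByIdentifier F190 (VIN): benign
    (BCM_REQ_ID, bytes.fromhex("0210030000000000")),     # DiagnosticSessionControl extended
    (BCM_REQ_ID, bytes.fromhex("0227010000000000")),     # SecurityAccess requestSeed
    (BCM_REQ_ID, bytes.fromhex("1012310100000000")),     # ISO-TP first frame: ignored by this parser
]


def run(bus, enabled=True):
    guard = Guard(enabled=enabled)
    tx = []
    for arb_id, data in bus:
        tx.extend(guard.on_frame(arb_id, data))
    return guard.events, tx
```

Two caveats a practitioner should keep in mind. First, the spoofed 0x7F only wins the race if the tool sees it before the genuine positive response from the BCM, which is why the guard floods rather than sending once and also requests the default session. Second, the parser above ignores multi-frame ISO-TP requests; a production guard should reassemble them, since a long WriteDataByIdentifier would otherwise slip past.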
Authorizing a drive
- When the car is first started, it is in an armed state. In this state the module keeps sending BCM diagnostic override requests that hold the shift-inhibit solenoid engaged, so the shifter cannot leave Park.
- The user enters a steering wheel cruise control and/or paddle switch combination to disarm the system (for example, cruise up/down/up or paddle -/+/-/-).
- The BCM diagnostic override is aborted, returning control to the BCM's normal logic, which allows shifting when the brake is held.
This works great. To be fully secure it does require a block-off plate over the manual shift-lock override, since that release mechanically bypasses the solenoid, but for my purposes I am extremely happy.
Another feature I am working on is a steering switch combination to re-arm the system once you've driven. This lets you leave the car running while you go inside somewhere without letting someone jump in and drive away.
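The arm/disarm logic, including the re-arm combination, as an added example and not the module's own code. It shows the parts the bullets above leave implicit: the override must be re-sent on a timer while armed, the combination must be entered within a short window, and a thief mashing buttons should hit a lockout rather than get unlimited guesses. The button names, both sequences, the 10 s entry window, the 0.5 s override period, the 12-press lockout and the override payload bytes are all assumptions for illustration.

```python
"""Drive-authorization state machine with re-arm and guess lockout (added example, assumed values)."""

DISARM_SEQ = ("cruise_up", "cruise_down", "cruise_up")                     # assumed combination
REARM_SEQ = ("paddle_down", "paddle_up", "paddle_down", "paddle_down")      # assumed combination
ENTRY_WINDOW_S = 10.0        # the whole combination must be entered within this window
OVERRIDE_PERIOD_S = 0.5      # how often the shift-inhibit override is re-sent while armed
MAX_FAILURES = 12            # wrong presses while armed before input is ignored for a while
LOCKOUT_S = 60.0
SHIFT_INHIBIT_OVERRIDE = b"\x2f\xc0\xde\x03\x01"   # assumed IOControlByIdentifier payload


class DriveGuard:
    def __init__(self):
        self.armed = True            # armed on every start, including remote start
        self.pressed = []            # (timestamp, button) history inside the entry window
        self.failures = 0
        self.lockout_until = 0.0
        self.last_override = None

    def _matches(self, seq, now):
        # Drop presses that aged out, then compare the most recent presses to the sequence.
        self.pressed = [(t, b) for t, b in self.pressed if now - t <= ENTRY_WINDOW_S]
        tail = tuple(b for _, b in self.pressed[-len(seq):])
        return tail == seq

    def on_button(self, button: str, now: float) -> bool:
        """Feed one steering-wheel button press; returns the armed state afterwards."""
        if now < self.lockout_until:
            return self.armed                      # brute-force lockout: ignore input
        self.pressed.append((now, button))
        if self.armed:
            if self._matches(DISARM_SEQ, now):
                self.armed, self.pressed, self.failures = False, [], 0
            else:
                self.failures += 1
                if self.failures >= MAX_FAILURES:
                    self.lockout_until = now + LOCKOUT_S
                    self.failures = 0
        elif self._matches(REARM_SEQ, now):
            self.armed, self.pressed = True, []
        return self.armed

    def tick(self, now: float):
        """Called periodically; returns the override payload to send, or None."""
        if not self.armed:
            return None                            # disarmed: BCM's own logic controls the solenoid
        if self.last_override is None or now - self.last_override >= OVERRIDE_PERIOD_S:
            self.last_override = now
            return SHIFT_INHIBIT_OVERRIDE
        return None


def disarm_then_rearm():
    """Owner disarms, drives, then re-arms before stepping away from the running car."""
    g = DriveGuard()
    at_start = g.tick(0.0)
    for t, b in [(1.0, "cruise_up"), (1.2, "cruise_down"), (1.4, "cruise_up")]:
        armed = g.on_button(b, t)
    after_disarm = g.tick(2.0)
    for t, b in [(60.0, "paddle_down"), (60.2, "paddle_up"), (60.4, "paddle_down"), (60.6, "paddle_down")]:
        armed_again = g.on_button(b, t)
    after_rearm = g.tick(61.0)
    return at_start, armed, after_disarm, armed_again, after_rearm


def too_slow():
    """Correct buttons, but the first press aged out of the entry window."""
    g = DriveGuard()
    g.on_button("cruise_up", 0.0)
    g.on_button("cruise_down", 5.0)
    return g.on_button("cruise_up", 20.0)


def brute_force():
    """A thief mashes buttons, trips the lockout, and then even the right sequence is ignored."""
    g = DriveGuard()
    for i in range(MAX_FAILURES):
        g.on_button("cruise_up", 0.1 * i)
    for t, b in [(2.0, "cruise_up"), (2.2, "cruise_down"), (2.4, "cruise_up")]:
        still_armed = g.on_button(b, t)
    return still_armed
```

A three-press combination over a handful of buttons is a small search space, which is why the lockout matters more than the sequence itself; the alarm trigger from the key-programming guard could equally be fired once the lockout trips.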