Schneier on Security
A blog covering security and security technology.
« Vehicle Tracking in the UK |
| Idiotic Article on TPM »
December 23, 2005
Car Thieves Adapt
Because automobile security devices are so effective, some car thieves are breaking into people's homes in order to steal the keys.
He said modern cars with electronic keys and immobilisers were putting car thieves out of business -- but the thieves were adapting.
If a car thief wants to steal a modern car, they need the keys.
Posted on December 23, 2005 at 6:21 AM
• 47 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
People *still* leave their keys in the car while shopping?
This is an incredibly interesting security problem.
In trying to stop cars being stolen we've actually increased the risk of another (more serious) crime taking place.
I'd much rather have my car stolen than have my house broken in to. First of all, my car is insured. While my premiums will likely go up if the car is stolen, the vast majority of the liablity has been transfered to the Insurance company.
Naturally, I don't want my car to be stolen but I'm much more adverse to someone breaking in to my house. An intruder in my house is far more worrying than having my car stolen. I'd gadly take the hit on my premiums to avoid that problem.
It's interesting that by how solving one set of security problems you can create a whole new set of unanticipated problems. I think the moral of the story is that stopping one type of attack is easy; making the attack so hard that the attacker gives up is much much harder.
Another unfortunate by-product of increased security in cars is the increase in car-jacking. Google for "carjacking increase" and you'lll see stuff like this:
"Why is carjacking on the increase?
* It's a crime of opportunity - a thief searching for the most vulnerable prey. Sometimes it's part of another crime.
* Car thieves find it easier to steal a car while the owner is there - with the keys in the ignition - than to break into a car, especially if the car has an alarm.
* Cars equipped with sophisticated, built-in alarm systems and theft-deterrent devices are becoming harder to steal."
You wrote about this in Beyond Fear:
Schneier on Security: Security Risks of Biometrics
April 01, 2005
Security Risks of Biometrics
From the BBC:
Police in Malaysia are hunting for members of a violent gang who chopped off a car owner's finger to get round the vehicle's hi-tech security system.
The car, a Mercedes S-class, was protected by a fingerprint recognition system.
What interests me about this story is the interplay between attacker and defender. The defender implements a countermeasure that causes the attacker to change his tactics. Sometimes the new tactics are more harmful, and it's not obvious whether or not the countermeasure was worth it.
I wrote about something similar in Beyond Fear (p. 113):
Someone might think: "I am worried about car theft, so I will buy an expensive security device that makes ignitions impossible to hot-wire." That seems like a reasonable thought, but countries such as Russia, where these security devices are commonplace, have seen an increase in carjackings. A carjacking puts the driver at a much greater risk; here the security countermeasure has caused the weakest link to move from the ignition switch to the driver. Total car thefts may have declined, but drivers' safety did, too."
This is not new... happened to my parents about 12 years ago. Keys are nearly always somewhere in the vicinity of the door... My parents' particular story is interesting because of the way they found out the car was stolen... at around 7am they got a phone call from the police notifying them of the theft... that's because the thief had a fatal accident on the way to the chop-shop... the police told them it was a rare case of actually solving/closing a car theft crime!
Yeah, that happened with a friend of mine (house break-in to steal the car with laptop incidentally stolen in addition).
He came up with an interesting idea for the next time, it if happens. His idea is to park the car relatively far from the house and have a dummy car key always lying around in an obvious place in order to minimize the time the burglar would be in his house (the break-in occurred while he and his family were at home).
Keyed ignition locks were supposed to stop theft, but thieves figured out how to hotwire ignitions.
Door locks were supposed to keep thieves out of cars, but thieves figured out how to finesse the lock -- or just break a window or window crank mechanism.
Ignition locks were supposed to stop car theft, but thieves figured out how to defeat them, in the process breaking the ignition lock.
Car alarms were supposed to deter thieves, and mostly did, so carjacking started.
Now advanced car defenses are driving thieves to break into homes to steal the keys.
What's the next defense, keeping the car keys in a safe at home?
Then we'll have home invasion robberies to get all the keys ... and ....
A home invading key snatcher needs to consider the probability of encountering an armed homeowner. That probability ranges from roughly 0.0 to maybe 0.8 depending on the area.
Note well that the homeowner doesn't have to *shoot* the invader to dissuade him, but considering the potential threat to his life and the lives of others he may be well advised to do so.
This has been around since car security was improved. In my area theives were using canes/or similar to simply unhook the keys hung up by the door next to the coats.
I do in a sense. My car is a push button start. I made it that way so I wouldn't have to worry about a key. And I leave my car unlocked. There is nothing in it to steal. In any case I don't believe the security risk of having my car stolen outweighs the convenience I get from just getting in my car, pushing a button and driving. Nobody around here steals cars so there isn't a threat or risk.
IF it was stolen -- whatever. I'll get a new car.
I am intrigued by your ideas and wish to discuss them with you in person. Where do you live?
I remember hearing back during the first wave of car-jackings and home invasions that this was a result of removing shop classes from the standard high school cirriculum for boys.
I wonder if it occurs to people that the number of individuals willing to break into a home to steal the keys to the car, or to perform a carjacking, is probably lower than that number of people who will simply steal a car.
I don't have any firm numbers to back this up, but breaking into a home, or performing a car-jacking has a higher perception of risk to most people than does say, breaking into a car, and stealing it for a joyride.
Naturally this will not dissaude a professional car thief, but if you have this level of fear, perhaps buying the most common car available in your jurisidication would add a sense of security by reducing the desirability of the car, and further reducing the probability of your car being stolen or your home being targetted.
"I am intrigued by your ideas and wish to discuss them with you in person. Where do you live?"
Ah, but the trade-off is a reasonable one only because you don't know who he is or where he lives. I'm not convinced his trade-off is unreasonable; as long as a very small percentage of car owners do this, he gets the benefit of everyone else locking their cars.
For years I didn't bother to lock my car doors; it was too much of a bother. My new car has an electronic lock, so locking the car is kind of cool...but before then I never did. Same sort of trade-off.
"I wonder if it occurs to people that the number of individuals willing to break into a home to steal the keys to the car, or to perform a carjacking, is probably lower than that number of people who will simply steal a car."
I think it occurs to everyone. The question is, and it is a question, is whether the smaller number of more serious crimes -- carjacking is the best example here -- is better or worse than the larger number of traditional car thefts. I don't know the answer to that, but it's an interesting "revenge effect" that most people don't think of when they consider car-theft countermeasures.
Many years ago when I had a convertible, I never locked it. Did not want to give someone the incentive to slash to top to find what (generally nothing) that was inside.
My solution is not to drive a car worth stealing (at least in comparison to the rest in my neighborhood).
I leave my keys in random places around the house. It's not intentional, but since it often takes me a few minutes to figure out where they are, a thief is also unlikely to find them quickly.
I also always lock the door behind me when coming and leaving, unless I'm taking out the trash to the Dumpster, which is about 40 feet from my door and in clean line of sight. Even when going to the mailbox or laundry, only to be gone for a few minutes, it gets locked. It's a reflex reaction now, and not an inconvenience at all.
My car gets locked whenever I leave it, and I have a LoJack on it. A professional will probably be able to deal with that quickly, but the average thief will probably not. I rarely leave anything more than a book and a few CDs in it, so there's little of value aside from the car for anyone interested, and it becomes (hopefully) a painful inconvenience for me as long as I notice it gone relatively soon after it's stolen -- which I've not had to deal with yet. Sort of like losing a hard drive when the backup is recent.
There is a car security solution that uses a uniquely wired wrap plug to connect a bunch of cables in your car. You need the wrap plug to start the car, and the number of wiring combinations is large enough that it is a serious deterrent... But stealing your keys would give you the wrap plug. I can't remember the name but I'm sure you can google it if you're interested.
For early Mustangs they are very easy to start without the keys, and most people with convertibles don't lock them because they would rather not have the top slashed. The nicest solution I have seen is the T-lock which replaces your standard gear shifter with an almost identical one that can be locked in place. Someone can start your car easily and then sit there looking stupid... Again, have your keys stolen and it's useless.
Of course the one thing that I was always surprised at is how few car thieves use some kind of car carrier to steal cars. If the Repo man can do it in a few seconds then what is to stop a car thief. I would imagine it would have to be disguised in some manner but it should be possible... Or I guess they could just claim that they were with Overhaulin' (a TV program that "steals" classic cars and then renovates/customises them and returns them)
What did they used to do to horse thieves? Why, they hung them of course.
Car theft is too lightly punished. When you read of some criminal getting arrested for their 20th, 30th 40th time for car theft, you have to ask "Why are they still walking around breathing my air?".
Driving a ratty car is not an option. Some of us actually like to drive nice vehicles.
Fortunatly, I live in an area where car theft is not too common. Plus the thieves know that they are likely to get filled full of little holes if they break into someone's house.
The other problem is that law enforcement spends way too much time on items like making sure people have their seatbelts on, that they are not smoking in a resturant, that the strippers are staying 6 ft away from the customers, that you're not buying alcohol on Sunday, and so on and so on...
Many years ago I used to work with a guy who said his high-school passtime was to unlock cars on the street for fun. He was no more obsessive than anyone who had a teenage passtime, and spent time among a competitive group who tried to get the door open in under seven seconds. But what stood out to me is that they knew exactly which cars were most susceptible and they had a somewhat complex ranking system.
Once he explained the differences to me, I completely changed the way I look at the security of certain vehicles. Most consumers, I would say, have little/no idea of the vulnerability. They can set a value to their assets, and they might be able to gauge the threat(s) from the neighboorhood, but they are missing a very critical component to performing a risk calculation.
On the other hand, the thieves do know the vulnerabilities. Thus it makes sense to me that some would just give up and leave the car door unlocked -- if you do not know enough about how the thieves approach risk to know how to counter them effectively, you try and alter the equation so you have a better grasp of what the real risks are.
This aint a new problem in the UK, though there is a targeting one: they need to ID the house with the keys. Cars in the drive are therefore more vulnerable than cars parked in a busy street.
What is also common is burglary+car theft. After they break in your house, they look for car keys so your car can be used to drive off with the valuables. The model of car is unimportant here, as it is going to be torched once its job is done.
I have a friend who does the opposite. He *never* takes the key out of the ignition. If he's at all concerned when parking, he locks the doors but leaves the tailgate window unlocked, where there's a lock release inside.
I visited him one week, and at first it really bugged me, but I saw how liberating it was. He never worries about where his keys are, and when you get to the car you just hop in and go. So far, after a couple of years of doing this, nothing has ever happened.
But I still lock my car. :-)
If this is becoming common and you leave you keys in the car and it's stolen you can just claim that the thief must have come into your house and stolen the keys ... ergo, more people will leave their keys in the car and the theives will have easier targets again.
Driving the most popular or common make of car wouldn't necessarily help. Some of the most stolen vehicles are some of the most popular, the parts are more desireable and easier to resell. Old and undesireable cars are the way to go, nobody would steal a thirty year old Pinto, no matter how pretty it was or how well it drove.
Similar developments in motorcycle thefts. The brake locks that clamp onto the front rotor are designed to be a deterent, but one group of thieves looks for them, as it makes it easier to steal the motorcycle. A panel truck pulls up next to the bike, the door rolls up, 4 big guys with two steel rods jump down, slide the rods through the locked wheels, and then hoist it up into the truck, hop in after, and they drive off, to deal with the locks at their leisure.
I rarely see motorcycles actually locked TO anything, unlike bicycles.
My wife also once saw a cyclist come out of a store, to find both of his tires still locked to the rack, but the frame missing. The thief had used the quick disconnects in the hubs to steal the bike without the tires.
Also, bike theft in my area is so high that now the students at the university have switched to skateboards, since they can take them to class with them, instead of locked up outside, where they'll still get stolen...
There's lots of places where the risk of having your car broken into in order to have the contents stolen is much higher that the risk of having that car stolen.
I had friends who lived in one suburb of Sydney where it was common place to leave all the car doors unlocked because no one ever actually stole the cars, and it was easier to just make sure you left that car empty and unlocked than to deal with fixing the damage from having someone attempt to break into it.
When I lived in the inner-city I drove cheap cars but I kept them locked with the glovebox, ashtray, etc open. I locked it because I didn't want to come down in the morning and then have to chase away the people who had been sleeping in it.
As always it's about risk assessment.
In college, I had a boyfriend who made a few special modifications to his car. One was the "anti-theft" system. It would start up with a key just fine, but unless you did some special things with a panel that dropped out of the dash (that had to be manually dropped and activated), the car would stall 3 minutes later, and you wouldn't be able to restart it. The idea was to give the thief just long enough to get the car onto the street and attract attention when it stalled.
I liked the card theft prevention device on Bond's car. It would blow up to bits if someone broke a window to get in.
This is a pretty classic demonstration of the follies of trying to use technological fixes to solve a human problem. Rather than making cars harder to steal, we should be looking at ways to get rid of the car thieves.
Most car thefts are conducted by habitual or professional offenders. These people should not be walking around on the streets after they have demonstrated that they have no regard for society's laws. Lock them up for life, or just shoot them if imprisonment is inhumane or too costly. Wiping out the hard core of vehicle thieves would reduce losses dramatically.
With Moore's law constantly creeping along, how long will it be until two factor, continuous biometric authentication become a cost effective solution for securing your car?
The idea here (i'm I hope it's not too much overkill) is that when you are operating the vehicle's controls it regularly checks and rechecks a unique biometric about you or other authorized drivers.
However that is only "something you are", for true two factor authentication you still need "something you know", so a restricted view pin pad could be used that locks out after x many invalid attempts.
The system could support "guest" codes (or perhaps standard keys) (for friends and valets) that do not require the biometrics but time out after a customizable while or specified distance. Driver duress codes (for use in carjackings) could also be available that act just like the master code except they expire after just a few minutes and contact the authorities on the GPS enabled cell phone.
This does move the workaround to the engine compartment, where you replace the CPU/brains of the car with a more hospitable one or forces the thieves to steal tow trucks beforehand.
If we make the cars truely infeasable to steal, will these same criminals turn to other less desireable (to us) crimes such armed robbery or kidnapping?
To not make it harder is to be sheep for the slaughter, to make it hard in a non-thought though manner is to make us less secure overall.
If those are both true, what then does it say about making individual crimes harder in an effective way?
Would this make us safer overall?
One theft reduction system is the NZ *555 number - it connects to non-sworn Police who take reports of annoying drivers. This mostly good for calming people down, and sending letters to people asking them to drive more politely. A side effect is that habitual criminals seem to crop up disproportionately often, and when the number gets a series of reports about one vehicle close together they sometimes send out a cop car to have a look. Generally they bust the occupants for a variety of offenses, and often a seach of the residence produces more interesting convictions.
For a while I believe they also used to search the homes of bike thieves for the same reason. But that's a human rights violation now AFAIK.
The solution seems simple enough to me - the RFID key required to start my car will be in one of the cartridges loaded in my .357 Magnum. Here, Mr./Ms. Thief, let me fetch that for you...
@ Bill McGonigle,
If you agreed that your insurance would only cover losses if you made certain efforts and failed to uphold your end of the agreement, then the insurance company owes you nothing. Of course, lying to the insurance company is its own form of thievery.
And if the penalty for your thievery is similar to what the macho set have been advocating here, you'll be filled with little holes.
My security system /is/ the vehicle I drive. Nobody want's a Ford...
"What did they used to do to horse thieves? Why, they hung them of course."
The problem with this is that, from the criminal's perspective, auto theft is the same as mass murder. So once you're (provably) guilty of one, the other carries no additional deterrent.
It is a very good idea to have many levels of punishment, with death reserved for the most serious of crimes.
Just trolling through, interesting comments. I like the BF’s 3 minute rule :) For my truck I use two kill switches. One to the fuel pump, the other to the ignition. To trigger the starter you have to have the lights on. That circuit closes a relay the closes the original circuit to the starter. Thieves don't usually turn on the lights. The other is another switch, usually a stock auxiliary looking switch for the feul pump. Also if you never have the heater\blower ever off completely you can rig up a relay to that to activate your fuel pump. No fan no fuel. Another used a pin switch behind his ashtray; whenever he left his car he popped his ashtray a bit to release the pin switch. A little ingenuity goes a long way ;)
My pet peeve is how data theft is reported as theft of something physical. That's the way these stories like today's Marriott one are reported. It's like "the tapes" were stolen by some sort of jewel thief, or some queen's tiara fell off somewhere in the city during her bikeride across the city.
It seems like most times credit card databases like this are stolen by copying in a non-destructive way - perhaps lifting up an extra backup DVD lying around the office, or good old fashioned FTP of the list over internet. It sort of lets these sloppy companies off the hook by forcing them to disclose only the totally obvious cases - a "lost laptop or tape", or a company discovered to be scamming 1000s of credit reports for no legitimate reason, or a team of expert hackers from the underworld caught infiltrating an IT department.
Step 1: Suppurt the 2nd ammendment and buy a gun.
Step 2: Learn to use it. Go to the range and put a few holes into a silloette target.
Step 3: Hang said target on your front door.
Go on and burn me for promoting something like this, but if it comes down to breaking into my house, or breaking into the neighbor's where the sign on the door says "Welcome to the So-and-So House, Cookies and Smiles are free," I think you know who's door will be kicked down. I am not a violent person, I do not own "assault" weapons and I do not think there is any glory in shooting somebody. I simply beleive in a guy's right to make his home safe for his family.
If I recall the data correctly, home invasions (for any purpose, not just ripping off automobile keys) in Australia and the UK are up significantly since restrictions on private firearm ownership tightened.
One can't help but wonder whether these issues are connected.
Verrry interesting... people talking about offing someone for auto theft -- which is, after all, simply STUFF.
Personally, I don't care about STUFF -- if someone is determined to steal it, they are going to find a way. I would much rather they take the STUFF, then kill me and take the STUFF anyway. I can always get insurance (which is externalizing the risk to the set of people who buy insurance policies, not necessarily an insurance company) on STUFF if I find it necessary, to help offset the cost of replacing it.
Yes, I do lock the doors on my car, and take prudent precautions otherwise. However, I find it odd that folks would endorse the death penalty for theft of property, when we can't even agree on using it for multiple-murderers, child molesters, and other such undesirable types.
You don't recall the data correctly. First up, there has been no practical change to "restrictions on private firearm ownership" in any Australian state (I say this as a local).
Secondly, burglary (home invasions) is lower now that five years ago (indeed, as is most crime).
And this isn't a vague "recollection":
Australian Inst. Criminology
Apparently you'll find the US leads the world not only in gun ownership bu home burglaries, e.g. http://faculty.ncwc.edu/toconnor/301/... but it's getting better: http://www.ojp.usdoj.gov/bjs/glance/burg.htm
But don't let the facts get in the way of a good argument :-)
Interestingly enough I heard of this a few years ago in The Netherlands. Insurance companies were catching on as well: You want to pay less for the insurance of your new car? Upgrade the security system on the house!
anyone here that thinks car theifs should be shot for taking ur car.. should be shot. A car can be replaced, ur life can not. Doesnt matter if ur car is 1000$ or 1 million $ replace it.
Losing ur car is NOTHING compaired to the crimes of childmolesting, raping, murder, drug trafficing. Never compair such a petty crime to murder.
By giving car theif capital punishment or life in prisin that would just make people less scared to kill someone. thus opening a new gateway to more serious crimes.
I have recently had my car stolen, I may have either left my keys in the ignition (it was off) or lost them while trying to put them in my pocket. If the keys did so happen to be in the car, what do the insurance companies do (allstate). Will it be considered negligance, or just theft. Just wondering if I'll ever get a car back, and if not, will I still have to pay for the lost car. Any help would be GREATLY appreciated. Thank you
I have an expensive car that looks like an old car ... the components that make up the car are expensive. The engine, suspension, brakes, transmission, ... are all mopar parts but the body and the interior are average looking but well maintained. It has a low probability of theft because it is very distinctive looking and therefore not a good car for a thief who is trying to keep a low profile, and, well, it doesn't look like it is worth anything. I don't even lock it. I do however remove a key electrical component when I park it. It will not go anywhere unless they really know car electrical systems.
At this time I am testing a new security system for a company in Germany that(must remain nameless at this time) which utilizes hidden pinhead size hi rez cameras, optional page alert technology and GPS that will allow you to be notified directly and track your car as well as disable it through your cellphone and computer, there will be no need for systems such as lojack to notify you, how it works is in real time once the system is activated by movement or sound it begins to video relay the image of the thief in your car with date and time as well as locaton. So far we have had great success and expect to bring this to public use by early 2009. It will be expensive, but I believe being able to see who stole the car and where it goes will be of great benefit. This system will be compatible with all car alarms. There will be no indication such as window decals or sirens that could tip a thief off as to what type of security system you have installed. Stay tuned.
how about if someone take your keys and steal your car, will police still be able to find your car?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.