Guest Article: Transponders Bypassed?
by Thomas G. Seroogy,
Certified Forensic Locksmith
A 2005 VW Passat was reported stolen and was soon recovered. The steering column had been attacked, and the wiring on the back of the ignition switch was pulled off. The insured stated that law enforcement had told him the wires were pulled off of the ignition lock and hotwired to start and steal the vehicle. A forensic examination of the ignition lock and immobilizer system proved otherwise, and it was determined that the damaged wiring could not have been used to start the vehicle and was cosmetic in nature.
Every year this author conducts hundreds of forensic examinations on stolen-recovered vehicles that contain transponder-based immobilizer systems. Each of these examinations begs the question, “Was the immobilizer system bypassed and, if so, how?”
Before this question is answered, it must be stated that a transponder system is not impervious to attack and can, in fact, be bypassed.
In theory, the transponder-based immobilizer system is fairly simple. The system is comprised of a transponder key, a transceiver module/antenna, and the security module (usually located in the Engine Control Module, Powertrain Control Module, or Body Control Module).
The registered transponder key is inserted into the ignition and rotated to the ON position. Then the transceiver antenna, usually attached to the front of the lock, sends an inductive pulse to the transponder chip located in the head of the key. This pulse excites the transponder, which in turn sends the key’s unique digital ID back to the transceiver antenna. Upon receiving the key’s ID, the transceiver may confirm whether it is a registered key, or send it to the security module for interrogation. If the key’s ID is recognized, the vehicle is allowed to start and operate. If it is not recognized, the engine will not start.
This is a very simplified explanation of how the transponder system operates. The actual operations and characteristics of a given system are dependent on the year, make, and manufacturer of the vehicle.
There are two main categories of methods for defeating a transponder system: hard bypass methods and soft bypass methods.
Hard bypass methods circumvent the immobilizer by physically altering the system. Relay jumping and module swapping are examples of hard bypass techniques commonly used to steal early Ford, Toyota, Lexus, Acura, and Honda vehicles. In other words, the transponder hardware is physically replaced by the thief.
Soft bypass methods electronically circumvent the immobilizer system. These techniques either turn off the immobilizer system, create unauthorized programmed keys, or introduce information into the system that disarms the immobilizer function.
Due to advancements in immobilizer technology, relay jumping and module swapping are not efficient methods for stealing today’s vehicles. However, where advancements in immobilizer technology have made hard bypass techniques difficult to use, corresponding advancements in electronics have made soft bypass techniques more efficient and effective, even for the car thief.
Currently, there are four basic genres of soft bypass techniques: key programming, key cloning, factory bypass, and code stealing.
Recent research indicates that code stealing is especially effective on keyless entry cars. This technique uses an antenna to read the signal from the key fob when it is out of the car (say in a pocket while the driver is at a restaurant). The captured signal is then relayed back to the car, just as if the key fob was within disarming distance. The car is then started and driven away without the key fob.
Factory bypass is a method built into some models by the manufacturers as a way to rescue vehicles stranded by failed transponder systems, or lost keys. A bypass procedure, that includes entering a PIN, is performed to start the car, using just a mechanical key. As you can imagine, thieves can use various methods to obtain the PINs, and then steal the cars. Honda, Acura, Mitsubishi, and Ferrari are among those that include PIN bypass procedures.
Cloning a key is the electronic equivalent of duplicating a key. During the process of making a cloned key, both the mechanical cuts and the electronic ID of a working key are transferred to a new key. Being a direct duplicate or clone of the original working key, the cloned key is capable of starting and operating the vehicle without further programming.
Because cloning a key requires possession of a working key, the proper clone key blank, a cloning device, key cutting equipment, and, in some cases, the vehicle, its use to steal a vehicle might be limited. However, using a cloned key to steal vehicles is not unheard of, and should not be ignored or ruled out without cause by the auto theft investigator.
Of the soft bypass techniques available, the one presenting the most potential for quickly stealing an automobile is that of programming a new key into the vehicle using a transponder key programming tool and then either picking, force rotating, or extracting (such as with a slide hammer) the lock cylinder of the ignition assembly.
The most common aftermarket key programming tools sold in North America are Ilco’s TKO and Advanced Diagnostics’ T-Code Pro. More recently, there has been a surge of Asian-produced key programming tools on the market. These tools offer similar capabilities as the TKO and T-Code Pro, but are less expensive (from $300 to $800) and can be purchased over the Internet.
One of the interesting, and dangerous, characteristics of these tools is that they are capable of circumventing the key programming security features of most North American transponder systems. In essence, in the hands of a trained and experienced technician, these tools render the transponder system impotent, allowing the vehicle to be stolen in little more time than it takes to steal a vehicle without an immobilizer. Bypassed vehicles include Acura/Honda, Chrysler, Ford, GM, Mazda, Mitsubishi, Nissan/Infiniti, Subaru, Toyota/Lexus, and VW/Audi.
In light of the potential these tools have in stealing vehicles, it becomes extremely important that the auto theft investigator closely follow immobilizer and transponder key programming tool trends. Whether an investigation is focused on a chop shop, organized crime ring, or an individual, tool identity is an invaluable asset.
Finally, the good news is that despite the ability these tools have in bypassing the immobilizer system, their use is not invisible to a qualified forensic locksmith or security technician. Their use often leaves evidence behind for investigators to detect. In many cases, a properly trained examiner will be able to identify whether such programming tools were used in the theft of a stolen-recovered car.