The manufacturer should maintain a root cert that can be used. If that root cert is compromised then they should have a way of rotating keys if the vehicle and physical keys are present. Breaches then constitute what amounts to a software recall, putting the onus on the manufacturer to report them or be held liable for thefts. The recall notice puts the liability on the driver to have their vehicle updated (for free) in a timely fashion.
The situation doesn’t need to be as strict as #2: you could have a way for a registered service shop to get a per-device rekey by shifting some liability to them. Making it per device prevents bulk usage and an active communication with the manufacturer would mean the cops could ask the owners of a shady auto shop some questions when 80% of the stolen cars in the area are being rekeyed at a place the owners have never been to. I lost a car key once and the locksmith who showed up checked my drivers license against the title database because he could have been penalized for unlocking a vehicle without doing so - we could make the same model work electronically because while car thieves are anonymous, legitimate repair shops have a business presence and reputation to preserve. Even someone amoral isn’t going to look the other way for something which will cost them their primary revenue stream.
I don't think that the dealer equipment being used to steal cars today is coming from dealers where management is knowingly engaging in car theft. It is other people who are misusing those tools. There are many hundreds of thousands of people who work at dealerships, and many do not care about their employers reputation. Also, many dealerships are broken into.
Yes, which is why I suggested a combination of measures to change that. An active per-device transaction would make it clear when a dealer’s access is being misused, and if it affects their business viability it would turn out that they could do a better job of controlling access. Hundreds of thousands of people work at banks, too, and many of them do not care about their employers but thefts from customer accounts are rare because the companies are incentivized to set appropriate safeguards. There’s no reason why car repairs couldn’t be the same other than that it costs more than what they’ve been doing, and there aren’t strong enough incentives for them to take on those costs.
What would that look like in reality? Expecting dealerships to have the same physical security, procedures, and security vetting of a bank? There's already a shortage of workers in these roles, now we want the guys busting their knuckles on vehicle repairs to have a good credit score and good background check and perform elaborate opening and closing procedures with a buddy system? Storing tools in a vault?
I really don't see how any of this is merited or reasonable, especially when the vast majority of the cars being stolen in my neighborhood are either stolen with the keys or with a tow truck.
Require resets to be initiated and authorized by the F&I department, whose security and KYC processes should already be substantially similar to those of other institutions that regularly approve $50,000+ loans.
1. As a result, we'll see costs like losing the keys to a rental car go from a $250-500 fee to a $2500-5000 fee, due to the additional costs to process and the additional loss of use.
2. Criminal rings that steal high value cars will go from often using tow trucks, to exclusively using tow trucks.
3. The number of cars stolen via stolen keys will remain unchanged.
Yes, the key itself will be more secure, but I'm not really sure it will actually improve anything. More security is not better if the costs do not create real-world results.
Your second point is leaving out a lot: there’s no way adding a requirement that you have heavy equipment and a skilled operator isn’t going to reduce the number of thefts, and those trucks are in more limited supply and easier to track than a small tablet. They’re also way less stealthy so there’s a lot more time to get caught.
The third point may be true for classic theft but would not be true for the growing category of thefts caused by abusing wireless keys. If you can’t easily get a new key, the resell value for that car is going down dramatically.
Commercial tow trucks are not hard to get in many places, but it is also not required to tow a car. There are many consumer oriented solutions for towing a car. Tow dollies are about $40 to rent in my city. Or if you're a thief, trailers aren't hard to steal either.
> If you can’t easily get a new key, the resell value for that car is going down dramatically.
Most of the vehicles that are stolen for resale are high value and sent overseas to parts of the world where the labor cheap to do something like entirely rip out all of the security components. I don't really think that these criminals will stuff a G-wagon in a shipping container for $100,000 but they won't do it for $80k or $90k.
> Commercial tow trucks are not hard to get in many places, but it is also not required to tow a car. There are many consumer oriented solutions for towing a car. Tow dollies are about $40 to rent in my city. Or if you're a thief, trailers aren't hard to steal either.
Again, it’s possible but do you really think there isn’t even one thief who lacks easy access to a tow truck or will be caught firing up noisy equipment at 3am but not if they fumble around in their pocket while walking up to a car? Not a single teenager looking to joyride won’t give up if it’s harder than the Kia video they saw on Tik Tok?
Similarly, yes, people will still steal vehicles and ship them overseas but the more work they do the lower the resale market and value will be, and that will make it less tempting since you’d only be able to sell to people who are content never getting service from the manufacturer. Even if we assume that there are countries with skilled technicians and effectively no law enforcement, only something like 10-15% of stolen vehicles are shipped according to U.S. officials so even if you wrote those off entirely you would have plenty of room to improve by reducing the majority of thefts which never leave the country.
There's different categories of criminal here who are willing and able to do different things to different types of cars.
> Again, it’s possible but do you really think there isn’t even one thief who lacks easy access to a tow truck or will be caught firing up noisy equipment at 3am but not if they fumble around in their pocket while walking up to a car?
Canbus attacks, OBDII reprogrammers, and similar are typically pretty intrusive, they require cutting into fender liners, removing lamps, busting a window, or otherwise gaining physical access to the bus. They also require specialized tooling and expertise that are harder to get than the tools which physically move vehicles.
The one that might be an exception, and some savvy street criminal might be able to get their hands on is a tool to do is a relay attack, which is usually good enough to steal belongings from a car, but generally not capable of stealing the car.
> Not a single teenager looking to joyride won’t give up if it’s harder than the Kia video they saw on Tik Tok?
Definitely not. Vehicles with immobilizers are essentially never stolen by joyriders unless they have also stolen the keys.
> Even if we assume that there are countries with skilled technicians and effectively no law enforcement, only something like 10-15% of stolen vehicles are shipped according to U.S. officials
Yes, and almost all of the other ones either just lack immobilizers, or the thief also stole the keys.
Simply requiring the dealers to take seriously ownership validation and track which workers used the reset system (no shared logins, etc.) would do most of it.
