How cars are stolen?
Over the past few years, we have seen millions of high end cars across the UK stolen through key cloning theft. It all started with BMW's mysteriously disappearing off owners driveways in the early hours of the morning. Fast forward a few years, it’s now uncommon for our morning Facebook news feeds to be filled with the nights cars stolen in our area. We are now seeing huge numbers of Ford, Audi, Land Rover and Mercedes being hit by the threat. Worst hit areas in the UK are London, Greater Manchester, Essex, Midlands and Liverpool.
We have spent years researching how these thieves are taking our cars. We have watched hours of CCTV footage made available to us by not only our customers, but also by working closely with the police in all major cities. This has helped us research exactly how each vehicle was stolen. We have also been featured in major newspapers and magazines reporting on the theft of motor vehicles. From all our research, we have designed and developed new devices which are controlled by our Pandora Alarm Systems that help keep your car on your driveway. Unlike other companies, we don't just pull an alarm out of the box and fit it straight on to your vehicle! In the world we live in this won't give you much extra security. Only a loud noisy siren coming from your car. It's the extra security features we have designed in house and fit to our packages, that keeps your car on the drive where you left it!!
So how are they stealing your car so quickly and why aren't the manufacturers doing anything about it?
Firstly, OBD port key cloning.
So, What is the OBD port and what does it do? OBD (on-board diagnostics) is fitted to all vehicles from 2001. The connector, gives the vehicle owner or repair technician access to the status of the various vehicle BCMs and ECUs which control your cars electrics. If your car develops a fault or needs programming, a complex computer is plugged into the port. You may have a simple OBD reader yourself such as CarMD, Innova or Carly. Independent car garages and main dealerships generally have expensive programmers worth thousands of pounds. But a cheap OBD key reader can be purchased off the net from sites like ebay for less than a hundred pounds. These devices are capable of extracting your vehicles immobilisers codes which flashes a blank key with your vehicles security codes. The thieves are using theses devices to steal your car.
To gain access to your OBD port, first they need to get to the port, preferably with out the factory alarm activating. This is normally done by either smashing the window with the end of a spark plug, or the drivers door lock is picked using something like a Turbo decoder. On some vehicles BMW for example, the drivers door lock can be removed and a screw driver inserted. A small pressure switch can then be accessed, which when pressed will drop the drivers window and reduce the sensitivity of the factory alarms ultra sonic sensors. This then gives a black spot for the thief to work on the OBD port. Once access is gained, a specialist key cloning device is plugged into your port. Within seconds the immobiliser codes are extracted from the car. Depending on the device used, a blank key can be flashed with your car's immobiliser and alarm codes right there and then literally in seconds. The car can then simply be unlocked by pressing the disarm button on the newly programmed remote. Car started! And simply driven away. In some cases we have seen cars which have been broken in too but are left by the thief. In this case, generally the codes are extracted and taken away to be used later to make a new key. A few days later they will return to collect your car!
How does our security packages protect your car against key cloning theft? We offer extra security in our upgrade package to keep your car on your driveway, with the latest key cloning threat, we have specially designed an OBD port immobiliser which we include in all our Pandora upgrade packages. When the alarm system is armed, the OBD port is physically immobilised. The only way to open the port for communication is by using the super encrypted Pandora remote. This makes it almost impossible to program a key to your car when the alarm is installed.
Specially designed Engine immobiliser.
We have designed and developed a new type of engine immobiliser. Specifically designed for push button start vehicles and controlled by our Pandora alarm packages. Once armed, the immobiliser stops your car from starting. Even if you have the cars OEM key fob present, you still won’t be able to start the car. This takes care of any unauthorised key cloning whilst your car is left with a third party, E.G Valeting company or garage. If a key is programmed they still won’t be able to start the car.
So why aren't the vehicle manufacturers coding the OBD port to stop this from happening?
Well the simple answer is, legally they aren't allowed to. A law was put in place a few years ago ironically to protect us, the vehicle owner. This was put in place to stop forcing the customer back to them for service and warranty work and charging ridiculous prices to keep your vehicle going. The block exception regulation was first put in place in 2010. The BER stated that the manufacturers could not code the OBD port allowing other independent garages to access work on your vehicle at a fraction of the cost without voiding your manufacturers warranty. This opened up the industry making/protecting millions of jobs across the globe. Not many owners know this, but you could also use like for like parts such as a Bosch oil filter, apart plugs etc instead of the manufactures own parts. The only problem is, anyone can gain access to your cars main computers. Which as we have seen over the past 9 years, has seen millions of cars stolen across the globe.
A new threat! - RollJam
well its not quite new anymore due it now being around for a few years, however with new technology being introduced and with more and more vehicle owners educated in key cloning theft, most new cars are now fitted with some sort of aftermarket alarm system or OBD port relocation/security device. So has the thefts slowed down or stopped? No way! The thief have found a new way to take your vehicle, but this time wirelessly, without even entering the car! It's called, Key Scanning!
What is RollJam?
With most OEM factory car keys featuring keyless start/entry, the biggest security threat for vehicle owners now is key scanning. A thief will visit your house armed with a black box or laptop. They will then scan for your car keys code. Now most new car keys wirelessly emit not only the alarm codes to your car, but also the immobiliser codes to start your car. These keys can work up to 5 meters from your car. Once the signal is grabbed it is amplified and sent over to a receiver box, where the code is stored. The second thief then simply needs to stand by your car with the box as if he has the key in his hand. The signal is then transmitted from your car key(even when the key is securely sat inside your house) to the box, allowing the 2nd thief to simply open and start your car. This threat is happening with all new Ford, Mercedes, BMW, Audi and Land Rover models, fitted with proximity keyless entry/start. This can also be done whilst your walking round the shops for example with the car key in your pocket. The thief only needs to walk past you to steal the codes.
But it's not only the proximity key which is effected. This same equipment can also grab the code when you press the unlock button on your remote to unlock your car.
My car or aftermarket alarm has rolling code technology so is it protected? Wrong! The thieves have found a way past this too. A well known hacker in the United States called Sammy Kamkar has demonstrated at Def Con (Conference for Hackers). He uses a side line attack.
Sammy is campaigning for all car manufacturers and aftermarket car alarm companies to upgrade the security in their key fobs. He has designed a device which is being used by the thieves to simply catch your factory remotes or aftermarket alarms key codes and stores them for use by the thief.
How does key scanning work?
The next time you press your wireless key fob to unlock your car whether it be the factory remote or an aftermarket alarm, if you find that it does not beep until the second try, the issue may not be a technical glitch. Instead, a hacker like Sammy Kamkar may be using a clever radio hack to intercept and record your wireless key command. Then when that hacker walks up to your vehicle a few minutes, hours or days later it will not even take those two button presses to get inside. The $32 radio device named RollJam, smaller than a mobile phone, is designed to defeat the rolling codes security used in not only most modern cars and vans keyless entry systems, but also in most aftermarket alarm systems and in modern garage door openers. The technique, long understood but easier than ever to pull off with the Kamkar attack, which lets an intruder break into cars without a trace, turn off their alarms and effortlessly access garages.
RollJam, as Kamkar describes it, is meant to be hidden on or near a target vehicle or garage where it lies in wait for an unsuspecting victim to use his or her key fob within radio range. The victim will notice only that his or her key fob doesn’t work on the first try. But after a second, successful button press locks or unlocks a car or garage door, the RollJam attacker can return at any time to retrieve the device, press a small button on it, and replay an intercepted code from the victims fob to open that car or garage again at will. Every garage that has a wireless remote and virtually every car that has a wireless key (including aftermarket alarms from many big names) can be broken into says Kamkar.
How does rolling Code key scanning work?
When you first press the remote, the signal to unlock the car is grabbed and stored by RollJam. We'll call this code A. But all you see is your car didn't respond. Your next reaction is to then press the button on the remote again. We'll call this code B. RollJam then grabs this code and stores this too, but in a split second also sends the first code A to the car. Your car receives code A which locks unlocks the car and Code A expires and can never be used again. But Code B is still stored in the device and can be used at any time by the thief to unlock and deactivate your alarm system and unlock your car, whether this be now or hours/days later. The majority of remotes used are generally only 40-60 bit encryption. The problem with keyloq is that it’s very dated now and although they roll the code each time, the code never expires, which allows the thief to collect these codes at any given time.
How does Pandora Car Alarms Protect against key Scanning?
Pandora uses a new type of rolling code and is the only company using this technology in aftermarket alarm system. Firstly the Pro V2 (Pandora's flagship alarm system) comes with a full U.K legal 856mhz 2-Way LCD pager remote, which keeps you in contact with your vehicle anywhere up to a mile from the vehicle. Remote encryption comes in at AES-128 (that's billions of Code possibilities) but most importantly expiring codes! This makes the Pandora remote signal extremely hard to grab the codes from these remotes, making these Pandora systems the most secure option for your vehicle.
Why choose our Pandora package over any other after market alarm?
Pandora secures against everything! Whether it's OBD port theft and key cloning. A specially designed second secure immobiliser designed for push button start vehicles. But most importantly, 128bit encryption. All our packages also offer the option to upgrade to Anti-Hijack immobiliser tags. This protects the owner against key theft as well as being dragged out of the car at the traffic lights. Since 2020, Pandora has been tested an approved by Thatcham, the UKs leading security research & test centre rating all our Alarms systems with a Category 1 rating being the highest level of category given.
Why choose anything else?