Real world security by obscurity

I first heard about this issue on Car Talk the other day, and recently ran into this article on Snopes about it...

It turns out that on VW cars (and other manufacturers), the pattern for the door key is based on the VIN for the car.

What that effectively means is that the security of your VW (or other) car is based solely on the difficulty of cutting the keys for the lock - all the information needed to generate the keys is publicly available (and externally visible on the car).

Imagine if the same were true of an operating system - what would we say about the security of a system where the recovery password for the system was etched onto the outside of the case, and if any helpdesk technician could come by, write down the recovery password and, using that recovery password bypass all the system protections?  Of course, the technician would have to own a $5,000 hardware decoding unit that would know how to convert the etched recovery password into the real password, but once they owned that decoding unit, they could bypass all the protections on your computer.

Would you buy such a computer system?


Comments (16)

  1. Anonymous says:

    According to that article, the theives had to write down the VIN, create a fake proof of ownership of the vehicle, take the forgery to the dealership and get the dealers to create spare keys.

    It sounds to me as though the key details are not based on the VIN, but that the dealer has access to manufacturer records linking the VIN to the key details.

    The other thing the article mentions is using the ignition key code number found inside the car to create a fake key using a portable key maker. They would have to break into the car first, read the number, and then create a key for the ignition.

    That sounds like a similar situation to booting a computer with an alternate system, reading the password hash off the disk, and then using that to work out the correct password for the system.

    Looks like you can still get into Windows, that easily, using tools easily found online. You can freely download the complete rainbow tables for LanMan hashes for passwords up to 14 characters long.

  2. Edward, that’s where the obscurity comes in.

    They’re saying that the only people who have the ability to cut keys for this lock are licensed dealerships. But there’s still going to be a mapping between VIN and key configuration.

    And if you use the syskey tool (provided since NT 4) you can eliminate (totally) the issues associated with LM hashes.

  3. Anonymous says:

    I think a better analagy is convicing a customer support person to tell you a password because you know the (public) username of your target.

    This seems to me to be more an issue of an extremely weak authentication system (easily forged title documents) rather than security through obscurity.

  4. Anonymous says:

    The VIN is visible from the *outside* of your VW? Wow. They must put the VIN somewhere really odd on the US models.

    On all European VW models I’ve seen, the VIN is inside the engine bay, so you need to get that open to discover the VIN. Since the engine compartment release is usually inside the cabin of the car, you’ll need to be about as good at breaking and entering as would be required to get into the car in order to discover the VIN.

    So by the time you’re in a position to read the VIN, you’re already in a position to get into the vehicle.

    I initially thought I must have missed some subtle point about how the VIN was being discovered, but going and reading that snopes article, it sounds like they really do put the VIN somewhere you can see it on the US cars. Wow. Really? I’m astonished. Why on earth would you do that?

    Still, even over here, where we don’t put the VIN on display, it’s a pretty stupid idea to base the key on the VIN. VIN information is used to track service history. Some VW-owned brands have VIN information in their web sites in order to provide an online service history facility.

    So the VIN is kicking around on several databases, not all of which are under VW’s control, and some of which also have owner name and address information in them…

  5. Anonymous says:

    In the USA, all vehicles have to display their VIN publically; usually it can be found on the left-hand side at teh corner of the a-pillar and the dashboard.

  6. Anonymous says:

    Car security is a joke. There have been so many cases where a key from one car will unlock and allow you to drive a completely different car that you have to wonder why the manufacturers haven’t been taken to court about it.

  7. Anonymous says:

    Still I wouldn’t say the pattern for the key is based on the VIN, but if you do a lookup for the VIN in the manufacturers database you can retreive the key code.

    A potential theif would need to have both a portable key cutter and remote access to the manufacturers system to be able to generate the appropriate key on the spot.

  8. Mike Dunn says:

    Whenever I hit my car’s remote’s unlock button and I hear another car beep at the exact same time, I wonder if I did it or if it was just coincidentally perfect timing… :/

  9. Anonymous says:

    I know what you are talking about. Turning on the switch for a light outside your house also turns neighbour’s light on. Coincidence, Timing, X Files, Aliens….I’m still searching 😉

    >Whenever I hit my car’s remote’s unlock >button and I hear another car beep at the >exact same time, I wonder if I did it or if >it was just coincidentally perfect >timing… :/

  10. Wound says:

    Ian, go out and check your car. The vin is usually located in 3 locations. In the engine compartment, in one of the doorways, and also just where the dashboard meets the windscreen, usually on the passenger side (in the UK at least). Its not all that easy to see unless you get close, but there it is.

  11. Anonymous says:

    Although of course you are correct about Windows passwords you forgot that thieves don’t need to touch the computer to steal Windows its self…

    It was very nice of the OEM to print my CD Key on the side of my laptop where anyone with a digital camera or a good memory can just take it. And as Microsoft like to remind us, you don’t buy Windows you licence it and thus the CD Key *is* the product not the CD or any other material.

    As an analogy wouldn’t this be like locking the car but leaving the proof of ownership documents on the roof?

  12. Anonymous says:

    Just to confirm what wound said – I’ve got a ’97 UK registered VW Passat and the VIN is displayed near the passenger A-pillar.

  13. Anonymous says:

    I had a similar issue with my motorbike recently. I needed to charge up the battery, but I forgot to put the alarm into "service mode" first, so when I reconnected the battery the alarm went off, and I couldn’t silence it with my remote. After digging through some info on the alarm (DataTool Evo, if you’re wondering), it turns out that there’s a way to "re-synch" the alarm with the remote, by holding down both buttons on the remote for 5 seconds. I did that, and it worked. My spare remote (where I hadn’t done the resynch) also worked after that, so presumably this modified the system on the bike. This does make me wonder whether I could gain access to any other bike that has the same alarm system as mine…

  14. Anonymous says:

    I physically secure servers as my assessment of risk is if someone steals it. It doesn’t much matter (for local access) if they know the password or not as they can’t get to the keyboard to enter it.

    But many people who are locked out of their home machines would prefer the password on the case.

  15. Anonymous says:

    Many European cars now have external VIN plates. In fact it’s an old idea, as my 1975 Vauxhall Firenza has a VIN plate on the top left corner of the dash near the A pillar.

Skip to main content