as appeared in The International Association of Auto Theft Investigators, The ABP, July 2007, Volume 13, No. 3, p 23.
by Thomas Seroogy, CFL
contributions by James Norwood
Investigative/forensic auto experts have perpetuated the mystique of transponder technology at the expense of providing material and relevant evidence. The next two articles turn immobilizer forensics from junk science into a credible scientific tool that withstands the legal challenges of Frye and Daubert on both state and federal levels.
Stolen or not?
Throughout modern history no other piece of Americana has garnered the ubiquitous following as that of the automobile. And, likewise, no single object has evoked the degree of intrigue as that of the automobile. Through the glorification of escapes and police pursuits, street racing, drifting, and theft, the automobile has taken center stage in cultures worldwide.
Hollywood learned early about the mystical attraction of the auto. The exploits of Bonnie & Clyde, the Cosa Nostra gangland killings (the first drive-by shootings) as pictured in the St. Valentine’s Day Massacre, James Bond, the Italian Job, the Dukes of Hazard, Smokey & The Bandit, American Graffiti, Fast and the Furious, Gone in 60 Seconds; these are just a few of the thousands of films and TV shows that embody man’s fascination with the automobile.
Unfortunately, the mystique of the automobile takes on a whole new face when it hits the wall of real life crime. Unlike other property subject to theft, automobiles are in a state of ceaseless-change. Anti-theft features that once changed every 5 to10 years are now changing with every new model year.
PASS-key I, PASS-Key II, PATS I, PATS II, NATS 2, NATS 4, SENTRY, Smartkey, Passlock I, Passlock II, Passlock III, Pass-Key III, Pass-Key III+, Pass-Key III Circle+; the techno-electronic age has spawned an unrivaled velocity in the metamorphosis of automobile anti-theft technologies. Unfortunately, this single dynamic plays better into the hands of those stealing cars than it does in preventing auto theft or to law enforcement’s ability to solve auto related crime. Only the most informed and seasoned veteran law enforcement auto theft investigators have been able to keep up with the bulk of transponder technology. And those investigators who have taken the time to learn and understand the technology have been able to put it to good use
Are Transponders Effective?
Does a damaged lock indicate a legitimate theft?
While the FBI Uniform Crime Report shows a 3.7 percent increase in violent crime there was a surprising 2.6 percent decrease in property crime in the first 6 months of 2006 compared to 2005. As part of the property crime figures, auto theft showed a 2.3 percent decline. (Eggen, 2006.) AlthoughInvestigative/forensic auto experts have perpetuated the mystique of transponder technology at the expense of providing material and relevant evidence. The next two articles turn immobilizer forensics from junk science into a credible scientific tool that withstands the legal challenges of Frye and Daubert on both state and fe research has yet to determine the definitive cause, speculation attributes the decline in auto theft to a combination of factors including the industry wide employment of immobilizer systems (most transponder-based) starting in late 1995, and the reduction of non-immobilizer equipped vehicles by an aging market.
This writer’s law enforcement contacts indicate that the reported reduction in auto theft is also due, in part, to an aggressive campaign to reduce owner give-up false reporting by employing the use of forensics in transponder technology. However, this effort has not necessarily resulted in a meaningful reduction of missing vehicles. (This, of course, is not to diminish the effort law enforcement personnel dedicated to auto theft crimes.)
While the jury is still out, first indications suggest that the emergence of better manufacture-installed electronic security has shifted the demographic topography with respect to how a car is stolen and by whom it may be stolen. Anecdotal data suggests that these systems have caused a reduction in the occurrence of the causal theft and shifted most legitimate thefts to gangs and crime organizations that profit directly from a stolen vehicle, and have the time and money to expend on methods of bypass.
The Roots Of Junk Science
Over the last 10 years, two growing technologies have both aided and complicated the way law enforcement approaches auto theft: the internet and transponder-based immobilizers.
For investigators involved auto theft, the internet is both a curse and a blessing. When it comes to fast and effective methods for broadcasting as well as retrieving information, little compares to the capabilities of the internet. Yet, for all of its benefits, the internet also serves as the birthplace of many of the greatest urban legends known to law enforcement.
Transponder-based immobilizer technology, on the other hand, for all of the investigative and forensic potential it offers, is more often misunderstood or ignored than utilized. The reluctance to rely on the use of this technology for solving auto related crimes is rooted in two attributes common with emerging technologies.
First, is the proliferating amount of information that needs to be digested before an investigator or detective is comfortable and competent enough in the technology to properly apply it to an auto theft or owner give-up investigation. This same learning curve also applies when a case is presented to a prosecuting attorney or to other law enforcement agencies that may be working with limited or incorrect information and inadequate training on immobilizer systems.
Second, and of more consequence, the mystique of immobilizer technology has been perpetuated by investigative/forensic experts. From the time they learn to spell “immobilizer” this group uses their newly found jargon – i.e. Cloning, Transceivers, Encryptions, ECU, PCM, Module Swapping…yuck, yuck, yuck – as a cloak of competency-through-confusion (the old “…baffle them with your baloney” adage). Their written findings often do not even begin to properly answer the two most basic questions, “Were the mechanical security features defeated, and were the electronic security features defeated?”
Unfortunately, it is the automotive “expert” that bears the sole responsibility for making transponder and immobilizer forensics so confusing that few attorneys or prosecutors give credence to the materiality or relevance of findings based on the application of this technology. And without the proper training, law enforcement, insurance companies and individual plaintiffs can only hope that the “expert” on whom they are relying is knowledgeable in his/her proclaimed field
How can an investigator separate fact from fiction?
While law enforcement investigators have observed that almost none of their cases based on transponder technology experts have been filed in criminal court without an additional or independent case witness, insurance companies have consistently relied on these same forensic experts to dispute and deny claims. For those trained and educated in immobilizer forensics, the court decisions based on the findings and testimony of these experts are often painfully ludicrous. Worse yet, this procedural model creates two major road bumps to further investigation or prosecution efforts.
First, considering that by policy insurance companies refuse to report a suspicious claim to law enforcement until after the claim is denied or a settlement guaranteed, the chain of evidence and accessibility to evidence is at least delayed if not destroyed.
Second, is the high degree of confusion that results when the fallacious assertions and claims of inexperienced or self-proclaimed experts become part of public record. While a thorough examination of the written results and depositions from some of these forensic examiners reveal repetitive web-based, cookie-cutter reports that bear little connection to the vehicles being investigated; their testimony soon becomes the marker by which later immobilizer information is judged.
At a loss is the detective or officer that must wade his/her way through the now muddied waters of transponder technology in pursuit of the truth. More than one law enforcement agency has indicated to this writer the frustration of battling misinformation; and this, despite having an investigator trained in immobilizer technology and whose time is solely dedicated to researching and eliminating misinformation and bad case evidence.
It’s no wonder that immobilizer forensics is often considered junk science at best.
So, Where Does One Begin?
There is no magic wand to affect change. Quite simply, it comes by educating oneself and others involved in auto theft as to the capabilities and limitations of immobilizer forensics.
While the next article covers the finer points of immobilizer forensics, it is best to begin with two basic principles or rules:
- Carefully evaluate information presented by the media, internet or self-proclaimed experts.
- Process transponder or immobilizer technology like any other type of evidence.
Rule #1: carefully evaluate information presented by the media, internet or self-proclaimed experts.
Some may remember the 1995 media stir caused by the Code Grabber. Developed by Kingfish Manufacturing of Long Beach, CA, this electronic device, about the size of a cigar-box, was presumably capable of capturing or grabbing the signals sent out from remotes; and then later able to use those captured signals to make unauthorized access to homes, businesses and vehicles.
“Police and security systems experts say burglars using electronic ‘code grabbers’ can record and play back the signal from an automatic garage-door opener from hundreds of feet away.” (Covarrubias, 1995.)
Appearing in a national news program, the inventor of the Code Grabber demonstrated how the unit was capable of making unauthorized entry into a vehicle by stealing the signal when the remote was used to open the doors.
According to Jeff Cooper, founder of Remotes Unlimited of Houston, TX, a subsequent personal conversation with Code Grabber inventor Jim Telenko revealed that the televised car opening was staged. (Cooper, 2006.) In short, while the technology was legitimate, the small size and power limitations of the Code Grabber, and similar devices, were not adequate to capture signals at the distances shown in the demonstration. It was further disclosed that, at the time, the technology required to reliably grab a signal from a car remote at the distance shown required equipment so large that aside from the prohibitive cost, the size of the unit precludes the possibility of covert and/or surreptitious use.
Still, the buzz caused such a stir that legislative efforts were made to illegalize these types of devices, it had law enforcement and insurance companies at an impasse on solving reported thefts and break-ins, and sent the garage door and automobile industry racing to incorporate rolling or rotating code technology into their systems.
A more recent media phenomenon involves the use of bump keys to easily and surreptitiously bypass many commercial and residential locks. According to Don Shiles, Director of the Technical Counterintelligence School for the Department Of Defense, and Jim Bickers, Army Section Chief Close Access Team/Vulnerability Assessment Team, bump keys have been used by special law enforcement agencies for decades. Effectively what the media did was broadcast to the entire world how this technique can be used to commit a crime.
In essence, the recent presentation of bump keys is simply media hyperbole, great for sweeps week. This is not to discount that this technique can be used to make unauthorized entry into a structure. However, it still requires proper training and practice before the technique can be used effectively. As former and current president of the International Association Of Investigative Locksmiths, Shiles and Bickers, respectively, state that this method of bypass is often detectable by properly trained forensic locksmiths. (Shiles, 2006.)
Thus, when it comes to researching immobilizer technology, the investigator needs to consider the credibility of the medium delivering the message. This is not to say everything broadcast by the media or presented on the internet is not plausible. Nor should the internet be ignored altogether. The fact is, even some of the craziest urban legends are rooted in truth. Further, it serves as an invaluable tool for both relaying and researching the continuously changing world of auto theft.
Still, one must be cautious in separating proposed methods of bypass or theft that are based on mere speculation from those that are proven, duplicable, and scientifically sound. Too often, a request for information on a potential method of theft quickly evolves into “fact” void of scientific validation. In short, forensic investigators must be able to submit their conclusions to independent experts for confirmation and be prepared to actually duplicate their findings. Stating an unsupported opinion as fact is both irresponsible and liable.
The late 2004 announcement by Johns Hopkins researchers stated that their breaking of the Texas Instrument encrypted transponder chips was a clear demonstration of how easy it is to steal Ford vehicles or gasoline from service pumps. Despite the fact that the findings of these researchers was not new or novel, even some seasoned law enforcement personnel succumbed to the media buzz that Ford vehicles around the country would soon be disappearing in great numbers.
Speaking before law enforcement and insurance groups around the country, the researchers’ rhetoric was toned down a bit. However, it was too late. Despite the lack of sound field research, and having absolutely zero documented instances where the technology was used to commit theft, web-based automotive experts accepted the hyperbole as fact. Yet it was not until September 2006 that a commercially available tool capable of cloning Ford encrypted keys was actually introduced; and not until early 2007 that the clone keys used in this tool were available for performing and completing the cloning process; more than 1-1/2 years after the Johns Hopkins announcement.
As recently as this last month, an Alabama court found an insurance company liable of bad faith. The testimony of the defense was based on the contrived and misleading opinion and testimony of a self-proclaimed expert. One element of the defense’s case centered on cloning a key based on the Johns Hopkins study. What wasn’t entered was the fact that the technology for the devices capable of cloning the transponder type used in the vehicle was not commercially viable at the time of the purported theft. Presently, this writer is aware of other ongoing cases where the Hopkins study is being used by automotive experts in a wholly fallacious and deceptive manner.
As such, one needs to be careful in weighing the various new methods of theft as they appear in the media, the internet, and even from experts. This year alone, of the half-dozen or so requests for information on potential new methods of auto theft, nearly all are now espoused as fact by various experts. Yet, by this writer’s research, only one – i.e. the force rotating or drilling the ignition of the GM Passlock system installed one GM vehicles using the CSS column – has proven legitimate. Most, however, were later proven to be false or highly improbable.
Aside from the Johns Hopkins study, the three recent proposed methods of auto theft that received the most attention include the use of a strong magnet to unlock a vehicle’s locking system and the use of laptops with antennas to steal the signals from the key fobs used on keyless cars. Although originally appearing as simple inquiries, these quickly climbed the ladder of “mythodom” and are currently reported as fact by some automotive forensic experts.
The magnet myth started as a simple request for information on identifying a magnetic pickup or transducer stuck next to the handle of a late model Toyota Prius. Speculation over the potential capabilities of the device grew prolifically. From the magnet being a simple hoax to it being an insidious high-tech auto theft device using Near-Field Magnetic Communication (NFMC), concepts flew about the internet like birds gathering for their winter flight south. In short, the identity and purpose of the magnet are still unknown; however, later examination of the original vehicle and magnet demonstrated that it was not the magnet that opened the door locks when the vehicle was initially tested.
Stealing radio signals to open and start the newest keyless cars may be more a little more realistic. However, like the Code Grabber mentioned earlier, the physical limitations of today’s technology make it an unlikely candidate for being used in auto theft. And until such a device is actually available for demonstration and objective peer review, its existence and use in theft is highly suspect.
Finally, the omnipresent and magical “black box” is still touted as a method of theft by some automotive experts.
Recently, a well-known insurance company paid a claim based on the incorrect speculations of an “automotive theft expert.” Involving the purported theft of a late model Audi, the expert claimed that car was stolen using a high-security lock pick and the use of the infamous “black-box.”
As this author is intimate with the development, application and use of the high-security pick listed by the expert, it is known that while the tool has a fairly high degree of success unlocking the door locks on early model VW, Audi and Porsche’s, its use on later model vehicles, and its application any year model ignition (for which the tool was not designed) is extremely low. So, while not impossible that such a tool was used, it is highly improbable. Further, that this tool was ever used cannot be supported by known, direct, and scientifically collected tool mark identification procedures. Thus the markings described by the expert in identifying the tool are not supported.
As for the black-box, no such tool existed for the vehicle at the time of purported theft. Although much has appeared in recent months for accessing and working on the immobilizer system of the VW and Audi, the technology was not available at the time. The closest device capable of programming the transponder system on this vehicle still required the use of a PIN number, available at the time only through authorized VW/Audi dealers. Further, there is no record of forensic diagnostics being performed on the vehicle to determine what, if any, immobilizer data had been altered.
Interestingly the owner of the stolen Audi worked for a company that had direct access to and sold into the locksmith market the programming tool required for making keys for the vehicle; as well as direct access to high-security picks and a means of obtaining the necessary PIN.
Despite the current realities of these technologies, some independent auto forensic experts continue to proclaim these as definitive methods for easily stealing cars. Unfortunately, the confusion proliferated by such experts leave law enforcement and related agencies in a quandary when discerning a legitimate theft from fraud. So, where does an investigator begin?
Back to square one! While separating valid from invalid information is time consuming, it boils down to a single, long-time accepted scientific principle: Can the procedure, method or technology be reliably and consistently duplicated or repeated and yield the same results?
Proper field testing of all proposed techniques on all proposed methods of bypass and theft may take time, but provides for proper and accurate conclusions. In applying this principle to the myths mentioned above, it was learned that the magnet/transducer played no role in the opening of the Prius door locks.
It has also shown that while the Johns Hopkins cloning research is accurate when conducted under controlled conditions; in the field, relative to being used as a method of auto theft, the technique has proven to be severely flawed.
Likewise, it has been found that the methods of theft as proposed by some experts have not and cannot be scientifically supported. In evaluating several recent cases involving expert testimony, it was found that many of the methods or techniques of theft as proposed by the expert(s) were either 1.) so vague that testing was not possible (i.e. black box), or 2.) were incorrectly applied to a technology or vehicles (recent cases include the Johns Hopkins research being applied to the transponder chips not tested or include in their research).
Rule #2: Treat Transponder or Immobilizer Technology like any other type of Evidence.
Like firearm and tool mark analysis, proper immobilizer forensics is based on the class and unique characteristics of the actual system being investigated. Understanding these characteristics better prepares and protects field officers, crime scene investigators and detectives relying on the collected immobilizer data by dramatically reducing the likelihood of spoliation through improper recovery or handling. Proper evidence handling and investigative techniques utilized by qualified individuals also eliminate departmental liability through false accusations, before and after cases are actually considered for prosecution.
As evidence, the data available from an immobilizer should not be considered better or worse than any other type of evidence. When properly protected and recovered, the evidence provided is nearly impeachable. When mishandled and incorrectly recovered and/or interpreted, it can destroy the credibility of an otherwise open-and-shut case as well as the investigators presenting the testimony.
As a forensic locksmith, this writer has observed that the typical recovered vehicle has been examined by police or the fire department, towed at least two times, inspected by the owner, insurance adjuster and/or the SIU agent, and in some cases driven with the use of a proper key. Needless to say, many of the items or systems in the vehicle have been altered, moved or used prior to the time this writer/examiner has opportunity to view the vehicle. The potential for evidence spoliation is high and gets worse with every delay in proper processing.
Thus, while immobilizer technology offers the detective or investigator a whole new tool in solving auto theft related crimes, the lack of understanding its potential often subjects it to spoliation due to mishandling or to being completely ignored. This is even more problematic when well-intentioned but uninformed insurance adjusters or SIU personnel get involved with under-qualified experts.
Recently, this writer was called to examine a late model Ford Focus. Prior to the examination, the SIU agent used a key provided by the insured to try and retrieve the mileage.
Unbeknown to the agent, using this key destroyed the only data that was capable of providing a direct link to the owner’s involvement in the purported theft. While other data was available, the spoliation caused by the use of the key had already compromised a pivotal piece of forensic evidence. In addition, should the recovered data ever be questioned later in court, it becomes more difficult to convince the court that any of the recovered data is reliable.
Further, forensic experts and investigators need to understand that there are individuals ready to testify that security features on a given vehicle in question could have been defeated by any number of means without necessarily leaving any latent evidence behind. Therefore, they claim, the case can be made that a particular vehicle was stolen by a method or technique yet unknown. Still, these same experts are seldom able to adequately explain how they have arrived at these conclusions, they have not had their findings confirmed by experts of the same field of study, and they cannot demonstrate in court how the specific system in question was allegedly defeated.
In short, what they do very well is imply that anything that has been created by man can be defeated by man and the inherent error rate with transponder-based security systems makes them unreliable for court purposes.
As paid experts, their task is quite simple – create that instant of a shadow of a doubt. Law enforcement officials call these people "Testiliars." If pressed under cross examination by an informed prosecutor their testimony crumbles. A properly prepared examination of the case evidence eventually destroys their credibility every time. And handled correctly, a proper immobilizer investigation is an objective search for the truth; offering cogent evidence as to exactly what could have happened or could not have happened to the vehicle in question.
In the examination of a late model Honda Accord, keys were obtained from the owner and were not used in the vehicle subsequent to its recovery. The vehicle had been towed once and properly stored and protected. The data was properly recovered and spoliation was negligible to non-existent. The data was cogent enough to be considered material and reliable evidence to the court. When presented with the evidence, the insured dropped the claim.
Okay, so understanding an immobilizer system is fine and dandy when a vehicle is recovered. But what about vehicles that are burned or not recovered?
How Does Understanding Immobilizers Affect An Unrecovered Theft?
While the lack of a recovered vehicle precludes the ability to make a determination as to how it was stolen, a clear understanding on the class and unique characteristics of its immobilizer system allows investigators the ability to produce a summary of what is needed to move the vehicle and a list of potential suspects known to have those capabilities. Most owner give-up claimants routinely do not understand what is necessary to defeat transponder-based immobilizer systems and usually file insurance claims that are obviously questionable. However, this is where the ball gets dropped.
Without proper investigation and information, insurance claims are routinely declined based on evidence and opinions that simply would not hold up under proper cross-examination in court. These inadequacies include a failure to properly query the onboard computer system, insufficient examinations of mechanical security features, a failure to properly account for all of the keys associated with the vehicle in question, and a failure to properly secure pertinent timely case evidence for adjudication and secondary confirmation.
Conclusion
Stealing a car equipped with an immobilizer is not a mystical event. Using standard scientific methods and procedures, the proper tools and training, data can often be retrieved from a recovered vehicle that is both material and relevant.
All immobilizer systems have specific class and unique characteristics that can be used to make definitive and cogent conclusions regarding the method of theft, and also provide evidence that may be used to include or clear potential suspects. As such, all immobilizer systems should be considered and handled as potential evidence; and like any evidence, everything reasonable should be done to protect it from spoliation.
The next article is a discussion of the class characteristics of the most common transponder-based immobilizer systems. Included are recommended recovery, transportation and storage procedures that reduce the likelihood of spoliation.
Tom Seroogy holds a degree in Criminal Justice and is an IAIL Certified Forensic Locksmith. He has been involved in the development, use and training of transponder and other electronic immobilizer technology and tools since 1996. His experience includes instructing tactical automotive techniques to law enforcement and the Department Of Defense. Seroogy can be contacted at www.vinsecurityforensics.com. Specializing in Chop Shops, Jim Norwood has over 30 years experience in law enforcement, auto theft investigations and insurance fraud.
Reference:
Cooper, Jeff, December 22, 2006. Phone conversation regarding the capabilities of the Kingfish Manufacturing Code Grabber.
Covarrubias, Amanda, 1995. Associated Press. Appeared in the Los Angeles Times, Saturday March 25, 1995, Business Section, Part D, p. 4.
Eggen, Dan, December 19, 2006. Washington Post, p. A01.
Shiles, Don & Bickers, Jim, 2006. Phone conversations with DoD Counter-Intelligence training personnel regarding the media coverage on bump keys.
