Transponders and Remotes in 2017

April 3, 2017
Car dealers see stepped-up security technology as a reliable way to force vehicle owners back to the dealerships. Automotive locksmiths and others in the automotive service field have found ways of dealing with these systems.

The first vehicle equipped with a remote keyless entry system was introduced 35 years ago on the 1982 Renault Fuego, which was not sold in the United States. (Photo 1)  Similar systems began appearing in the U.S. beginning in 1983.  Within 10 years, these systems became an integral part of our American popular culture.  Remotes became so much of our daily lives, that in his introduction at the 1992 Oscar Awards, Billy Crystal as Hannibal Lecter, included a joke about using a keyless remote to secure the hand-truck that had been used to wheel him onstage.  Today, vehicles without keyless remotes as standard equipment are as hard to find as manual windows.

The first transponder-based immobilize system appeared in Europe in 1993.  Shortly thereafter, Immobilizers were required by law in Europe, and began appearing on U.S. vehicles.  In 1999, Ford made transponder based Immobilizers standard equipment on all “Passenger Vehicles.”  At the same time, transponder-based immobilizers became optional equipment on most Ford light duty trucks.

The transponder revolution has continued to the point that today, very few new vehicles are available for sale in the U.S. that do not have a transponder-based immobilizer system.  Transponder-based Immobilizer systems have continued to evolve to the point that the systems in use today bare very little resemblance to those early systems.

Almost from the beginning, auto manufactures recognized that both of these systems provided a reliable way to force vehicle owners back to the dealerships for service and replacement.  Transponder keys and remotes have become a huge profit stream for the dealer networks.

If the truth were told, most of the changes and “Improvements” to these systems are based in the desire of the manufacturers to enhance the bottom line of the dealers, rather than to enhance security or convenience.  It’s no accident that anyone who wishes to sell either aftermarket or OEM (Original Equipment Manufacturer) remotes and transponders, will have to make a large investment in inventory in order to stock even a basic inventory of products.

Obviously, automotive locksmiths and others in the automotive service field have found ways of dealing with these systems.  Some are prospering, some are just getting by, while others are failing, but the dealers simply do not have the lock on the market they once had.  This article is intended to bring you up to speed with the latest market trends and help you to better understand the playing field.

Transponder Systems

A general name for the type of transponders used in automotive systems is RFID, which stands for Radio Frequency Identification.  The entire purpose of the system is to provide a secure method for “Identifying” a unique key or device.  The original transponders used a “Fixed Code” system, where each individual transponder had a more or less unique code that the vehicle was programmed to recognize.  In the Texas Industries transponders Used in the first generation Ford products, there were 74 Quadrillion (74,000,000,000,000,000) possible codes, so finding two alike was virtually impossible.  Today, fixed codes are almost obsolete. 

The next step, which was quickly embraced by Mercedes and BMW among others, was a “Rolling Code” system.  That type of system Used huge numbers of fixed codes, similar to the Ford system, but each time the transponder was U.S.ed, it would cycle to a different set of codes.  Typical rolling code systems Used one hundred different sets of codes, thus multiplying the total number of codes available by a factor of one hundred, plus fact that any one code would only be used every one hundredth time that the key was used.  A few manufacturers still use rolling code systems, but today they are rare.

The next step in the evolution of the transponder is referred to as “Encryption.”  Encryption has long been a standard for secure military communication, and the level of encryption used by modern vehicles is much greater than the military systems used during the Vietnam war.  In an encrypted transponder system, the individual transponder is identified by its unique “Algorithm.”  The term Algorithm is defined as “a self-contained sequence of actions to be performed by a data processing device.”  In very basic terms, the algorithms used by automotive transponders are mathematical equations.  In a typical encrypted automotive system, the computer in the vehicle will generate a large random number.  That number is then transmitted by radio to the transponder.  The transponder will then run the number provided by the vehicle through its built-in algorithm and send the result back to the vehicle.  At the same time, the vehicle “knows” the algorithms of each authorized key and performs the same process that each key would perform.  If the signal sent back from the transponder matches the expected response of any of the authorized keys, this tells the vehicle not only that the transponder in use is authorized, but also which transponder is being used.  That information is used to allow the vehicle to start, and in many cases to set the seat position, mirror positions, heat or air conditioning levels, radio station and volume, or any number of other functions, including parental controls.

The level of encryption is expressed by the size of the “key” that is used to unlock the encryption.  The earliest systems were 16-bit, but soon the standard became 40-bit encryption.  That level of encryption was also standard for “secure” web browsers around 2004.  At that time, a typical home computer could “break” 40-bit encryption with a brute force attack (trying every possibility) in about two weeks.  40-bit encryption is now considered obsolete in computing due to the faster processing speeds and improved software available today. 

Around 2010, Ford, Toyota and others went to 80-bit encryption, and currently both manufacturers are working on rolling out 256-bit encryption.  256-bit encryption is the currently accepted “Advanced Encryption Standard” (AES) worldwide.  The “National Security Agency” (NSA) approved 256-bit encryption for Top Secret documents in 2002 and continues to monitor hacking attempts.  A brute force attack on a 256-bit encryption would require billions of years for the most sophisticated “Super Computers” available today.  But so-called “Side-Channel” attacks have been partially successful, but at this time no successful breaking attempts have been documented.

The bottom line here is that the computing power required to break the current level of encryption used by auto manufactures is simply out of reach for even the most advanced car thieves, and probably most governments.

Very few transponder systems now allow for any on-board programming.  In addition, many modern programming systems also require the use of some sort of password to gain access to the programming system.  Many of us refer to these passwords as PIN numbers, but the manufacturers and dealers seldom use that terminology.  Many of these passwords are now getting harder to get, and some such as the 20-character Nissan system, are encrypted communication, and change every time the system is accessed. 

Remote Technology

The same sort of evolution that we saw with transponder systems has occurred with remotes as well.  Early Radio Frequency (RF) remotes used a set signal to trigger the power door locks and/or trunk locks.  A device that could record and repeat that signal could be used by thieves to gain access to the vehicle quite easily.  That type of system is now virtually worthless to thieves, despite the scary urban myth emails to the contrary, because that type of system has not been used since the mid-1990s.

The first improvement in keyless remotes was two-way communication.  All modern remotes both send and receive signals from the vehicle that allow for much greater security.  And just like transponder systems, some remotes use a rolling-code system and others use an encrypted signal.

Remote programming has also changed a lot through the years.  At one time, almost all remotes could be programmed by way of on-board procedures.  Gradually, that type of programming has been replaced by the use of diagnostic tools.  Some remotes can still be programmed with on-board procedures, but the vast majority now require programming equipment.

Integrated Keys and Remotes

It was just a matter of time before the manufacturers realized that they could combine the key and the remote into one device.  BMW and Lexus were among the first to build the keyless remote into the head of the key, (Photo 2) but they were soon followed by a flood of other manufacturers. The idea itself is sound, but the execution of that idea is rarely an improvement on two separate devices.

The main problem with integrated remote keys (IRK) is that the manufacturers seem to be obsessed by making them as cheaply as possible, while charging as much as possible for them.  The Lexus IRK is an excellent example of this.  The thin plastic housing that surrounds the remote / transponder module and makes up the heads of the key is just not stout enough to hold up under real-world usage.  I’m sure that at some point, the design was cycle-tested by some sort of robotic machine to prove that the device would last for several hundred thousand uses.  But, I’m also sure that the robot never got in a hurry, never tried to turn the key before it was fully inserted, and that the test lock was perfectly lubricated at all times.  I’m also sure that the test lock never was connected to a steering column lock that simulated steering column pre-load from parking on a curb.  History has shown that these keys rarely last for more than a few years, and that as the vehicle ages; the life-span of the key assembly is often reduced to months rather than years (Photo 3).

Lexus in not alone in this problem; perhaps the worst designed IRK ever is the standard Toyota / Scion key, which not only breaks easily, but when it breaks, seemingly explodes into a handful of small parts.  The design of the Mitsubishi IRK seems to have been based on the Toyota / Scion key, but made even more flimsy (Photo 4).  Honda / Acura also an easily broken IRK, (Photo 5) but at least they seem to have learned from their mistakes.  The new G-chip IRK keys seem to be built to a much higher standard. 

All of these poorly designed IRK keys have spawned a huge market for “Shell Keys” that allow you to replace the failed shell of the IRK key with an exact duplicate of the original shell.  Naturally, these shell keys tend to break just as easily as the originals.  I personally buy Lexus and Toyota shell keys by the dozen.  Don’t get me wrong, I’ve made lots of money from poorly designed IRK keys and I think of them as a gift from the manufacturers.  However, I have long wished that I could offer my customers an improvement over the OEM keys.

Proximity Fobs

A proximity fob or “Prox-Fob” combines a keyless remote with a transponder-based immobilizer that does not necessarily have to be inserted, or even touched in order to start the vehicle.  The first prox-fob system appeared on the 1998 Mercedes S-Class sedan under the trade name “Key-less Go.”  (Photo 6) Naturally, other manufacturers soon jumped on the bandwagon and today prox-fob systems are available from every major manufacturer.  Prox-fobs are standard equipment on Cadillac, BMW, Jaguar, LexU.S., Lincoln, Mercedes, Porsche, Volvo and other so-called luxury vehicles, and as optional equipment on hundreds of other vehicles.

Like transponder systems and remote systems, prox-fobs have gone through an evolutionary process since their introduction as well.  Nissan / Infiniti was quick to embrace this new technology and has become one of the most common types of prox-fobs in use in North America today.  The Nissan / Infiniti system can be used to demonstrate the evolutionary process that most of the early adopters of proximity systems have gone through.  When it was introduced, the Nissan proximity system was called “Nissan Intelligent Key,” and that name is still in use today, even though the system has changed drastically since it was introduced.

The original “Intelligent Key” (Photo 7) didn’t look that different from a normal remote, but it was meant to be inserted into a socket that was part of the ignition lock, and turned – much like a FOBIK.  The second generation Intelligent Key adopted the familiar egg-shape that is still in use today (Photo 8). 

There were two different styles of starting systems for vehicles equipped with the second generation system.  Some vehicles had a push-button start, while others had a twist-knob that was either mounted on the steering column or the dash (Photo 9).  The twist-knob system was interesting in that it had a spring-loaded door in the center of the knob where the emergency key (E-Key) (Photo 10) could be inserted for programming and for operating the vehicle if the proximity feature failed.  The push-button start models had a socket in the dash, Photo-11, that the fob could be inserted into for programming and if the proximity feature failed.  This meant that there were two types of E-Keys, one with a chip and one without a chip.  The E-Keys with chips were only for use on vehicles with the twist-knob system.  Vehicles that were equipped with the twist-knob could also be programmed to accept a regular NI04T transponder key in an emergency.  Later generations of the system did away with the twist knob system.

As the system evolved, the programming socket (or slot) was eventually done away with.  The latest versions of this system are programmed by actually pushing the start button with the logo end of the prox fob.  A very similar system is also used on many Toyota and Lexus vehicles.

Most prox-fobs operate on the same basic principal:  When the user starts the vehicle (by pushing the start button, turning a twist-knob, or other starting system), a signal is broadcast to the prox-fob by an array of antennas mounted inside the vehicle.  When the correct signal is detected by the prox-fob, it triggers its own transponder and then amplifies and broadcasts the signal from the transponder back to the antennas inside the vehicle.  If the signal from the fob is accepted by the anti-theft system as genuine, the vehicle is allowed to start and run.  If no signal is detected, or an incorrect signal is detected, the vehicle will not run. 

To prevent people from starting the vehicle when the prox-fob is outside the car (such as while the owner is pumping gas, etc.) the antennas inside the vehicle are carefully tuned so that they cannot pick up the signal unless the fob is actually inside the vehicle.  A standard is in place in Europe that requires the system to be inoperative if the fob is more than 25 centimeters outside of the vehicle.  If you are like me, that 25 centimeter figure doesn’t mean much until you convert it and discover that 25 centimeters is approximately four inches!  I’ve tested this in the field and much to my surprise, it is true and in many cases the car won’t start if the fob is even an inch outside the vehicle.

Many transponder systems “burn” identification data into the new transponder during the programming process that will permanently “lock” the transponder to that one particular vehicle.  Chrysler keys and the GM Circle-Plus keys have worked that way from the beginning.  That process takes on a whole new meaning when you apply it to IRK keys and prox-fobs.  The bottom line is that once one of these devices has been programmed to a particular vehicle, it can never be programmed into another.  This makes many of the used and “refurbished” remotes and prox-fobs that are for sale on the Internet essentially useless.  There is equipment available to “re-virginize” some fobs, but that equipment is pricey, and many internet sellers simply don’t know that it is necessary or they don’t care.  If you are purchasing used or refurbished remotes or prox-fobs, make sure that you are dealing with a reputable company.

Where Do We Go From Here?

We now have automotive encryption systems that are as highly encrypted as national secrets, yet we still have car theft.  How can that be?  Modern car thieves don’t even try to beat the encryption – they go after the weakest link, which is usually the vehicle owner.  Before the advent of electronic anti-theft systems, there was no such thing as car-jacking.  Today most stolen vehicles are stolen along with the keys, or fobs.  If a thief really wants a particular vehicle, they can always use a tow-truck or a flat-bed to simply haul the vehicle away.  No matter how much we improve the encryption, as long as people control the system, other people will find a way around the system.

Some sophisticated thieves do actually beat the system, but they certainly don’t use a brute force attack on the encryption.  You may have recently heard of, or read about, a “mysterious black box” that is being used to steal cars.  As it turns out, it is not mysterious, but it does take advantage of both human nature and a weakness that is built into most prox systems.  This system requires two people working together with some surprisingly simple electronic equipment.  One of the car thieves carries a laptop or briefcase-sized device into public places and tries to stay near well-dressed or affluent looking people.  Trendy shops that serve overpriced coffee and expensive restaurants are popular targets.  Meanwhile, the second thief cruises the parking lot with a second device, trying the doors of vehicles that depend on prox-fobs for security.  When the second person finds a door that opens, he or she simply gets into the car, pushed the start button and drives away.

How can a system like that possibly work?  The answer is surprisingly simple and doesn’t involve cracking sophisticated encryption systems.  The first device is a compact radio frequency device, often made from parts taken from wrecked vehicles of the type that are targeted.  Basically, the device broadcasts the same signal that is used to trigger the prox-fob when it is inside the vehicle, but at a much higher power to increase the range.  This signal then triggers all of the prox-fobs in people’s pockets or purses that are in range.  The response signals from the various prox-fobs are then received by the device and re-broadcast to the second device.  The second device amplifies the signals again and broadcasts them over an area of 20 – 30 yards at a strength that is sufficient to be received by the antennas inside the vehicles.  The thief simply walks around trying doors until he finds one that will open.  He then enters the vehicle while his device is re-broadcasting the legitimate signal from the owner’s prox-fob, and pushes the start-button to drive away.  Once the vehicle is running, it will continue to run until it is shut off, or runs out of fuel.

Insurance companies are well aware of this type of attack and are urging police departments all over the country to step up security in public parking areas.  Keep in mind that these are the same insurance companies that lobbied legislators to bully the auto manufacturers into developing this kind of technology in the first place.  Now, they are advising their clients to wrap their prox-fobs in aluminum foil when they are not in use.  The sales of wallets, pouches, and purses with RF-blocking linings are booming, Photo 12, and many high-end designer fashions now include pockets with RF-blocking linings.  If you do an online search for “RF-blocking” you will find a wealth of products that are designed to help protect us from the technology that was supposed to make our lives easier and safer.

Many think that the next step in the evolution of automotive security will be bio-metrics.  Fingerprint scans are already used on many laptops, cell phones, and of course safe locks.  Some think that retina scans are the way to go.  (Just imagine how the car rental industry would respond to that!)  Personally, I look back fondly on the days when cars were protected by actual physical security and common sense.  But whatever the future holds, I have faith that human beings will still find a way to lock themselves out, as well as lose, break, or ruin whatever technology comes along.