For two decades, car security has shifted dramatically, moving from simple keys to complex keyless entry systems. Luxury brands like Mercedes, BMW, and Audi have invested heavily to combat auto theft, a highly profitable criminal enterprise. Yet, many car owners overlook the security and privacy aspects of their key fobs, the wireless access devices that now control so much of our vehicles and their connected features. Even fewer realize the extent of data stored within these electronic keys, particularly Used Key Fobs, which can hold surprising details.
Recently, I spent a day at a leading private forensic laboratory in Europe, GOETH Forensic & Security Services in Mayen, Germany. Manfred Goth, a certified forensic expert, operates this lab, assisting major European insurance companies. Their work involves forensic analysis in criminal and civil cases, examining locks, safes, cars, and buildings related to crimes like arson, burglary, auto theft, and even murder. Last year, their expertise saved one insurer approximately twenty million Euros in fraudulent claims, including vehicle theft. They also consult with law enforcement on security system bypass techniques and are affiliated with the Lockmasters Group, specialists in covert entry tools and training for government agencies.
While my work typically involves testing the security of physical locks, car security systems were not my primary focus. Like many, I use keyless entry but hadn’t deeply considered the security vulnerabilities or privacy implications. The notion that my key fob could store vehicle data, potentially accessible to insurers or law enforcement, was not on my radar. This perspective shifted after visiting the Goth lab and Lockmasters.
Manfred was investigating a BMW theft case, a brand known for storing extensive data on its keys. He demonstrated a decoder from Abrites, a Bulgarian company specializing in electronic decoding and bypass systems for global vehicle brands. Abrites develops tools for locksmiths and, in restricted versions, for government agencies. Modern car immobilizers, keys, locks, and onboard computers are vulnerable to hacking, enabling unauthorized vehicle entry, bug or tracker implantation, key cloning, data extraction, and car theft. These tools are not exclusive to law enforcement; car thieves also utilize them.
Connecting a BMW key fob to the Abrites decoder, Manfred instantly revealed a wealth of data: the Vehicle Identification Number (VIN), mileage, fuel level, and last driving time. Newer used key fobs and current models are even capable of storing GPS data, adding another layer of information.
The relevance of this data becomes clear in insurance claims, particularly those involving car theft, where fraud is a significant concern. In Europe, insurers often require claimants to submit their car keys for examination. Unbeknownst to many, the data within their keys can be used against them in insurance fraud investigations or claim denials. For example, an owner might report their car stolen three days prior and provide their keys to demonstrate they were not left in the vehicle. However, the key’s memory could reveal the car was driven the previous day, exposing a false claim. This is particularly important to consider when dealing with used key fobs associated with pre-owned vehicles, as their data history can be scrutinized.
Furthering my understanding, I visited Lockmaster headquarters in Bergheim for a demonstration of key decoding and interception techniques used to steal vehicles. In an interview with Enrico Wendt, Lockmaster’s Operations Manager, he demonstrated BMW key fob decoding. In a subsequent demonstration (mentioned for a future article), Sascha Wendt, Technical Manager, showed the ease of stealing a new Audi. These vulnerabilities are critical to understand, especially when considering the security implications of used key fobs that may have passed through multiple owners.
While manufacturers claim data storage in keys is primarily for maintenance, it’s evident that law enforcement and insurers influence these developments, pushing for increased data collection, mirroring the trend in smartphones. This data collection raises privacy concerns, especially in the context of used key fobs and vehicles where the history of data access and usage might be unclear.
Vehicle keys are just one facet of the ongoing security battles involving covert entry specialists, law enforcement, criminals, and hackers. I witnessed demonstrations of how sophisticated thieves can steal high-end cars using portable devices, also originating from Bulgaria. Furthermore, I learned how easily a key fob for a top-tier German luxury car can be replicated via the infrared port in the ignition using a laptop, thanks to Polish hackers. Car manufacturers are now reacting to wireless entry system flaws, with innovative solutions emerging, such as one from a Swiss inventor I interviewed in Zurich. The security landscape of car key fobs, both new and used, is constantly evolving, demanding ongoing vigilance and expertise.
Conclusion
The journey from simple mechanical car keys to today’s data-rich key fobs is remarkable. Understanding the data stored in used key fobs and the security vulnerabilities of keyless entry systems is crucial for car owners, especially in the context of insurance, privacy, and vehicle security. As experts at keyfobx.com, we are committed to providing insights and solutions in this evolving field, ensuring you stay informed and secure in the digital age of automotive access.
