Insecure locking: cars and doors

| August 6, 2006

UPDATED (08/09/06): Welcome to Consumerist readers (and thanks to The Consumerist for the link)!

I’ve run across two different stories recently that have the same theme: fundamental flaws in common physical security methods can result in (a) you losing your property (car, household goods) and (b) your insurance company refusing to pay because they don’t believe that you were actually robbed.

The first has to do with the electronic anti-theft measures found in many modern cards. These use RFID (radio frequency ID) chips to match your ignition key with your car. No RFID match, no car starting. Insurance companies tend to consider these measures fool-proof and so will treat a stolen car report as possible evidence of fraud on your part, as this Wired article by Brad Stone points out:

Last summer Emad Wassef walked out of a Target store in Orange County, California, to find a big space where his 2003 Lincoln Navigator had been. The 38-year-old truck driver and former reserve Los Angeles police officer did what anyone would do: He reported the theft to the cops and called his insurance company.

Two weeks later, the black SUV turned up near the Mexico border, minus its stereo, airbags, DVD player, and door panels. Wassef assumed he had a straightforward claim for around $25,000. His insurer, Chicago-based Unitrin Direct, disagreed.

Wassef’s Navigator, like half of all late-model domestic cars on the road today, is equipped with a transponder antitheft system: The ignition key is embedded with a tiny computer chip that sends a unique radio signal to the vehicle’s onboard computer. Without the signal, the car won’t start. And Wassef still had both of his keys.

The insurance company sent a forensic examiner to check out the disemboweled SUV in an impound lot. The ignition lock, mounted on the steering column, had been forcibly rotated, probably with a screwdriver. The locking lug on the steering wheel, which keeps it from being turned when the truck is not in gear, had also been damaged. But the transponder system was intact. The car could have been shifted and steered, the investigator concluded, but the engine couldn’t have been turned on. “Since you reportedly can account for all the vehicle keys, the forensic information suggests that the loss did not occur as reported,” the company wrote to Wassef, denying his claim. The barely hidden subtext: Wassef was lying.

Read the entire article to see the ways in which this “fool-proof” anti-theft technology can be short-circuited. (Hat tip to Slashdot.)

The second has to do with something far more simple and far more common: door locks. According to this video, it is possible using a standard key-cutting machine to cut what is known as a “bump key”. If you insert this key into any lock that it fits, then tap the key as you twist, you can open that lock. As one locksmith in the video puts it, with 10 such bump keys, you can open 90% of the locks around. And again the issue is raised: with no evidence of burglary, the insurance company may well refuse to pay. (Hat tip to Digg; the comments there are worth reading.)

Neither issue is particularly new, but both point out the possible legal and financial consequences to us as consumers of an over-confident belief by other organizations (insurance companies) in the efficacy of a given techonology, simple or complex. ..bruce..

Be Sociable, Share!

Category: Information Technology, Legal, Main

About the Author ()

Webster is Principal and Founder at Bruce F. Webster & Associates, as well as an Adjunct Professor of Computer Science at Brigham Young University. He works with organizations to help them with troubled or failed information technology (IT) projects. He has also worked in several dozen legal cases as a consultant and as a testifying expert, both in the United States and Japan. He can be reached at, or you can follow him on Twitter as @bfwebster.

Comments are closed.