Opening A Ford With A Robot and the De Bruijn Sequence

The Ford Securicode, or the keyless-entry keypad available on all models of Ford cars and trucks, first appeared on the 1980 Thunderbird. Even though it’s most commonly seen on the higher-end models, it is available as an option on the Fiesta S — the cheapest car Ford sells in the US — for $95. Doug DeMuro loves it. It’s also a lock, and that means it’s ready to be exploited. Surely, someone can build a robot to crack this lock. Turns out, it’s pretty easy.

The electronics and mechanical part of this build are pretty simple. An acrylic frame holds five solenoids over the keypad, and this acrylic frame attaches to the car with magnets. There’s a second large protoboard attached to this acrylic frame loaded up with an Arduino, a character display, and a ULN2003 Darlington array to drive the solenoids. So far, everything you would expect for a ‘robot’ that will unlock a car via its keypad.

The real trick for this build is making this electronic lockpick fast and easy to use. This project was inspired by [Samy Kamkar]’s OpenSesame attack for garage door openers. In this project, [Samy] didn’t brute force a code the hard way by sending one code after another; (crappy) garage door openers only look at the last n digits sent from the remote, and there’s no penalty for sending the wrong code. In this case, it’s possible to use a De Bruijn sequence to vastly reduce the time it takes to brute force every code. Instead of testing tens of thousands of different codes sequentially, this robot only needs to test 3125, something that should only take a few minutes.

Right now the creator of this project is putting the finishing touches on this Ford-cracking robot. There was a slight bug in the code that was solved by treating the De Bruijn sequence as circular, but now it’s only a matter of time before a 1993 Ford Taurus wagon becomes even more worthless.

70 thoughts on “Opening A Ford With A Robot and the De Bruijn Sequence”

  1. You have to wonder at the morons who developed these car ‘locks’. If you read the project you will see that you can crack them by hand in 20 minutes, and using his device does it in 4 min on average.
    Why on earth would anyone make a lock for a car that could be open with no skill in 20 minutes, by hand?

    1. Because the average user isn’t brainy enough to figure things out if they are too complicated. The same principle applies to people who get flustered by ever-changing password schemes, especially those with what they would consider “onerous” complications like symbols, numbers, and capitalisation.

      Fact is, is that engineers kinda have to “design down” for the average consumer, because if Joe Dirt thinks it’s a pain in the ass more than it is secure and modern/flashy, Joe Dirt won’t buy it.

      1. That shit’s loud yo! Realistically this is “up to” 4 minutes, it will probably be faster, unless your door code is the last four digits in the sequence. Stick this on the door at night, hit go, no one will bat an eye at the dude standing beside his truck “talking” on his phone, “yea honey, I’ll get eggs, no, I won’t forget the milk either”. Reaches into his truck to get something, then strolls into wal-mart.

        1. The silk-screening on the buttons wears so easily, you can tell which ones get used for the code. In the above picture, you can see the most wear on the 8-9 button and the 5-6 button, a little bit of wear on the 1-2 button, while the others look pristine. The wear on the 1-2 key is probably from it being the leading edge of the keypad and getting wear from dirt and stuff, so the code itself is most likely just a permutation of the other two buttons and you should maybe add the 1-2 key if all of those fail.

          Eventually the silk-screening wears completely off all the buttons and makes the keypad more secure.

          1. I’m not sure what happened to chip off the edge of the 5/6 button like that, but it has been that way for years. As for the rest of the wear, it doesn’t really match what my door code was. I think most of the wear was caused by my testing of this project over the last year that I’ve been working on it. I never used the keypad on a regular basis. Certainly not enough to actually cause wear to the buttons for my code. This machine pressed those buttons far more than I ever did in normal use of the keypad. And it would wear the lower numbered buttons more because the de Bruijn sequence starts with the codes heavy on the lower numbered digits and ends with the higher number digits, and I usually didn’t wait for it to finish the whole sequence each time I tested it.

      2. No need to break the window, just jam a wedge into the top of the door, and bend it open until you can pull the lock up.
        I know this works on the Peugeot 206, because mine’s been broken into several times like this. On the plus side, all I need to do to fix it is bend the door back flush.

    2. “Why on earth would anyone make a lock for a car that could be open with no skill in 20 minutes, by hand?”

      Because they were expecting: SECURITY THRU OBSCURITY.

      Who could possibly know about a de Bruijn sequence and be a bad guy … ?

      ;-)

    3. Physical locks aren’t particularly secure, either. These are all meant as a deterrence, not chasing the ghost of perfect security. Needing a few specialized tools or skills is enough to keep random thieves out.

          1. My buddy has a Ford Escape and this really rings true. Seems like there is always something that breaks on it… rusted rear door lock motor, leaking AC, bad window seals, electric window switch is flaky, air control only works on max…

      1. Or, on those 70s Fords, just wait until it rusts off.

        CSB: Mom had her mother’s old 1963 Falcon sedan. Typical old lady car, bench seat and all. But, even with the 201CID straight-6 and 4 doors, the thing was light and quick. You couldn’t get it to go slower than 20-30. Fast forward to recently, when I learned the famous 65 Mustang was built on a Falcon chassis. I wonder how the Falcon would have done with a 289 in it….

    4. 20 minutes is pretty risky. I assume that most people trying to get into a car are going to want to steal contents inside, at which point a brick and intense focus on your goals is enough to get the job done.

    5. It’s what, 40 year old technology now? We’re talking about a hobbyist who figured a way to crack it with a computer with a hundred times more power than anything that was available at the time. Is anyone really a moron here for not having developed an infallible electronic car security system in 1980? Also even though it’s “easy” for a thief to crack, most thieves don’t (and probably didn’t) have the resources to get around something even this simple much less to steal a Ford, a car that isn’t even worth your time!

    6. Because it is a compromise between convenience and security. Which was the whole point of my creating this project – to demonstrate how the compromises made for convenience and ease of use affect the level of security achieved. This is the case for all security measures. Your phone would be much more secure if you had to enter a 30 digit random security code to unlock it but nobody would put up with that. When people can trade convenience for security they almost always go for the convenience.

    1. …. suction cup modification. Boom! Nobody is safe! :)

      In all seriousness, the comment about security through obscurity is very true. I used to reverse engineer engine control modules and most of the security mechanisms were VERY basic, and this was up until 2015. Very few car makers were even considering using RSA or similar encryption for transmitting the files, and most of the checksums for the code were just rolling 32 bit counters. Even modern cars can be opened with two really basic radio repeaters. It’s more about making the cars “hard enough” to steal or break into, and the convenience of having a system that allows you to get into your car when you forget your keys / lock your keys in your car probably outweighs the downsides. It would be interesting to see how many cars with this system have been broken into this way.

      Besides, most cars now are stolen when thieves use a stick with a magnet through the letter box (or smash the front door in) and grab the keys from the hall as most people leave their keys right next to the front door.

      I like the unit though, it reminds me of the rotating combination safe hacks.

  2. How does this get around the one minute wait between every 35 key presses that don’t include a correct key?

    Anti-Scan Feature
    The keypad will go into an anti-scan mode if you enter the wrong code seven times (35 consecutive button presses). This mode disables the keypad for one minute and the keypad lamp will flash.
    The anti-scan feature will turn off after:
    • One minute of keypad inactivity.
    • Pressing the unlock button on the remote control.
    • Switching the ignition on.
    • Unlocking the vehicle using intelligent access.

  3. I’m sorry, but if it takes you longer than 30 seconds to enter a locked vehicle, you don’t know what you’re doing and should be arrested for your own safety.

  4. Everybody’s so down on this lock. Look at all the comments like “yeah well a really dedicated thief would just tow your car, how does this lock prevent THAT?” I mean, it’s a car lock, not the door to Fort Knox. What do you expect?

    I always thought these things were cool. With the 35-code enforced timeout I think it would definitely approach Secure Enough.

    1. Right. People don’t always see security as an overall system. It’s possible to have individual components be somewhat weak, while still having layers that catch failure in other ways. The lock is not often the weakest link, even with vulnerabilities like this.

  5. After reading this, I was struck by the question nobody has asked:

    Who in their right mind, would steal a Ford?

    [Honda Civic used to be the most stolen car in the US, I think it alternated top spot with Toyota Corolla]

    1. Later Fords have a pretty good anti-theft system in the key so even though you got inside it there’s still the matter of getting it to start.
      Though with the right tools any chip key or fob is a moot point if you can get to the OBD port as you can just program in a new key.
      Maybe they should have kept said ports in the engine compartment or hidden under seats.

  6. Speaking of Ford, locks, etc. does remind me of an incident that happened to me as a teen working at Babbage’s Software at the Hickory Ridge Mall in Memphis, TN. I always parked by the closest employee entrance when I worked there, so when it came quitting time late that night everyone’s already gone home. Should be easy to spot your car as the lot is empty other than other mall employees’ cars. Get outside, walk in the direction of my car. It’s not there!

    I wandered around, looked for a good 15 minutes before I accepted what I thought: the car had been stolen. Pissed and bummed out simultaneously I start walking towards the bus stop to catch a ride home. As I’m walking towards the farthest end of the mall I spot a Crown Victoria that looked like mine from a distance. “Did I have a brain fart and park way the hell over here? But why would I have parked it there? It can’t be mine…. but just maybe?”. Go that direction and take a closer look. Sure enough, it’s undeniably my car with the back window plastered with skateboard stickers. I get in the car, relieved that it hadn’t been stolen.

    But slowly it came to me that something was weird. I’m 6’5″ so the seat was moved forwards, for me it’s slammed all the way back. Thought, “That’s weird”. Fire up the car and it’s tuned to some country station. “Whiskey tango foxtrot?” Puzzled the hell out of me on the way home.

    I immediately asked my Dad if he came to my work and took my car for some reason. He hadn’t, then explained what had happened tonight.

    According to him it was not uncommon for Fords to use a limited number of key patterns back in the day. That someone walked to where they thought they parked their car, put the key in, it worked. Probably had the same puzzled reaction “Why is the seat so far back? Who left this industrial metal band (Ministry) in the stereo? Who put all these stickers on my back window…. ohhhhhhh shiiiitttt” and by the time they realized they accidentally stole someone’s car, they promptly parked and left it right there. Rather than come back to the scene of the inadvertent crime to possibly run into the owner who is ready to shoot them. Passing on the advice that if you ever do leave your keys locked in the car, look for someone with a similar model year of Ford to ask them to try their key in the door. Might just work.

    Never bothered to verify that information, but it was still a weird event. I do miss that old Crown Vic Interceptor.

    1. Hah, my dad was on the other end of this in college. He got in the wrong Dodge van by mistake, and realized it shortly after leaving the parking space. I think he had to jiggle the key to make the door open.

    2. Totally likely. I had an ’80 Mustang, another of the gang had an ’82, and a third had a Capri. Each one of our keys worked on the others’ cars. We were constantly hiding vehicles whenever a back was turned.

    3. You’re not the only one this has happened to. Years ago I used to listen to the “Car Talk” radio show and someone called in to tell a similar story of finding his car at the far end of the lot. He said it had happened back in the 1980’s but it had been bugging him ever since to learn what happened. The Car Talk guys were laughing before he even finished the story and told him that back then there were a limited number of different keys and someone got in his car and didn’t realize it wasn’t theirs until they backed out of the spot, and by the time they circled around the spot up close to the door was already taken so they parked it at the end of the row and got out of there fast. :) They said they had heard similar stories several times over the years.

    4. A cousin of mine did that with her Mustang II. Same color and body style. Same keys. She walked up, unlocked it, got in – then noticed stuff in the car that wasn’t hers.

  7. Heh heh I had a great Applied Mathematics class where the instructor pounded this and weighted number systems in very interesting and useful ways to spark our interest. Euler freak to boot. His TA took the cake though and had some ocd thing where he counted alllllll of his steps everywhere he went. I always imagined that at home he shaved and brushed his teeth like some sort of robot and ate his paper mail to ‘input data’ lol. csb

  8. Awesome to see my project on the blog. If I had known they were going to post it I might have asked them to wait a week or so until I got my YouTube videos posted that are in the process of being created and edited.

    I filmed one video and did the editing and then decided to change it a bit and never got back to it. But I plan to finish it, showing the device in operation, and create a second video that goes into detail about the de Bruijn sequence and the other aspects that drastically reduce the time to search all the codes.

    The development of this project is done, which is good, because a few weeks ago I traded my 2001 Explorer for a 2017 Explorer. It has the light up capacitive touch sense buttons in the window frame so this device wouldn’t work on it. I could rebuild it with something on the solenoids that would be detected by the touch sensors, but the Anti-Scan feature that new Fords have would prevent it from working anyway, unless I programmed it to work in 35 keypress groups with the one minute wait, which would drastically lengthen the time.

    I’ve had a few people comment on why I made something to break into cars. My reply is that nobody will ever use this to break into a car to steal the car or stuff inside. Those people have much easier ways to break into cars than using this thing. Like breaking the window, using a coat hanger, or one of these radio relay systems that makes the car think the keyfob inside your house is actually near the car. I made it as a learning project, and as a demonstration of the shortcomings of the system.

    As for the Ford haters that always come out of the woodwork, my 2001 Explorer was by a wide margin the most reliable vehicle I’ve ever owned. Not perfect, but in the 17 years I had it it only had a few problems that weren’t wear items. The thermostat died at 25000 miles, it blew a radiator hose, which was probably due for replacement anyway, and I had to put new intake manifold gaskets and a new thermostat housing in it a couple years ago. Everything else was wear items you’d expect after 17 years of driving like tires, shocks, brakes, ball joints and tie rod ends, etc. Hopefully my 2017 Explorer will be just as reliable, although with all the added electronics and gadgets it has that might not be the case.

    Stay tuned and I’ll try to get those videos uploaded to YouTube in the next few days and I’ll post them on the project page.

    1. Congrats on getting your cool project on the blog! I for one was impressed.

      Just sold our beastly but unreliable 2003 Expedition and it had those locks on it. Got a minivan instead. Waaah

      1. I was wondering if anyone would notice and comment on that. Not a free birthday battery, but there is a story behind it. When my local Radio Shack store closed several years ago I went in on the last day and they were having a “bag sale.” Anything you can cram in a small bag for $5, a medium bag for $20, and a large bag for $50. It turns out I can cram almost 350 items into two large bags. :) I walked out of there with merchandise that Radio Shack had priced at somewhere around $8500 for $107 with tax. Of course, that $8500 price was a good part of why they went bankrupt. All that stuff could have been bought on Amazon for half that price. Anyway, I spent the next two years selling cell phone and camera batteries, chargers, cases, and screen protectors on eBay. And a lot of other miscellaneous Radio Shack stuff. But I kept a lot of stuff for myself that wasn’t of enough value to bother listing on eBay, or things I just wanted for myself. I’m well stocked up on earbud headphones, audio patch cables, watch batteries, etc. And I got a box of 10 of those bright green NiMH rechargeable 9V batteries. Unfortunately the component drawers were picked clean well before that last day.

  9. What gets me is why Ford has always made these as fake 10 digit locks when they’re really only 5? They put the code numbers in the owner’s manuals and on a label on one of the electronic boxes using all the digits. It’s a bit of a scam, pretending to be more secure than it actually is.

    1. I think the reasoning behind putting two numbers on each key is that having all the numbers on the buttons allows you to use whatever code you like without having a 10 key pad. If you just numbered them 1,2,3,4,5, someone would complain that they wanted to use their kids birthday as a code and they were born on 6/7/89. Or you can use that same code you’ve been using on your debit card for the last 20 years. :) And you don’t have to have a huge ugly 10-key pad on your car door.

      The de Bruijn sequence is a neat concept that attracts the most attention on this project but the doubling up of the numbers and having 5 keys instead of 10 is what reduces the time the most. You go from 100000 codes to only 3125 because of the 5 keys. The de Bruijn sequence and the shift register nature of the checking only reduces testing those 3125 codes by another factor of 5, since you get to test a full five digit code with each key press.

      But you’ve hit on one other issue that is the one factor that I really don’t like on this system. The fact that there is a factory assigned code that is printed on a card in the owner's manual and on a sticker on the box that controls the door lock system. Anyone who knows this and has unsupervised access to your vehicle could note that code and be able to unlock your vehicle at any time afterwards and there’s nothing you can do about it. Now, I understand they need a way to program a new code when someone forgets their code, but there has to be a better way than making a system with an unchangeable “backdoor” code. It sounds kind of stupid when you explain “You can pick whatever code you want, but the factory assigned code is still going to work forever.”

      Perhaps a change could be that if you have the push button start system where you just have to keep a key fob in your pocket, the factory code should only work when there is actually a valid key fob present. And if you have a keyed ignition the key would have to be in the ignition. This makes the factory code useless to open the vehicle since someone with the fob or the key would be able to open it anyway, but makes the factory code still useful as an authorization step to reset a lost user code.

      Another worry I have about the factory code: is it truly assigned randomly or is it perhaps somehow based on the Vehicle Identification Number? If it is derived from the VIN, all it would take is for someone to crack that process and whip up a quick smart phone app and anyone could enter your VIN, which is visible through the base of the windshield, and have your unchangeable factory door code.

  10. A screwdriver was all it took to start my brother’s ’61 Buick LeSabre AKA LeSlobber. A bad thing for his drunk friends to know when they wanted leave the bar and he didn’t. Hilarity was not what ensued. More gray hairs for my parents did.

  11. Keypads that are used frequently are generally worn on the buttons that are used in the key. I’ve opened many a security door that has 4 worn keys in just a couple of tries. Though on a Ford Taurus who knows how frequently the keyless entry is used. The same goes for tablets and phones that use the keypad or pattern to unlock, people are dirty creatures and don’t wipe off their grunge, take a device and look for the grime and you’ll often find a pattern to start from.

  12. Ford had this option on the last two cars I owned and it’s really kind of redundant. They now let you keep your key fob in your pocket and I can unlock my car just by walking up to it and touching the door handle. The only possible reason I would ever want this feature is if I wanted to unlock my car and did not have the keys (which is never). Might have been cool in the past but is redundant now. Oh and yeah, I checked and there is a lockout after what seems like five bad combinations. A good locksmith or thief can get in your car way faster than this device. It really does not matter to me though, that would be my insurance company’s problem.

  13. I have finished and uploaded a second video on my Five Finger Code Finder project. It is an explanation of the theory behind how the device can open a Ford car door so fast. I discuss the compromises made in the design of the Ford keypad door lock system. How having only 5 keys and how their “shift and check on each digit” greatly impacts the time needed to search all codes. And how the de Bruijn sequence maximizes the efficiency of checking all the possible codes.
