Security is a tricky thing. You only have to look at the recent kerfuffle around the vulnerabilities discovered with the Tapplock, billed as “the world’s first smart fingerprint padlock,” which turned out to be less than secure. The lack of security can be squarely blamed on the design and architecture of the lock, so it’s actually sort of interesting to see a design-led security flaw in a more mature product so soon after another in the long line of Bluetooth LE-related problems.
The Ford Securicode is keyless-entry keypad available on all models of Ford cars and trucks, which has been around since the early 1980s. This system makes use of a five-button keypad which crucially doesn’t have an ‘enter’ key. Instead it accepts the last five digits entered, with no delays and no penalties for incorrect entries.
It turns out that this makes the whole thing horribly insecure, and means that you can build a robot to compromise the system using an Arduino to drive some solenoids. Which is exactly what Carl Smith has done.
The secret here is that, because the lock accepts the last five digits entered, you can make use of mathematics—and a cyclic sequence called after the the Dutch mathematician Nicolaas Govert de Bruijn—to avoid having to brute force the lock.
“[The] purpose is to demonstrate how the design of [the Ford Securicode system] allows PIN codes to be found in a much shorter time than would normally be required to brute force search and try all possible PINs… The purpose of this project is to demonstrate how design decisions that put a priority on ease of use can greatly compromise the security of a system such as this.”
On average the robot will find a code, and open the door, in under four minutes.
Although, if you do have this system on your car, you might want to think about whether you want to continue using it as, even without the use of a robot, “…[you] can enter this sequence manually in approximately 20 minutes and find the code to unlock [any] Ford vehicle with this system.”