Your Car Key Could Unlock Somebody Else’s Car
Shutterstock

FYI.

This story is over 5 years old.

Tech

Your Car Key Could Unlock Somebody Else’s Car

Physical security is dumb.

Seriously, how crummy are car keys? First of frigging all, they get lost really easily. Secondly, they don't even work all that well. Did you know there's a small chance that your car key can unlock somebody else's ride? I am not even kidding you.

I know this because I recently spoke to Joanne Fluegel, a 24-year-old Oakville woman who says she used the keys to her 2005 Toyota Echo to unlock the doors to someone else's Echo, which was parked in the same lot as hers after attending a music festival in Mississauga on Sunday night. I caught up with her after she posted about her experience on a Facebook page for the Toronto rave community.

Advertisement

Read More: What Learning to Lockpick Taught Me About Digital Security

According to Fluegel, she used her keys to unlock the other car's doors, mistaking it for hers. But when she tried to start the car with the same key, it wouldn't work.

"I went to pull out the owner's manual and actually looked around, and thought, oh my god, this doesn't look like my car," she said. "Like, my car doesn't have a cover like that. My car doesn't have a baby seat. Holy crap, this isn't my car."

She put everything back as she found it and left, Fluegel said. "I just hope that whoever's car I almost stole doesn't feel too violated. I posted it on Facebook so hopefully whoever's car it was sees it and they know they weren't robbed," she explained.

As it turns out, car keys aren't totally unique. It's been previously reported that Honda, for example, only has about 3,500 different lock combinations. This means that it's possible, although quite unlikely, that someone else could unlock your car with their key and vice-versa. This is actually a relatively well-known issue, according to Jacob Botden, a white-hat lockpicker and co-founder of the Toronto chapter of The Open Organization of Lockpickers (TOOOL). According to him, it comes down to manufacturing costs.

"Car keys are never part of the purchase decision […] they are just something that comes along with the deal," he explained in an email. "Until more concern, publicity and complaints are brought out, this will not be of significant concern for auto manufacturers and they won't spend the money needed to correct this."

Advertisement

But why did Fluegel's key apparently open the car door, but not start the ignition? Again, Botden said, it comes down to cost to the manufacturer.

"Typically a car door lock, keyed glove box or trunk won't use all of the tumblers which are present in the ignition lock for manufacturing cost reasons," Botden wrote me. "This further reduces the number of possible keys and makes it more probable to open a door than turn the ignition."

When I reached out to Toyota, a spokesperson said the company is not aware of this issue, but offered the following statement: "The 2005 Toyota Echo complies with all relevant regulatory standards for keys and these keys exceed the number of mandatory unique combinations," the spokesperson wrote in an email. "As is the case with most vehicles of most brands and models, if a door lock has been damaged, it is possible that the door may no longer lock properly."

The spokesperson asked if I could send Fluegel their way so they could address the problem with her, and I dutifully did.

This all goes to show that physical security is really dumb. When your adversary is a human being with a human peanut brain and human tools at their disposal, "good enough" might just be good enough. It's not like a car thief is going to walk around with the keys to every car ever made and hope that one of them works in a given vehicle.

That's fine, sort of, unless you're the luckiest thief in town.

Subscribe to Science Solved It , Motherboard's new show about the greatest mysteries that were solved by science.